VYPR
Unrated severity · NVD Advisory · Published Jan 11, 2018 · Updated Aug 5, 2024

CVE-2017-15619

Description

TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the pptphellointerval variable in the pptp_client.lua file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in pptphellointerval parameter in TP-Link WVR/WAR/ER devices allows authenticated remote code execution.

Vulnerability

A command injection vulnerability exists in the pptp_client.lua file of TP-Link WVR, WAR, and ER series devices. The pptphellointerval variable is not properly sanitized before being used in a call to os.execute() or similar, allowing an authenticated administrator to inject arbitrary operating system commands. The exact affected firmware versions are not explicitly listed but likely include older releases of the mentioned device families [1].

Exploitation

An attacker must have valid administrative credentials for the device's web interface. After logging in, the attacker navigates to the PPTP configuration page and sets the pptphellointerval parameter to a payload containing shell metacharacters (e.g., ; command). The injected commands are executed with root privileges. No other user interaction or special network position is required.

Impact

Successful exploitation grants the attacker arbitrary command execution on the device as root. This can lead to full device compromise, including data exfiltration, installation of malware, or use of the device as a pivot for further network attacks. Confidentiality, integrity, and availability are all severely impacted.

Mitigation

As of the publication date and based solely on the description, no official patch has been confirmed by TP-Link. The reference [1] does not provide a specific fix. Workarounds include restricting administrative access to trusted IPs, disabling PPTP services if not required, and monitoring for suspicious configuration changes. Users should check TP-Link's support site for updated firmware that may address this issue.
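
The monitoring workaround above can be automated. The following is an added example, not part of the advisory or of TP-Link's code: it audits logged admin-interface request bodies and flags any pptphellointerval value that is not a plain decimal integer. The form-encoded body format, the five-digit bound, the pptpenable field name and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

FIELD = "pptphellointerval"              # parameter named in the CVE description
DIGITS_ONLY = re.compile(r"[0-9]{1,5}")  # assumed bound; the page gives no valid range

# Constructed sample: (source IP, form-encoded body) pairs as a request log in
# front of the admin interface might record them. The body format and the
# "pptpenable" field are hypothetical.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "pptpenable=1&pptphellointerval=60"),
    ("192.0.2.10", "pptpenable=1&pptphellointerval=%36%30"),
    ("198.51.100.7", "pptpenable=1&pptphellointerval=60%3BPLACEHOLDER"),
    ("198.51.100.7", "pptphellointerval=60&pptphellointerval=60%3BPLACEHOLDER"),
    ("192.0.2.10", "pptpenable=0"),
]


def audit_request(body):
    """Return the decoded values of FIELD in one body that are not plain integers."""
    bad = []
    # parse_qsl percent-decodes values and keeps repeated keys, so an encoded
    # metacharacter or a second copy of the field cannot slip past the check.
    for key, value in parse_qsl(body, keep_blank_values=True):
        # Allow-list: anything other than 1-5 ASCII digits is reported,
        # including empty values and trailing whitespace or newlines.
        if key == FIELD and not DIGITS_ONLY.fullmatch(value):
            bad.append(value)
    return bad


def audit_log(requests):
    """Return (source, offending value) for every request that should raise an alert."""
    findings = []
    for source, body in requests:
        for value in audit_request(body):
            findings.append((source, value))
    return findings


if __name__ == "__main__":
    for source, value in audit_log(SAMPLE_REQUESTS):
        print(f"ALERT {source}: non-numeric {FIELD} value {value!r}")
```

The check is an allow-list rather than a list of known-bad characters, so it does not need updating as new shell metacharacter variants appear.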

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

2
