0. Timeline
0.1 Discovery: 2014.02.05
0.2 Vendor response: TPLINK SUPPORT #34437 at 2014.02.06
0.3 Vendor issues new firmware for V2 hardware at 2014.02.12
0.4 Vendor confirms at 2014.02.28 that V2 firmware can be used for V1 hardware
0.5 Disclosure: 2014.04.01

1. Background
TP-LINK is a global provider of SOHO & SMB networking products and the World's No.1 provider of WLAN products, with products available in over 120 countries to tens of millions of customers[1]. TL-R600VPN is TP-LINK's VPN router product that is known for its "High-security VPN Capabilities"[2].

2. Problems

2.1 Unauthenticated Web Shell
There is an unauthenticated web shell with root privileges, accessible at ip-address-of-the-device/userRpmNatDebugRpm26525557/cmd.htm. By default the web interface is open only from the LAN.

2.2. Hardcoded PPTP Credentials
Account debug26525557~!@ with password 26525557~!@

2.3. Other 26525557 HTML Pages

2.3.1 /userRpmNatDebugRpm26525557/up.htm
Page with unknown purpose.

2.3.2 /userRpmNatDebugRpm26525557/start_mp_test.html
Page with unknown purpose. Could be version 2 of TFTP backdoor as explained in [4] and [5].

2.3.3 /userRpmNatDebugRpm26525557/linux_cmdline.html
Explained in [3]. In this version it is fixed, as the page requires the admin password, which is configurable by the user.

2.3.4 /userRpm/DebugResultRpm.htm
Page with unknown purpose.

2.4. Hardcoded NTP Server Addresses
If there are no NTP servers configured then the device tries to connect to a hardcoded list of addresses.

3. Affected Firmware and Hardware
1.2.1 Build 130831 Rel.63039n for hardware V1 and V2

4. References
[1] http://www.tp-link.us/about/?categoryid=102
[2] http://www.tp-link.us/products/details/?categoryid=1678&model=TL-R600VPN
[3] http://osvdb.org/show/osvdb/102757
[4] http://www.scip.ch/en/?vuldb.7970
[5] http://sekurak.pl/tp-link-httptftp-backdoor/

5. Credit
Aivar Liimets, Martem[www.martem.ee]

6. binwalk rules
Check out binwalk.org for future details.

7. Mitigation
Upgrade to firmware "1.2.2 Build 140212 Rel.58039n" (TL-R600VPNv2_en_1.2.2_[20140212-rel58039]_up.bin). With this firmware, problems 2.1 and 2.3.1 to 2.3.4 throw a "Username or Password is incorrect." error. Account debug26525557~!@ is removed in "1.2.2 Build 140212 Rel.58039n".

APPENDIX - Screenshots
PPTP Log
GUI

APPENDIX - Strings
aivar@suur:~/Projects/TP-LINK/extracted$ strings _r600vpnv1_en_1_2_1_up\(130831\).bin.extracted/squashfs-root/usr/bin/httpd > 130831_v1_httpd.strings
aivar@suur:~/Projects/TP-LINK/extracted$ cat 130831_v1_httpd.strings | grep "debug26525557"
debug26525557~!@ pptpd 26525557~!@ *
aivar@suur:~/Projects/TP-LINK/extracted$ cat 130831_v2_httpd.strings | grep "debug26525557"
debug26525557~!@ pptpd 26525557~!@ *
aivar@suur:~/Projects/TP-LINK/extracted$ cat 140212_v2_http.strings | grep "debug26525557"
aivar@suur:~/Projects/TP-LINK/extracted$ cat 140212_v2_http.strings | grep "userRpmNatDebugRpm26525557"
/userRpmNatDebugRpm26525557/up.htm
/userRpmNatDebugRpm26525557/start_mp_test.html
/userRpmNatDebugRpm26525557/linux_cmdline.html
/userRpmNatDebugRpm26525557/cmd.htm
aivar@suur:~/Projects/TP-LINK/extracted$
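
The string check from this appendix as a reusable firmware audit, added here as an example and not part of the original advisory: it pulls printable strings out of an extracted httpd binary and reports the hardcoded PPTP account and the debug page paths separately. The function names, the constructed sample byte strings and the reading of the account line as a pppd chap-secrets entry are assumptions.

```python
import re
import sys

# Indicators quoted from the advisory (sections 2.1-2.3 and the Strings appendix).
DEBUG_ACCOUNT = b"debug26525557~!@"
DEBUG_PATHS = (
    b"/userRpmNatDebugRpm26525557/cmd.htm",
    b"/userRpmNatDebugRpm26525557/up.htm",
    b"/userRpmNatDebugRpm26525557/start_mp_test.html",
    b"/userRpmNatDebugRpm26525557/linux_cmdline.html",
)

def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, like strings(1) with its default length."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def audit_httpd(blob):
    """Report which advisory indicators occur in the bytes of an httpd binary."""
    strs = printable_strings(blob)
    accounts = []
    for s in strs:
        if DEBUG_ACCOUNT in s:
            # Assumption: the line uses the pppd chap-secrets layout
            # (client, server, secret, allowed addresses).
            names = ("client", "server", "secret", "addresses")
            accounts.append(dict(zip(names, s.decode().split())))
    paths = sorted(p.decode() for p in DEBUG_PATHS if any(p in s for s in strs))
    return {"accounts": accounts, "debug_paths": paths}

# Constructed sample images (not real firmware): binary padding around the
# strings the advisory reports for 1.2.1 and for 1.2.2.
SAMPLE_121 = (b"\x7fELF\x00\x01" + b"debug26525557~!@ pptpd 26525557~!@ *"
              + b"\x00\x02" + b"\x00".join(DEBUG_PATHS) + b"\x00")
SAMPLE_122 = b"\x7fELF\x00\x01" + b"\x00".join(DEBUG_PATHS) + b"\x00"

if __name__ == "__main__":
    # Usage: python audit_httpd.py squashfs-root/usr/bin/httpd
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, audit_httpd(fh.read()))
```

A result with an empty `accounts` list but non-empty `debug_paths` matches what the appendix shows for 1.2.2: the account string is gone while the page paths remain in the binary, so the login error described in the Mitigation section still has to be confirmed on the device.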

APPENDIX - Hashes
aivar@suur:~/Projects/TP-LINK/TL-R600VPN$ md5sum TL-R600VPNv2_en_1.2.2_\[20140212-rel58039\]_up.bin
fe615d15be35aee34ee40b20d4701bf4 TL-R600VPNv2_en_1.2.2_[20140212-rel58039]_up.bin
aivar@suur:~/Projects/TP-LINK/TL-R600VPN$ md5sum r600vpnv2_en_1_2_1_up\(130831\).bin
1f0748bc183ae34d07985474192cc9e0 r600vpnv2_en_1_2_1_up(130831).bin
aivar@suur:~/Projects/TP-LINK/TL-R600VPN$ md5sum r600vpnv1_en_1_2_1_up\(130831\).bin
1f0748bc183ae34d07985474192cc9e0 r600vpnv1_en_1_2_1_up(130831).bin
aivar@suur:~/Projects/TP-LINK$