Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection

Related Vulnerabilities: CVE-2020-12111  
Publish Date: 01 May 2020
Author: Pietro Oliva
Source 
                							

                Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection
Author: Pietro Oliva
CVE: CVE-2020-12111
Vendor: TP-LINK
Product: NC260, NC450
Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304
Fixed version:    NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401

Description:
The issue is located in the httpSetEncryptKeyRpm method (handler for
/setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled
EncryptKey parameter is used directly as part of a command line to be executed
as root without any input sanitization.

Impact:
Attackers could exploit this vulnerability to remotely execute commands as root
on affected devices.

Exploitation:
An attacker would first need to authenticate to the web interface and make a
POST request to /setEncryptKey.fcgi. Commands to be executed with root
privileges can be injected in the EncryptKey parameter.

Evidence:
The disassembly of affected code from an NC450 camera is shown below:

httpSetEncryptKeyRpm:

0x00491728   lw a0, -0x7fd4(gp)
0x0049172c   nop
0x00491730   addiu a0, a0, 0x3344        ; "echo %s > %s/%08X"
0x00491734   lw a1, (EncryptKey_param)   ; Attacker controlled string
0x00491738   lw a2, -0x7fd4(gp)
0x0049173c   nop
0x00491740   addiu a2, a2, 0x3330        ; 0x583330 ; "/tmp/.encryptkey/"
0x00491744   lw a3, -0x7fe8(gp)
0x00491748   nop
0x0049174c   addiu a3, a3, -0xf10
0x00491750   lw a3, (a3)
0x00491754   lw t9, -sym.cmCommand(gp)
0x00491758   nop
0x0049175c   jalr t9

Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:

https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware

Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
27th April 2020 - Patched firmware provided by vendor for verification.
27th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started