lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPk8Cmq6sfVgjQU9sxcbRF+RfLnB4hX8He39kOJeRt3bVU1ViQ@mail.gmail.com> Date: Thu, 9 Apr 2020 17:32:14 +0100 From: Pietro Oliva <pietroliva@...il.com> To: fulldisclosure@...lists.org Subject: Re: [FD] TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference [UPDATE 08/04/2020] - The vendor has published firmware updates to fix the issue. Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference Author: Pietro Oliva CVE: CVE-2020-10231 Vendor: TP-LINK Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450 Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214, NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205, NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805, NC450 <= 1.5.0 build 181022 Fixed in version: NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, NC450 1.5.3 build 200304 Description: The issue is located in the httpLoginRpm method of the ipcamera binary (handler method for /login.fcgi), where after successful login, there is no check for NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly after that, there is a call to strstr(user_agent_string, "Firefox") and if a User-Agent header is not specified by the client, httpGetEnv will return NULL, and a NULL pointer dereference occurs when calling strstr, with consequent crash of the ipcamera process. Impact: After the crash, the web interface on port 80 will not be available anymore. Exploitation: An attacker could exploit this issue by just sending a login request with valid credentials (such as admin or limited user), but without an user-agent HTTP header. Default credentials can be used to bypass the credentials requirement. Evidence: The disassembly of affected code from an NC200 camera is shown below: 0x0047dca0 lw a0, (user_arg) 0x0047dca4 lw a1, (password_arg) 0x0047dca8 lw t9, -sym.swUMMatchPassword(gp) 0x0047dcac nop 0x0047dcb0 jalr t9 0x0047dcb4 nop 0x0047dcb8 lw gp, (saved_gp) 0x0047dcbc sw v0, (auth_result) 0x0047dcc0 lw v0, (auth_result) 0x0047dcc4 nop 0x0047dcc8 bnez v0, 0x47de34 0x0047dccc nop 0x0047dcd0 sw zero, (arg_54h) 0x0047dcd4 lw a0, (environment) 0x0047dcd8 lw a1, -0x7fe4(gp) 0x0047dcdc nop 0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT" 0x0047dce4 lw t9, -sym.httpGetEnv(gp) 0x0047dce8 nop 0x0047dcec jalr t9 0x0047dcf0 nop 0x0047dcf4 lw gp, (saved_gp) 0x0047dcf8 sw v0, (user_agent_ptr) 0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL 0x0047dd00 lw a1, -0x7fe4(gp) 0x0047dd04 nop 0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox" 0x0047dd0c lw t9, -sym.imp.strstr(gp) 0x0047dd10 nop 0x0047dd14 jalr t9 Remediation: Install firmware updates provided by the vendor to fix the vulnerability. The latest updates can be found at the following URLs: https://www.tp-link.com/en/support/download/nc200/#Firmware https://www.tp-link.com/en/support/download/nc210/#Firmware https://www.tp-link.com/en/support/download/nc220/#Firmware https://www.tp-link.com/en/support/download/nc230/#Firmware https://www.tp-link.com/en/support/download/nc250/#Firmware https://www.tp-link.com/en/support/download/nc260/#Firmware https://www.tp-link.com/en/support/download/nc450/#Firmware Disclosure timeline: 2nd December 2019 - Initial vulnerability report for NC200. 4th December 2019 - Vendor confirms vulnerablity but does not start fixing due to the product being end-of-life. 4th December 2019 - Notified vendor the vulnerability details will be public and it should be fixed. 6th December 2019 - Thanks for your opinion, we will discuss and write back to you. <silence> 7th February 2020 - Notified vendor issue exists on NC450 and possibly all models in between. Fixed a disclosure deadline in 30 days. 8th February 2020 - Vendor: We will check but please be patient. 18th February 2020 - We failed to reproduce the issue with the provided PoC. <trying to troubleshoot> 24th February 2020 - Reverse engineered all the firmware images on behalf of the vendor and notified they were all vulnerable. 2nd March 2020 - Vendor asks to check fixes for NC200. 2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras. 3rd March 2020 - Vendor will check on other cameras, but will take some time. 3rd March 2020 - Asked the vendor to be quick. 9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch. 9th March 2020 - Vendor is testing fix on all models. 13th March 2020 - Vendor asks to confirm fixes. 13th March 2020 - Confirmed fixes and asked the vendor to publish updates. Disclosure delayed one week to give some time to patch if the vendor published firmware updates. 29th March 2020 - No updates have been made public by the vendor. Releasing details to the public after almost 4 months from initial notification. 08 April 2020 - Firmware updates fixing the vulnerability released by the vendor. 09 April 2020 - Updated this vulnerability disclosure with fix information. Il giorno dom 29 mar 2020 alle ore 20:47 Pietro Oliva <pietroliva@...il.com> ha scritto: > > Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference > Author: Pietro Oliva > CVE: CVE-2020-10231 > Vendor: TP-LINK > Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450 > Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214, > NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205, > NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805, > NC450 <= 1.5.0 build 181022 > > Description: > The issue is located in the httpLoginRpm method of the ipcamera binary (handler > method for /login.fcgi), where after successful login, there is no check for > NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly > after that, there is a call to strstr(user_agent_string, "Firefox") and if a > User-Agent header is not specified by the client, httpGetEnv will return NULL, > and a NULL pointer dereference occurs when calling strstr, with consequent crash > of the ipcamera process. > > Impact: > After the crash, the web interface on port 80 will not be available anymore. > > Exploitation: > An attacker could exploit this issue by just sending a login request with valid > credentials (such as admin or limited user), but without an user-agent HTTP > header. Default credentials can be used to bypass the credentials requirement. > > Evidence: > The disassembly of affected code from an NC200 camera is shown below: > > 0x0047dca0 lw a0, (user_arg) > 0x0047dca4 lw a1, (password_arg) > 0x0047dca8 lw t9, -sym.swUMMatchPassword(gp) > 0x0047dcac nop > 0x0047dcb0 jalr t9 > 0x0047dcb4 nop > 0x0047dcb8 lw gp, (saved_gp) > 0x0047dcbc sw v0, (auth_result) > 0x0047dcc0 lw v0, (auth_result) > 0x0047dcc4 nop > 0x0047dcc8 bnez v0, 0x47de34 > 0x0047dccc nop > 0x0047dcd0 sw zero, (arg_54h) > 0x0047dcd4 lw a0, (environment) > 0x0047dcd8 lw a1, -0x7fe4(gp) > 0x0047dcdc nop > 0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT" > 0x0047dce4 lw t9, -sym.httpGetEnv(gp) > 0x0047dce8 nop > 0x0047dcec jalr t9 > 0x0047dcf0 nop > 0x0047dcf4 lw gp, (saved_gp) > 0x0047dcf8 sw v0, (user_agent_ptr) > 0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL > 0x0047dd00 lw a1, -0x7fe4(gp) > 0x0047dd04 nop > 0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox" > 0x0047dd0c lw t9, -sym.imp.strstr(gp) > 0x0047dd10 nop > 0x0047dd14 jalr t9 > > > Disclosure timeline: > > 2nd December 2019 - Initial vulnerability report for NC200. > > 4th December 2019 - Vendor confirms vulnerablity but does not start fixing > due to the product being end-of-life. > > 4th December 2019 - Notified vendor the vulnerability details will be public > and it should be fixed. > > 6th December 2019 - Thanks for your opinion, we will discuss and write back > to you. > > <silence> > > 7th February 2020 - Notified vendor issue exists on NC450 and possibly all > models in between. Fixed a disclosure deadline in 30 days. > > 8th February 2020 - Vendor: We will check but please be patient. > > 18th February 2020 - We failed to reproduce the issue with the provided PoC. > > <trying to troubleshoot> > > 24th February 2020 - Reverse engineered all the firmware images on behalf of > the vendor and notified they were all vulnerable. > > 2nd March 2020 - Vendor asks to check fixes for NC200. > > 2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras. > > 3rd March 2020 - Vendor will check on other cameras, but will take some time. > > 3rd March 2020 - Asked the vendor to be quick. > > 9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch. > > 9th March 2020 - Vendor is testing fix on all models. > > 13th March 2020 - Vendor asks to confirm fixes. > > 13th March 2020 - Confirmed fixes and asked the vendor to publish updates. > Disclosure delayed one week to give some time to patch if > the vendor published firmware updates. > > 29th March 2020 - No updates have been made public by the vendor. Releasing > details to the public after almost 4 months from initial > notification. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists