Open Source and information security mailing list archives
Message-ID: <CAPk8Cmq2TE1XzgZEB7vdrb6vB_uMbDTYqjc-8VJZ5PORf4kP2g@mail.gmail.com>
Date: Wed, 29 Apr 2020 23:47:12 +0100
From: Pietro Oliva <pietroliva@...il.com>
To: fulldisclosure@...lists.org, bugtraq <bugtraq@...urityfocus.com>
Subject: [FD] TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection

Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection
Author: Pietro Oliva
CVE: CVE-2020-12111
Vendor: TP-LINK
Product: NC260, NC450
Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304
Fixed version:    NC260 1.5.3 build 200401, NC450 1.5.4 build 200401

Description:
The issue is located in the httpSetEncryptKeyRpm method (the handler for
/setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled
EncryptKey parameter is formatted directly into a command line
("echo %s > %s/%08X") that is then executed as root, without any input
sanitization.

Impact:
Attackers could exploit this vulnerability to remotely execute commands as root
on affected devices.

Exploitation:
An attacker would first need to authenticate to the web interface and make a
POST request to /setEncryptKey.fcgi. Commands to be executed with root
privileges can be injected in the EncryptKey parameter.

Evidence:
The disassembly of affected code from an NC450 camera is shown below:

httpSetEncryptKeyRpm:

0x00491728   lw a0, -0x7fd4(gp)
0x0049172c   nop
0x00491730   addiu a0, a0, 0x3344        ; "echo %s > %s/%08X"
0x00491734   lw a1, (EncryptKey_param)   ; Attacker-controlled string
0x00491738   lw a2, -0x7fd4(gp)
0x0049173c   nop
0x00491740   addiu a2, a2, 0x3330        ; 0x583330 ; "/tmp/.encryptkey/"
0x00491744   lw a3, -0x7fe8(gp)
0x00491748   nop
0x0049174c   addiu a3, a3, -0xf10
0x00491750   lw a3, (a3)
0x00491754   lw t9, -sym.cmCommand(gp)
0x00491758   nop
0x0049175c   jalr t9
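To make the root cause and the fix concrete, here is an added C example (not the vendor's ipcamera code and not part of the advisory) of how a handler like httpSetEncryptKeyRpm can store the key without ever building a shell command. The advisory's disassembly shows the key being formatted into "echo %s > %s/%08X" and handed to cmCommand, a system()-style call; the replacement below validates the key against a strict allowlist, formats only the file path (whose components the server controls), and writes the file with fopen/fputs. The assumption that EncryptKey is a hex string of at most 64 characters is mine; the advisory does not state the key format.

```c
/* Added example: a hardened replacement for the "echo <key> > <dir>/<id>"
 * pattern described in the advisory. Not TP-LINK's code.
 * Assumption: the key is a non-empty hex string of at most ENCRYPT_KEY_MAX
 * characters (the advisory does not specify the format). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENCRYPT_KEY_MAX 64

/* Strict allowlist validation of the request parameter.
 * Returns 1 when key is non-empty, at most ENCRYPT_KEY_MAX characters and
 * made only of hex digits; 0 otherwise. Because the check is an allowlist,
 * shell metacharacters, whitespace and path separators can never pass. */
int encrypt_key_is_valid(const char *key)
{
    size_t n;
    if (key == NULL)
        return 0;
    for (n = 0; key[n] != '\0'; n++) {
        if (n >= ENCRYPT_KEY_MAX)
            return 0;
        if (!isxdigit((unsigned char)key[n]))
            return 0;
    }
    return n > 0;
}

/* Builds "<dir>/<id as 8 hex digits>" into out, mirroring the %s/%08X
 * part of the original format string. Both components are supplied by the
 * server, never by the request. Returns 0 on success, -1 on truncation. */
int build_key_path(char *out, size_t out_len, const char *dir, unsigned id)
{
    int r = snprintf(out, out_len, "%s/%08X", dir, id);
    if (r < 0 || (size_t)r >= out_len)
        return -1;
    return 0;
}

/* Writes the key (plus newline, as echo would) to an already-open stream.
 * No shell is involved, so the key's content cannot change what runs.
 * Returns 0 on success, -1 if the key is invalid or the write fails. */
int write_encrypt_key(FILE *fp, const char *key)
{
    if (!encrypt_key_is_valid(key))
        return -1;
    if (fputs(key, fp) == EOF || fputc('\n', fp) == EOF)
        return -1;
    return fflush(fp) == 0 ? 0 : -1;
}

/* Full handler replacement: validate, build the path, open with fopen,
 * write, close. Returns 0 on success, -1 on any failure. */
int set_encrypt_key(const char *dir, unsigned id, const char *key)
{
    char path[256];
    FILE *fp;
    int rc;

    if (!encrypt_key_is_valid(key))
        return -1;
    if (build_key_path(path, sizeof path, dir, id) != 0)
        return -1;
    fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    rc = write_encrypt_key(fp, key);
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}
```

The important design choice is the first function: rejecting anything outside a small allowlist is far more robust than trying to escape a string for the shell, and once the value is only ever passed to fputs there is no command interpreter left to inject into. In a real handler the same validation would run before the value is stored or logged, so an invalid key is rejected at the request boundary.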

Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:

https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware

Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
27th April 2020 - Patched firmware provided by vendor for verification.
27th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
