The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key
Vulnerability title: TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key
Author: Pietro Oliva
CVE: CVE-2020-12110
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.9 build 200225, NC210 <= 1.0.9 build 200304,
NC220 <= 1.3.0 build 200304, NC230 <= 1.3.0 build 200304,
NC250 <= 1.3.0 build 200304, NC260 <= 1.5.2 build 200304,
NC450 <= 1.5.3 build 200304.
Fixed version: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,
NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,
NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,
NC450 <= 1.5.4 build 200401
Description:
The issue is located in the methods swSystemBackup and sym.swSystemRestoreFile,
where a hardcoded encryption key is used in order to encrypt/decrypt a config
backup file. The algorithm in use is DES ECB with modified s-boxes and
permutation tables.
Impact:
Attackers could exploit this vulnerability to decrypt backup files and get
access to sensitive data, such as the following:
-Alarm FTP server user and password
-Wlan passphrase
-PPPOE user and password
-Alarm SMTP server user and password
-DDNS user and password
In addition to that, attackers could forge an encrypted backup file that can
be restored via the web interface. This allowed arbitrary files to be written or
overwritten with arbitrary attacker-controlled contents. Needless to say, this
could result in permanent damage or code execution as root.
Exploitation:
An attacker would have to figure out the modified DES algorithm in order to be
able to encrypt/decrypt config backup files. This is not hard to do with some
google search. Once that has been done, attackers can either decrypt backup
files or create their own with custom contents, effectlively writing arbitrary
files on the device.
Evidence:
The disassembly of affected code from an NC200 camera is shown below:
swSystemRestoreFile:
0x004a0f88 lui gp, 0xa
0x004a0f8c addiu gp, gp, -0x5c78
0x004a0f90 addu gp, gp, t9
0x004a0f94 addiu sp, sp, -0x4f8
0x004a0f98 sw ra, (var_4f4h)
0x004a0f9c sw fp, (var_4f0h)
0x004a0fa0 move fp, sp
0x004a0fa4 sw gp, (var_18h)
0x004a0fa8 sw a0, (encrypted_filename_ptr)
0x004a0fac lw v0, -0x7fe4(gp)
0x004a0fb0 nop
0x004a0fb4 addiu v0, v0, -0x4c40 ; "/tmp/plainBackup"
0x004a0fb8 nop
0x004a0fbc sw v0, (decrypted_filename_ptr)
0x004a0fc0 lw a0, (encrypted_filename_ptr)
0x004a0fc4 lw a1, -0x7fe4(gp)
0x004a0fc8 nop
0x004a0fcc addiu a1, a1, -0x4c2c ; "tp-link"
0x004a0fd0 lw a2, (decrypted_filename_ptr)
0x004a0fd4 lw t9, -sym.DES_Decrypt(gp)
0x004a0fd8 nop
0x004a0fdc jalr t9
swSystemBackup:
0x004a1c54 lw a0, -0x7fe4(gp)
0x004a1c58 nop
0x004a1c5c addiu a0, a0, -0x4bbc ; "/usr/local/config/ipcamera/pBackup"
0x004a1c60 lw a1, -0x7fe4(gp)
0x004a1c64 nop
0x004a1c68 addiu a1, a1, -0x4c2c ; "tp-link"
0x004a1c6c lw a2, -0x7fe4(gp)
0x004a1c70 nop
0x004a1c74 addiu a2, a2, -0x4b84 ; "/usr/local/config/ipcamera/eBackup"
0x004a1c78 lw t9, -sym.DES_Encrypt(gp)
0x004a1c7c nop
0x004a1c80 jalr t9
Mitigating factors:
-Almost every camera model has a different hardcoded key. However, this is not
hard to find and all cameras of the same model share the same encryption key
which cannot be changed.
Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:
https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware
Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
10th April 2020 - Patched firmware provided by vendor for verification.
10th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum