The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection
Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection
Author: Pietro Oliva
CVE: CVE-2020-12111
Vendor: TP-LINK
Product: NC260, NC450
Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304
Fixed version: NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401
Description:
The issue is located in the httpSetEncryptKeyRpm method (handler for
/setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled
EncryptKey parameter is used directly as part of a command line to be executed
as root without any input sanitization.
Impact:
Attackers could exploit this vulnerability to remotely execute commands as root
on affected devices.
Exploitation:
An attacker would first need to authenticate to the web interface and make a
POST request to /setEncryptKey.fcgi. Commands to be executed with root
privileges can be injected in the EncryptKey parameter.
Evidence:
The disassembly of affected code from an NC450 camera is shown below:
httpSetEncryptKeyRpm:
0x00491728 lw a0, -0x7fd4(gp)
0x0049172c nop
0x00491730 addiu a0, a0, 0x3344 ; "echo %s > %s/%08X"
0x00491734 lw a1, (EncryptKey_param) ; Attacker controlled string
0x00491738 lw a2, -0x7fd4(gp)
0x0049173c nop
0x00491740 addiu a2, a2, 0x3330 ; 0x583330 ; "/tmp/.encryptkey/"
0x00491744 lw a3, -0x7fe8(gp)
0x00491748 nop
0x0049174c addiu a3, a3, -0xf10
0x00491750 lw a3, (a3)
0x00491754 lw t9, -sym.cmCommand(gp)
0x00491758 nop
0x0049175c jalr t9
Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:
https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware
Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
27th April 2020 - Patched firmware provided by vendor for verification.
27th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum