Exploit for TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference Vulnerability CVE-2020-10231

Name: Exploit for TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference Vulnerability CVE-2020-10231
Rating: 5 (180 reviews)
2020-04-01 | CVSS 5.0
## https://sploitus.com/exploit?id=1337DAY-ID-34178
Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214,
                  NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205,
                  NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805,
                  NC450 <= 1.5.0 build 181022

Description:
The issue is located in the httpLoginRpm method of the ipcamera binary (handler
method for /login.fcgi), where after successful login, there is no check for
NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly
after that, there is a call to strstr(user_agent_string, "Firefox") and if a
User-Agent header is not specified by the client, httpGetEnv will return NULL,
and a NULL pointer dereference occurs when calling strstr, with consequent crash
of the ipcamera process.

Impact:
After the crash, the web interface on port 80 will not be available anymore.

Exploitation:
An attacker could exploit this issue by just sending a login request with valid
credentials (such as admin or limited user), but without an user-agent HTTP
header. Default credentials can be used to bypass the credentials requirement.

Evidence:
The disassembly of affected code from an NC200 camera is shown below:

0x0047dca0   lw a0, (user_arg)
0x0047dca4   lw a1, (password_arg)
0x0047dca8   lw t9, -sym.swUMMatchPassword(gp)
0x0047dcac   nop
0x0047dcb0   jalr t9
0x0047dcb4   nop
0x0047dcb8   lw gp, (saved_gp)
0x0047dcbc   sw v0, (auth_result)
0x0047dcc0   lw v0, (auth_result)
0x0047dcc4   nop
0x0047dcc8   bnez v0, 0x47de34
0x0047dccc   nop
0x0047dcd0   sw zero, (arg_54h)
0x0047dcd4   lw a0, (environment)
0x0047dcd8   lw a1, -0x7fe4(gp)
0x0047dcdc   nop
0x0047dce0   addiu a1, a1, -0x7cb0       ; "HTTP_USER_AGENT"
0x0047dce4   lw t9, -sym.httpGetEnv(gp)
0x0047dce8   nop
0x0047dcec   jalr t9
0x0047dcf0   nop
0x0047dcf4   lw gp, (saved_gp)
0x0047dcf8   sw v0, (user_agent_ptr)
0x0047dcfc   lw a0, (user_agent_ptr)     ; <== This pointer could be NULL
0x0047dd00   lw a1, -0x7fe4(gp)
0x0047dd04   nop
0x0047dd08   addiu a1, a1, -0x7ca0       ; "Firefox"
0x0047dd0c   lw t9, -sym.imp.strstr(gp)
0x0047dd10   nop
0x0047dd14   jalr t9