Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214,
                  NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205,
                  NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805,
                  NC450 <= 1.5.0 build 181022

The issue is located in the httpLoginRpm method of the ipcamera binary (handler
method for /login.fcgi), where after successful login, there is no check for
NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly
after that, there is a call to strstr(user_agent_string, "Firefox") and if a
User-Agent header is not specified by the client, httpGetEnv will return NULL,
and a NULL pointer dereference occurs when calling strstr, with consequent crash
of the ipcamera process.

After the crash, the web interface on port 80 will not be available anymore.

An attacker could exploit this issue by just sending a login request with valid
credentials (such as admin or limited user), but without an user-agent HTTP
header. Default credentials can be used to bypass the credentials requirement.

The disassembly of affected code from an NC200 camera is shown below:

0x0047dca0   lw a0, (user_arg)
0x0047dca4   lw a1, (password_arg)
0x0047dca8   lw t9, -sym.swUMMatchPassword(gp)
0x0047dcac   nop
0x0047dcb0   jalr t9
0x0047dcb4   nop
0x0047dcb8   lw gp, (saved_gp)
0x0047dcbc   sw v0, (auth_result)
0x0047dcc0   lw v0, (auth_result)
0x0047dcc4   nop
0x0047dcc8   bnez v0, 0x47de34
0x0047dccc   nop
0x0047dcd0   sw zero, (arg_54h)
0x0047dcd4   lw a0, (environment)
0x0047dcd8   lw a1, -0x7fe4(gp)
0x0047dcdc   nop
0x0047dce0   addiu a1, a1, -0x7cb0       ; "HTTP_USER_AGENT"
0x0047dce4   lw t9, -sym.httpGetEnv(gp)
0x0047dce8   nop
0x0047dcec   jalr t9
0x0047dcf0   nop
0x0047dcf4   lw gp, (saved_gp)
0x0047dcf8   sw v0, (user_agent_ptr)
0x0047dcfc   lw a0, (user_agent_ptr)     ; <== This pointer could be NULL
0x0047dd00   lw a1, -0x7fe4(gp)
0x0047dd04   nop
0x0047dd08   addiu a1, a1, -0x7ca0       ; "Firefox"
0x0047dd0c   lw t9, -sym.imp.strstr(gp)
0x0047dd10   nop
0x0047dd14   jalr t9

# [2020-04-02]  #