Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection  
Author: Pietro Oliva  
CVE: CVE-2020-12111  
Vendor: TP-LINK  
Product: NC260, NC450  
Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304  
Fixed version: NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401  
The issue is located in the httpSetEncryptKeyRpm method (handler for  
/setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled  
EncryptKey parameter is used directly as part of a command line to be executed  
as root without any input sanitization.  
Attackers could exploit this vulnerability to remotely execute commands as root  
on affected devices.  
An attacker would first need to authenticate to the web interface and make a  
POST request to /setEncryptKey.fcgi. Commands to be executed with root  
privileges can be injected in the EncryptKey parameter.  
The disassembly of affected code from an NC450 camera is shown below:  
0x00491728 lw a0, -0x7fd4(gp)  
0x0049172c nop  
0x00491730 addiu a0, a0, 0x3344 ; "echo %s > %s/%08X"  
0x00491734 lw a1, (EncryptKey_param) ; Attacker controlled string  
0x00491738 lw a2, -0x7fd4(gp)  
0x0049173c nop  
0x00491740 addiu a2, a2, 0x3330 ; 0x583330 ; "/tmp/.encryptkey/"  
0x00491744 lw a3, -0x7fe8(gp)  
0x00491748 nop  
0x0049174c addiu a3, a3, -0xf10  
0x00491750 lw a3, (a3)  
0x00491754 lw t9, -sym.cmCommand(gp)  
0x00491758 nop  
0x0049175c jalr t9  
Install firmware updates provided by the vendor to fix the vulnerability.  
The latest updates can be found at the following URLs:  
Disclosure timeline:  
29th March 2020 - Vulnerability reported to vendor.  
27th April 2020 - Patched firmware provided by vendor for verification.  
27th April 2020 - Confirmed the vulnerability was fixed.  
29th April 2020 - Firmware updates released to the public.  
29th April 2020 - Vulnerability details are made public.