Exploit for TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection CVE-2020-12111

Name: Exploit for TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection CVE-2020-12111
Rating: 5 (102 reviews)
2020-05-01 | CVSS 9.0
## https://sploitus.com/exploit?id=PACKETSTORM:157533
Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection  
Author: Pietro Oliva  
CVE: CVE-2020-12111  
Vendor: TP-LINK  
Product: NC260, NC450  
Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304  
Fixed version: NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401  
  
Description:  
The issue is located in the httpSetEncryptKeyRpm method (handler for  
/setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled  
EncryptKey parameter is used directly as part of a command line to be executed  
as root without any input sanitization.  
  
Impact:  
Attackers could exploit this vulnerability to remotely execute commands as root  
on affected devices.  
  
Exploitation:  
An attacker would first need to authenticate to the web interface and make a  
POST request to /setEncryptKey.fcgi. Commands to be executed with root  
privileges can be injected in the EncryptKey parameter.  
  
Evidence:  
The disassembly of affected code from an NC450 camera is shown below:  
  
httpSetEncryptKeyRpm:  
  
0x00491728 lw a0, -0x7fd4(gp)  
0x0049172c nop  
0x00491730 addiu a0, a0, 0x3344 ; "echo %s > %s/%08X"  
0x00491734 lw a1, (EncryptKey_param) ; Attacker controlled string  
0x00491738 lw a2, -0x7fd4(gp)  
0x0049173c nop  
0x00491740 addiu a2, a2, 0x3330 ; 0x583330 ; "/tmp/.encryptkey/"  
0x00491744 lw a3, -0x7fe8(gp)  
0x00491748 nop  
0x0049174c addiu a3, a3, -0xf10  
0x00491750 lw a3, (a3)  
0x00491754 lw t9, -sym.cmCommand(gp)  
0x00491758 nop  
0x0049175c jalr t9  
  
Remediation:  
Install firmware updates provided by the vendor to fix the vulnerability.  
The latest updates can be found at the following URLs:  
  
https://www.tp-link.com/en/support/download/nc200/#Firmware  
https://www.tp-link.com/en/support/download/nc210/#Firmware  
https://www.tp-link.com/en/support/download/nc220/#Firmware  
https://www.tp-link.com/en/support/download/nc230/#Firmware  
https://www.tp-link.com/en/support/download/nc250/#Firmware  
https://www.tp-link.com/en/support/download/nc260/#Firmware  
https://www.tp-link.com/en/support/download/nc450/#Firmware  
  
Disclosure timeline:  
29th March 2020 - Vulnerability reported to vendor.  
27th April 2020 - Patched firmware provided by vendor for verification.  
27th April 2020 - Confirmed the vulnerability was fixed.  
29th April 2020 - Firmware updates released to the public.  
29th April 2020 - Vulnerability details are made public.