exploit the possibilities

TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference

TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Posted Apr 1, 2020
Authored by Pietro Oliva

TP-LINK cloud cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a remote null pointer dereference vulnerability.

tags | advisory, remote
advisories | CVE-2020-10231
MD5 | 8a66c2d03002019d01d83e427c1b0fb9

TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference

Change Mirror Download
Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214,
NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205,
NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805,
NC450 <= 1.5.0 build 181022

Description:
The issue is located in the httpLoginRpm method of the ipcamera binary (handler
method for /login.fcgi), where after successful login, there is no check for
NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly
after that, there is a call to strstr(user_agent_string, "Firefox") and if a
User-Agent header is not specified by the client, httpGetEnv will return NULL,
and a NULL pointer dereference occurs when calling strstr, with consequent crash
of the ipcamera process.

Impact:
After the crash, the web interface on port 80 will not be available anymore.

Exploitation:
An attacker could exploit this issue by just sending a login request with valid
credentials (such as admin or limited user), but without an user-agent HTTP
header. Default credentials can be used to bypass the credentials requirement.

Evidence:
The disassembly of affected code from an NC200 camera is shown below:

0x0047dca0 lw a0, (user_arg)
0x0047dca4 lw a1, (password_arg)
0x0047dca8 lw t9, -sym.swUMMatchPassword(gp)
0x0047dcac nop
0x0047dcb0 jalr t9
0x0047dcb4 nop
0x0047dcb8 lw gp, (saved_gp)
0x0047dcbc sw v0, (auth_result)
0x0047dcc0 lw v0, (auth_result)
0x0047dcc4 nop
0x0047dcc8 bnez v0, 0x47de34
0x0047dccc nop
0x0047dcd0 sw zero, (arg_54h)
0x0047dcd4 lw a0, (environment)
0x0047dcd8 lw a1, -0x7fe4(gp)
0x0047dcdc nop
0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT"
0x0047dce4 lw t9, -sym.httpGetEnv(gp)
0x0047dce8 nop
0x0047dcec jalr t9
0x0047dcf0 nop
0x0047dcf4 lw gp, (saved_gp)
0x0047dcf8 sw v0, (user_agent_ptr)
0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL
0x0047dd00 lw a1, -0x7fe4(gp)
0x0047dd04 nop
0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox"
0x0047dd0c lw t9, -sym.imp.strstr(gp)
0x0047dd10 nop
0x0047dd14 jalr t9


Disclosure timeline:

2nd December 2019 - Initial vulnerability report for NC200.

4th December 2019 - Vendor confirms vulnerablity but does not start fixing
due to the product being end-of-life.

4th December 2019 - Notified vendor the vulnerability details will be public
and it should be fixed.

6th December 2019 - Thanks for your opinion, we will discuss and write back
to you.

<silence>

7th February 2020 - Notified vendor issue exists on NC450 and possibly all
models in between. Fixed a disclosure deadline in 30 days.

8th February 2020 - Vendor: We will check but please be patient.

18th February 2020 - We failed to reproduce the issue with the provided PoC.

<trying to troubleshoot>

24th February 2020 - Reverse engineered all the firmware images on behalf of
the vendor and notified they were all vulnerable.

2nd March 2020 - Vendor asks to check fixes for NC200.

2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras.

3rd March 2020 - Vendor will check on other cameras, but will take some time.

3rd March 2020 - Asked the vendor to be quick.

9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch.

9th March 2020 - Vendor is testing fix on all models.

13th March 2020 - Vendor asks to confirm fixes.

13th March 2020 - Confirmed fixes and asked the vendor to publish updates.
Disclosure delayed one week to give some time to patch if
the vendor published firmware updates.

29th March 2020 - No updates have been made public by the vendor. Releasing
details to the public after almost 4 months from initial
notification.


Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close