Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection Author: Pietro Oliva CVE: CVE-2020-12111 Vendor: TP-LINK Product: NC260, NC450 Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304 Fixed version: NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401 Description: The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization. Impact: Attackers could exploit this vulnerability to remotely execute commands as root on affected devices. Exploitation: An attacker would first need to authenticate to the web interface and make a POST request to /setEncryptKey.fcgi. Commands to be executed with root privileges can be injected in the EncryptKey parameter. Evidence: The disassembly of affected code from an NC450 camera is shown below: httpSetEncryptKeyRpm: 0x00491728 lw a0, -0x7fd4(gp) 0x0049172c nop 0x00491730 addiu a0, a0, 0x3344 ; "echo %s > %s/%08X" 0x00491734 lw a1, (EncryptKey_param) ; Attacker controlled string 0x00491738 lw a2, -0x7fd4(gp) 0x0049173c nop 0x00491740 addiu a2, a2, 0x3330 ; 0x583330 ; "/tmp/.encryptkey/" 0x00491744 lw a3, -0x7fe8(gp) 0x00491748 nop 0x0049174c addiu a3, a3, -0xf10 0x00491750 lw a3, (a3) 0x00491754 lw t9, -sym.cmCommand(gp) 0x00491758 nop 0x0049175c jalr t9 Remediation: Install firmware updates provided by the vendor to fix the vulnerability. The latest updates can be found at the following URLs: https://www.tp-link.com/en/support/download/nc200/#Firmware https://www.tp-link.com/en/support/download/nc210/#Firmware https://www.tp-link.com/en/support/download/nc220/#Firmware https://www.tp-link.com/en/support/download/nc230/#Firmware https://www.tp-link.com/en/support/download/nc250/#Firmware https://www.tp-link.com/en/support/download/nc260/#Firmware https://www.tp-link.com/en/support/download/nc450/#Firmware Disclosure timeline: 29th March 2020 - Vulnerability reported to vendor. 27th April 2020 - Patched firmware provided by vendor for verification. 27th April 2020 - Confirmed the vulnerability was fixed. 29th April 2020 - Firmware updates released to the public. 29th April 2020 - Vulnerability details are made public.