Rapid7 Vulnerability & Exploit Database

TP-Link Cloud Cameras NCXXX Bonjour Command Injection


Disclosed
04/29/2020
Created
09/18/2020

Description

The TP-Link NCXXX series of cloud cameras (NC200, NC210, NC220, NC230, NC250, NC260, NC450) is vulnerable to an authenticated command injection. On all devices except the NC210, swSystemSetProductAliasCheck checks the length of the system name but nothing else, so shell metacharacters are not rejected. swBonjourStartHTTP then uses the system name as part of a shell command, where arbitrary commands can be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi because that path validates its input properly, but they are still vulnerable: swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution achieved, by combining this issue with CVE-2020-12110.
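The validation gap described above, as an added example that is not code from the firmware or from the Metasploit module: a length-only check beside an allowlist check, with the allowlist re-applied where the alias is read back from configuration. The function names, ALIAS_MAX, ALIAS_DEFAULT and the "alias=" line format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ALIAS_MAX 32            /* assumed limit; the firmware's value is not on the page */
#define ALIAS_DEFAULT "camera"  /* hypothetical fallback name */
#define ALNUM "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

/* Length-only check: the weak form the description attributes to the firmware. */
int alias_length_only_ok(const char *s)
{
    size_t n = strlen(s);
    return n > 0 && n <= ALIAS_MAX;
}

/* Allowlist: alphanumerics plus '-' and '_', first character alphanumeric, so
 * neither shell metacharacters nor a leading option dash can get through. */
int alias_allowlist_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > ALIAS_MAX || strchr(ALNUM, s[0]) == NULL)
        return 0;
    return strspn(s, ALNUM "-_") == n;
}

/* Sink-side validation: re-check the alias read from a config line (constructed
 * "alias=<value>" format) before use, since the file may have been written
 * by a path that bypasses the CGI handler's input checks. */
const char *alias_from_config(const char *line, char *out, size_t outlen)
{
    static const char key[] = "alias=";
    size_t klen = sizeof key - 1, n;

    if (strncmp(line, key, klen) != 0)
        return ALIAS_DEFAULT;
    n = strcspn(line + klen, "\r\n");
    if (n >= outlen)
        return ALIAS_DEFAULT;
    memcpy(out, line + klen, n);
    out[n] = '\0';
    return alias_allowlist_ok(out) ? out : ALIAS_DEFAULT;
}

int main(void)
{
    char buf[ALIAS_MAX + 1];
    /* Constructed sample lines, not taken from a real device. */
    printf("%s\n", alias_from_config("alias=front-door_1\n", buf, sizeof buf));
    printf("%s\n", alias_from_config("alias=cam;id\n", buf, sizeof buf));
    return 0;
}
```

Validating at the point of use covers both paths in the description: the CGI handler and any other writer of the configuration file.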

Author(s)

  • Pietro Oliva <pietroliva@gmail.com>

Platform

Linux

Architectures

mipsle

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show targets
    ...targets...
msf exploit(tp_link_ncxxx_bonjour_command_injection) > set TARGET <target-id>
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show options
    ...show and set options...
msf exploit(tp_link_ncxxx_bonjour_command_injection) > exploit
