TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection

Credit: Pietro Oliva
Risk: High
Local: No
Remote: Yes

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Vulnerability title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection Author: Pietro Oliva CVE: CVE-2020-12111 Vendor: TP-LINK Product: NC260, NC450 Affected version: NC260 <= 1.5.2 build 200304, NC450 <= 1.5.3 build 200304 Fixed version: NC260 <= 1.5.3 build_200401, NC450 <= 1.5.4 build 200401 Description: The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization. Impact: Attackers could exploit this vulnerability to remotely execute commands as root on affected devices. Exploitation: An attacker would first need to authenticate to the web interface and make a POST request to /setEncryptKey.fcgi. Commands to be executed with root privileges can be injected in the EncryptKey parameter. Evidence: The disassembly of affected code from an NC450 camera is shown below: httpSetEncryptKeyRpm: 0x00491728 lw a0, -0x7fd4(gp) 0x0049172c nop 0x00491730 addiu a0, a0, 0x3344 ; "echo %s > %s/%08X" 0x00491734 lw a1, (EncryptKey_param) ; Attacker controlled string 0x00491738 lw a2, -0x7fd4(gp) 0x0049173c nop 0x00491740 addiu a2, a2, 0x3330 ; 0x583330 ; "/tmp/.encryptkey/" 0x00491744 lw a3, -0x7fe8(gp) 0x00491748 nop 0x0049174c addiu a3, a3, -0xf10 0x00491750 lw a3, (a3) 0x00491754 lw t9, -sym.cmCommand(gp) 0x00491758 nop 0x0049175c jalr t9 Remediation: Install firmware updates provided by the vendor to fix the vulnerability. The latest updates can be found at the following URLs: Disclosure timeline: 29th March 2020 - Vulnerability reported to vendor. 27th April 2020 - Patched firmware provided by vendor for verification. 27th April 2020 - Confirmed the vulnerability was fixed. 29th April 2020 - Firmware updates released to the public. 29th April 2020 - Vulnerability details are made public.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top