module

TP-Link Cloud Cameras NCXXX Bonjour Command Injection

Try Surface Command
Back to search
Disclosed
2020-04-29
Created
2020-09-18

Description

TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230,
NC250, NC260, NC450) are vulnerable to an authenticated command
injection. In all devices except NC210, despite a check on the name length in
swSystemSetProductAliasCheck, no other checks are in place in order
to prevent shell metacharacters from being introduced. The system name
would then be used in swBonjourStartHTTP as part of a shell command
where arbitrary commands could be injected and executed as root. NC210 devices
cannot be exploited directly via /setsysname.cgi due to proper input
validation. NC210 devices are still vulnerable since swBonjourStartHTTP
did not perform any validation when reading the alias name from the
configuration file. The configuration file can be written, and code
execution can be achieved by combining this issue with CVE-2020-12110.

Author

Pietro Oliva pietroliva@gmail.com

Platform

Linux

Architectures

mipsle

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
    msf exploit(tp_link_ncxxx_bonjour_command_injection) > show targets
        ...targets...
    msf exploit(tp_link_ncxxx_bonjour_command_injection) > set TARGET < target-id >
    msf exploit(tp_link_ncxxx_bonjour_command_injection) > show options
        ...show and set options...
    msf exploit(tp_link_ncxxx_bonjour_command_injection) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today