Rapid7 Vulnerability & Exploit Database

TP-Link Cloud Cameras NCXXX Bonjour Command Injection

Back to Search

TP-Link Cloud Cameras NCXXX Bonjour Command Injection



TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.


  • Pietro Oliva <pietroliva@gmail.com>






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show targets
msf exploit(tp_link_ncxxx_bonjour_command_injection) > set TARGET < target-id >
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show options
    ...show and set options...
msf exploit(tp_link_ncxxx_bonjour_command_injection) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security