TP-Link Cloud Cameras NCXXX Bonjour Command Injection
Disclosed |
---|
Apr 29, 2020 |
Description
TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230,
NC250, NC260, NC450) are vulnerable to an authenticated command
injection. On all devices except the NC210, swSystemSetProductAliasCheck
checks the length of the system name but nothing else, so shell
metacharacters are not rejected. The system name is then used in
swBonjourStartHTTP as part of a shell command, where arbitrary commands
can be injected and executed as root. NC210 devices cannot be exploited
directly via /setsysname.cgi because that input is properly validated.
They are still vulnerable, however, because swBonjourStartHTTP does not
validate the alias name when reading it from the configuration file.
The configuration file can be written, and code execution achieved, by
combining this issue with CVE-2020-12110.
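The fix pattern implied by the description, as an added example (not TP-Link firmware or module code): validate the alias with an allow-list at the point of use, including when it is read back from the configuration file, and pass it as a single argv element rather than through a shell string. The helper path, the `--name` flag, the 32-byte limit and the fallback name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ALIAS_MAX 32                         /* assumed limit, not the firmware's */
#define DEFAULT_ALIAS "camera"               /* assumed fallback name */
#define RESPONDER "/usr/bin/mdns-responder"  /* hypothetical helper path */

/* Allow-list: letters, digits, space, '_', '.', and '-' (not first).
 * Rejects every shell metacharacter and also option-looking values. */
int alias_is_safe(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > ALIAS_MAX || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        if (!alnum && c != ' ' && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Sink-side check: applied to the value read from the configuration
 * file, not only to the CGI parameter, so a config file written by some
 * other path cannot carry metacharacters into the command. */
const char *alias_for_service(const char *from_config)
{
    return alias_is_safe(from_config) ? from_config : DEFAULT_ALIAS;
}

/* Fill an argv[] for execv()/posix_spawn(): the alias travels as one
 * argument and no shell ever parses it. Returns argc, or -1 if cap < 4. */
int build_responder_argv(const char *from_config, const char *argv[], int cap)
{
    if (cap < 4)
        return -1;
    argv[0] = RESPONDER;
    argv[1] = "--name";                      /* hypothetical flag */
    argv[2] = alias_for_service(from_config);
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *argv[4];
    build_responder_argv("Lobby Cam 2", argv, 4);  /* constructed sample alias */
    printf("%s %s \"%s\"\n", argv[0], argv[1], argv[2]);
    return 0;
}
```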
