Vulnerability title: TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key
Author: Pietro Oliva
CVE: CVE-2020-12110
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.9 build 200225, NC210 <= 1.0.9 build 200304,
                  NC220 <= 1.3.0 build 200304, NC230 <= 1.3.0 build 200304,
                  NC250 <= 1.3.0 build 200304, NC260 <= 1.5.2 build 200304,
                  NC450 <= 1.5.3 build 200304.

Fixed version:    NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,
                  NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,
                  NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,
                  NC450 <= 1.5.4 build 200401


Description:
The issue is located in the methods swSystemBackup and sym.swSystemRestoreFile,
where a hardcoded encryption key is used in order to encrypt/decrypt a config
backup file. The algorithm in use is DES ECB with modified s-boxes and
permutation tables.

Impact:
Attackers could exploit this vulnerability to decrypt backup files and get
access to sensitive data, such as the following:
-Alarm FTP server user and password
-Wlan passphrase
-PPPOE user and password
-Alarm SMTP server user and password
-DDNS user and password

In addition to that, attackers could forge an encrypted backup file that can
be restored via the web interface. This allowed arbitrary files to be written or
overwritten with arbitrary attacker-controlled contents. Needless to say, this
could result in permanent damage or code execution as root.

Exploitation:
An attacker would have to figure out the modified DES algorithm in order to be
able to encrypt/decrypt config backup files. This is not hard to do with some
google search. Once that has been done, attackers can either decrypt backup
files or create their own with custom contents, effectlively writing arbitrary
files on the device.


Evidence:
The disassembly of affected code from an NC200 camera is shown below:

swSystemRestoreFile:

0x004a0f88   lui gp, 0xa
0x004a0f8c   addiu gp, gp, -0x5c78
0x004a0f90   addu gp, gp, t9
0x004a0f94   addiu sp, sp, -0x4f8
0x004a0f98   sw ra, (var_4f4h)
0x004a0f9c   sw fp, (var_4f0h)
0x004a0fa0   move fp, sp
0x004a0fa4   sw gp, (var_18h)
0x004a0fa8   sw a0, (encrypted_filename_ptr)
0x004a0fac   lw v0, -0x7fe4(gp)
0x004a0fb0   nop
0x004a0fb4   addiu v0, v0, -0x4c40       ; "/tmp/plainBackup"
0x004a0fb8   nop
0x004a0fbc   sw v0, (decrypted_filename_ptr)
0x004a0fc0   lw a0, (encrypted_filename_ptr)
0x004a0fc4   lw a1, -0x7fe4(gp)
0x004a0fc8   nop
0x004a0fcc   addiu a1, a1, -0x4c2c       ; "tp-link"
0x004a0fd0   lw a2, (decrypted_filename_ptr)
0x004a0fd4   lw t9, -sym.DES_Decrypt(gp)
0x004a0fd8   nop
0x004a0fdc   jalr t9

swSystemBackup:

0x004a1c54   lw a0, -0x7fe4(gp)
0x004a1c58   nop
0x004a1c5c   addiu a0, a0, -0x4bbc       ; "/usr/local/config/ipcamera/pBackup"
0x004a1c60   lw a1, -0x7fe4(gp)
0x004a1c64   nop
0x004a1c68   addiu a1, a1, -0x4c2c       ; "tp-link"
0x004a1c6c   lw a2, -0x7fe4(gp)
0x004a1c70   nop
0x004a1c74   addiu a2, a2, -0x4b84       ; "/usr/local/config/ipcamera/eBackup"
0x004a1c78   lw t9, -sym.DES_Encrypt(gp)
0x004a1c7c   nop
0x004a1c80   jalr t9

Mitigating factors:
-Almost every camera model has a different hardcoded key. However, this is not
hard to find and all cameras of the same model share the same encryption key
which cannot be changed.

Remediation:
Install firmware updates provided by the vendor to fix the vulnerability.
The latest updates can be found at the following URLs:

https://www.tp-link.com/en/support/download/nc200/#Firmware
https://www.tp-link.com/en/support/download/nc210/#Firmware
https://www.tp-link.com/en/support/download/nc220/#Firmware
https://www.tp-link.com/en/support/download/nc230/#Firmware
https://www.tp-link.com/en/support/download/nc250/#Firmware
https://www.tp-link.com/en/support/download/nc260/#Firmware
https://www.tp-link.com/en/support/download/nc450/#Firmware

Disclosure timeline:
29th March 2020 - Vulnerability reported to vendor.
10th April 2020 - Patched firmware provided by vendor for verification.
10th April 2020 - Confirmed the vulnerability was fixed.
29th April 2020 - Firmware updates released to the public.
29th April 2020 - Vulnerability details are made public.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to