CVE-2023-28478: Vulnerability-Disclosures/MNDT-2023-0006.md at master · mandiant/Vulnerability-Disclosures

TP-Link EC-70 devices through 2.3.4 Build 20220902 rel.69498 have a Buffer Overflow.

MNDT-2023-0006

Description

A Stack-based Buffer Overflow exists in TP-Link’s Kasa EC70 Security Camera handling of authentication credentials.

Impact

High - Exploiting the vulnerability will give a network connected attacker a root shell on the device.

Exploitability

High - Requires access to the same network, but otherwise a user can exploit the vulnerability and an exploit is simple to produce.

CVE Reference

CVE-2023-28478

Common Vulnerability Scoring System

Base Score: 8.8 - Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Technical Details

The TP-Link EC-70 (Kasa Spot Pan Tilt) wireless security camera contains an exploitable stack-based buffer overflow in the Authentication header of multiple services, allowing an unauthenticated attacker on the same network to execute arbitrary code as the ‘root’ user on the device. Specifically, the tpsocket_base64_decode() function does not perform any bounds checking while decoding the supplied password value into a fixed-length buffer stored on the stack in the authentication callback function for the media-serviced (tcp/19443), ulinkied (tcp/10443), speaker (tcp/18443), and storaged (tcp/17443) services.

In order to reach the vulnerable code, an attacker needs to know the username associated with the device. This information can be obtained by requesting the smartlife.cam.ipcamera.cloud get_info method in a UDP packet to port 9999. The returned encoded JSON contains the username as one of the fields. Encoding and decoding the blobs is trivial, as the TP-Link Smart Home Protocol has been documented.

The Authentication header data is base64 decoded, and if the content before the first ‘:’ character doesn’t match the username, the authentication callback returns failure immediately. Otherwise an MD5 hash of the data following the first ‘:’ character is checked against the MD5 of the current password. If this matches, the callback returns success; otherwise the password data is base64 decoded a second time, this time into a 128-byte stack-based buffer, and the result is hashed and checked against the current password. The tpsocket_base64_decode() function has no parameter for the maximum output length, and is often used in the code to decode "in place", overwriting the original buffer. When it is used with a fixed-length buffer to decode untrusted input, an exploitable buffer overflow can occur.
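As an added illustration (not code from the advisory or from TP-Link's firmware), this is what a bounds-aware replacement for an unbounded decoder like tpsocket_base64_decode() looks like: the decoder takes the destination capacity, computes the decoded size from the input length before writing anything, and rejects any credential that would not fit in the 128-byte buffer. The function names and the plain-ASCII base64 handling are assumptions of this example.

```c
/* Added example, not TP-Link's or Mandiant's code: a base64 decoder that takes
 * the output capacity and refuses input whose decoded form would not fit. The
 * advisory's tpsocket_base64_decode() lacks that parameter, so an oversized
 * password overruns the 128-byte stack buffer. */
#include <string.h>

#define PASSWORD_BUF_LEN 128 /* size of the stack buffer named in the advisory */

static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode `in` into `out` (capacity out_cap). Returns bytes written, or -1 on
 * malformed input or when the decoded size exceeds out_cap; that size is
 * computed from the input length before any byte is written. */
long b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap) {
    size_t n = strlen(in), pad = 0, o = 0;
    if (n % 4 != 0) return -1;
    if (n >= 1 && in[n - 1] == '=') pad++;
    if (n >= 2 && in[n - 2] == '=') pad++;
    if (n / 4 * 3 - pad > out_cap) return -1; /* the bounds check the advisory says is missing */
    for (size_t i = 0; i < n; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) {
            if (in[i + k] == '=') { /* '=' only in the last group's last two slots */
                if (i + 4 != n || k < 2 || (k == 2 && in[i + 3] != '=')) return -1;
                v[k] = 0;
            } else if ((v[k] = b64_val(in[i + k])) < 0) {
                return -1;
            }
        }
        unsigned int bits = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = (bits >> 16) & 0xff;
        if (in[i + 2] != '=') out[o++] = (bits >> 8) & 0xff;
        if (in[i + 3] != '=') out[o++] = bits & 0xff;
    }
    return (long)o;
}
/* Password case from the advisory: decode into a 128-byte local buffer.
 * Returns the decoded length, or -1 if the credential was rejected. */
long password_decoded_len(const char *b64) {
    unsigned char buf[PASSWORD_BUF_LEN];
    return b64_decode_bounded(b64, buf, sizeof buf);
}
```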

Resolution

The issue is fixed in version 2.3.20 Build 20230424 rel.58785, which can be installed by upgrading the firmware on the device (if it has not already automatically updated).

Discovery Credits

  • Greg MacManus, Google Cloud + Mandiant, FLARE OTF

Disclosure Timeline

  • 16-Mar-2023 - Issue reported to TP-Link
  • 19-Mar-2023 - Patched version provided for testing
  • 25-Apr-2023 - Requested update on status.
  • 26-Apr-2023 - Early May release date estimated.
  • 6-Jun-2023 - Requested update on status.
  • 8-Jun-2023 - TP-Link reports fixed version has been released.

References

  • Mitre CVE-2023-28478
