Closed hacefresko closed 2 years ago
It's because all of the stuff is handled right inside uhttpd binary, it's not using lua scripts at all. I think the uci entries you see are just leftovers of openwrt projects they used in other of their products. TP-link really love to use openwrt in their recent products.
Edit:
I revisited uhttpd after seeing this issue, and found this gem...
It's in a function called upload_conf
so it may be useful or may not, I didn't really pay much attention to uhttpd before when we were doing the research🤔
So I see the way to go here is jumping into Ghidra and reversing the uhttpd binary, right? Although I have some experience with C programming, I'm new to Ghidra and I'm having issues with the language of the processor. The most reasonable decompilation I have achieved was with MIPS32, little endian, with mips16e, but there were some incorrect function calls (different number of parameters, nonsense return values, etc.). Which language is needed for this processor? Thanks so much
@hacefresko I'm using the same language as yours. Ghidra has never been known to have a great decompiler, and people even speculate that the NSA open sourced it because they can't improve it anymore and need the community's help :p So do expect to see a lot of "weird" stuff in the decompiled code. Especially for a stripped binary like the uhttpd in our case.
The best approach is to try to grasp the basic logic of the program via decompiled code and if possible, do dynamic tests on the running device to prove your understanding.
Also, I might need to remind you that AFAIK, the most important interface for this cam is /bin/cet running on port 8800. Most of the APIs used by its mobile app communicate over port 8800.
Thank you very much. I have managed to get the login logic and some other interesting things such as the factory status password. I'm starting to get comfortable with Ghidra, which is great. I'll share any other interesting thing I find :D
Edit: I have continued doing some research and found some things that, in the end, I couldn't exploit but I will share anyway:
First of all, I found what seems to be the default password for the factory status, although it may have some encryption layers:
It probably has something to do with this:
```
root@SLP:~# uci show | grep user
OSD_capability.font_info.color_type=auto user_defined
cloud_config.bind.username=hqMcgS4U/bkcM8QZQHT34NGANTSXH7XUV4OlbQeto5s=
function.module_spec.multi_user=0
luci.flash_keep.firewall=/etc/firewall/firewall.user
user_management.root=root
user_management.root.username=admin
user_management.root.passwd=874AAEB45AF77D9E0E0A17619C640F60
user_management.root.ciphertext=CHQTKowKXiEs2HKDRLmvbnFfGik/32xUU/a1LQjOV/cWvTStuHKtEqotDDg3KmvxF4rXeb4tibsyPfAR/2WRibpBm7g8QJjmewkljbMFFJ16B+7o88593eRmqkmgY0+EElGrsWBZoKLWfypF2Cyc8SIOFRVjZ76McS/LPqwn5So=
user_management.root.sharepwd=1604d5590be8e9336f73d641f6da0485
user_management.third_account=third_account
user_management.third_account.username=---
user_management.third_account.passwd=---
user_management.third_account.ciphertext=dl5GoIRk+FMC/JgP5yLjA+r8PynYYSai8DSmdv1Xw7iALNEKxkE5UusQw6BMC4+FlcWv0bCPuw8DSlSk/vkmcTZ/BF/ZY1ENNJqo+uJtiGi2f1zJFjleYhPlDx4YXa3qp7oSNF8EU1BU4mOY9nEtUakFl4oVPsvlLGM3qE/zI2k=
user_management.authentication=authentication
user_management.authentication.basic_enabled=0
```
But the only thing I found is that the passwd field is the md5 hash for the password.
Then, I found a function exec_and_read_json() used to execute commands in terminal and read the output as JSON. This function is vulnerable to command injection:
exec_and_read_json() is used in two other functions:
However, although they are used in uh_slp_proto_request(), which looks like one of the main functions, they are called once the request has been authenticated, so the input parameters to inject code are not reachable by a non-authenticated user :(
Anyway, it was fun to finally have a look into reversing.
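The command-injection shape described above for exec_and_read_json(), shown beside the two standard mitigations, as an added example that is not uhttpd's code (all function and program names here are hypothetical; only the bug pattern comes from the thread):

```c
/* Added example, not from uhttpd: a parameter pasted into a shell command
 * line vs. an allowlist check and an argv-based exec that never touches /bin/sh. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: the request parameter is spliced into a command string
 * that would then be handed to popen(); shell metacharacters in it become
 * additional commands. (Hypothetical program name, command is never run here.) */
int build_cmd_unsafe(char *out, size_t n, const char *param) {
    return snprintf(out, n, "/usr/bin/setlang %s", param);
}

/* Mitigation 1: strict allowlist for what a language tag may contain. */
int is_valid_lang(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 16) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-') return 0;
    return 1;
}

/* Mitigation 2: exec the program with an argv instead of a shell string, so
 * the parameter is always exactly one argument. Captures the child's stdout
 * into outbuf and returns its exit status, or -1 on failure. */
int run_argv(const char *const argv[], char *outbuf, size_t outlen) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    close(fds[1]);
    size_t got = 0; ssize_t r;
    while (got < outlen - 1 && (r = read(fds[0], outbuf + got, outlen - 1 - got)) > 0)
        got += (size_t)r;
    outbuf[got] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run with /bin/echo as the target program, the argv version prints a metacharacter-laden parameter back literally, which is the behaviour an authenticated-only injection sink like the one in the thread should have had.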
Hey! Just wanted to share that I ended up finding a critical vulnerability in uhttpd. This is a post I wrote about it in case someone is interested: https://hacefresko.github.io/posts/tp-link-tapo-c200-unauthenticated-rce
You have no idea how happy this makes me!
I'm glad that you found the repo useful, and thanks to all the other people who've contributed. I didn't do much research myself, but it gives me hope for more things in the future.
Thank you!
Very nice job and congratz for your first CVE!
I'm really surprised that calling this method doesn't check for stok in the URL, as I thought checking for stok is standard process for openwrt uhttpd.
I tried to reproduce this vuln on my C200v1 running 1.0.10 Build 200520 Rel.45325n(5553) FW, but unfortunately did not succeed.
So just to make sure, the json object should look something like this:
{ "method": "setLanguage", "params": {"payload": ";touch /tmp/pwn.txt;"}}
and the http method should be POST, am I correct?
Edit:
Ah ok I see I missed single quotes and now it works, thanks :)
Hi, I wonder, do you know how the ciphertext is calculated? If not, I'm gonna decompile the Android app and try to figure it out.
Nevermind: it looks like you can just re-use any ciphertext.
Hi there. I have been following the project since Christmas and some weeks ago I decided to go deeper and tried to get a shell on my own. I succeeded, so first, thanks for the information provided by all participants.
Now, I'm trying to figure out how the API in port 443 works. I supposed it was made to communicate with the mobile app, so I looked for a script to play with it and I found this one https://github.com/KusoKaihatsuSha/appgotapo. The next step was to look for the actual script running on the backend inside the camera, so I started reading the uhttpd config files. I quickly realized that the lua handler specified in the config files is not present in the camera:
Here is some useful info about the running processes inside the camera:
I have been reading the uhttpd docs but I can't find where the backend functionality is. Any help would be great.
Thanks.