Back in November 2011 I wrote about the TP-Link TL-SC3130G IP camera. I had some trouble getting that device to work properly over wifi so I returned it and got my money back.
Today, Core Security released an advisory about this device (and several others from TP-Link) about a remotely exploitable vulnerability arising from “hard-coded credentials” (i.e. a manufacturer installed back-door). The advisory says, inter alia:
7.1. *Hard-Coded Credentials in Administrative Web Interface*
[CVE-2013-2572] TP-Link IP cameras use the Boa web server [1], a popular tiny server for embedded Linux devices.
‘boa.conf’ is the Boa configuration file, and the following account can be found inside:
/—–
# MFT: Specify manufacture commands user name and password MFT manufacture erutcafunam
—–/
This account is not visible from the user web interface; users are not aware of the existence and cannot eliminate it. Through
this account it is possible to access two CGI files located in ‘/cgi-bin/mft/’:
1. ‘manufacture.cgi’
2. ‘wireless_mft.cgi’
The last file contains the OS command injection showed in the following section.
7.2. *OS Command Injection in wireless_mft.cgi*
[CVE-2013-2573] The file ‘/cgi-bin/mft/wireless_mft.cgi’, has an OS command injection in the parameter ‘ap’ that can be
exploited using the hard-coded credentials showed in the previous section:
/—–
username: manufacture
password: erutcafunam
—–/
Nothing suspicious about that at all.