another good reason not to buy one

Back in November 2011 I wrote about the TP-Link TL-SC3130G IP camera. I had some trouble getting that device to work properly over wifi so I returned it and got my money back.

Today, Core Security released an advisory covering this device (and several others from TP-Link) that describes a remotely exploitable vulnerability arising from “hard-coded credentials” (i.e. a manufacturer-installed back-door). The advisory says, inter alia:

7.1. *Hard-Coded Credentials in Administrative Web Interface*

[CVE-2013-2572] TP-Link IP cameras use the Boa web server [1], a popular tiny server for embedded Linux devices.

‘boa.conf’ is the Boa configuration file, and the following account can be found inside:

/-----

# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam

-----/

This account is not visible from the user web interface; users are not aware of the existence and cannot eliminate it. Through this account it is possible to access two CGI files located in ‘/cgi-bin/mft/’:

1. ‘manufacture.cgi’

2. ‘wireless_mft.cgi’

The last file contains the OS command injection shown in the following section.

7.2. *OS Command Injection in wireless_mft.cgi*

[CVE-2013-2573] The file ‘/cgi-bin/mft/wireless_mft.cgi’ has an OS command injection in the parameter ‘ap’ that can be exploited using the hard-coded credentials shown in the previous section:

/-----

username: manufacture

password: erutcafunam

-----/

Nothing suspicious about that at all.
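
An added example, not part of the original post or of the advisory: a check to run over an unpacked firmware image that reports any active `MFT` account in `boa.conf` and any `cgi-bin/mft/` directory. The function names and the sample tree layout (`etc/boa/`, `www/`) are assumptions; only the `MFT` directive, `cgi-bin/mft/` and the two CGI file names come from the advisory.

```python
import os
import tempfile

# Directive name taken from the advisory's boa.conf excerpt ("MFT <user> <password>").
DIRECTIVE = "MFT"
# CGI directory the advisory says the account gives access to.
MFT_CGI_DIR = os.path.join("cgi-bin", "mft")


def parse_mft_accounts(conf_text):
    """Return (line_no, username) for every active MFT directive in boa.conf text."""
    hits = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) >= 3 and fields[0] == DIRECTIVE:
            hits.append((line_no, fields[1]))  # password deliberately not returned
    return hits


def audit_firmware_root(root):
    """Walk an unpacked firmware tree; report MFT accounts and mft CGI directories."""
    findings = {"accounts": [], "cgi_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "boa.conf" in filenames:
            path = os.path.join(dirpath, "boa.conf")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, user in parse_mft_accounts(fh.read()):
                    findings["accounts"].append((os.path.relpath(path, root), line_no, user))
        if os.path.normpath(dirpath).endswith(MFT_CGI_DIR):
            findings["cgi_dirs"].append((os.path.relpath(dirpath, root), sorted(filenames)))
    return findings


def build_sample_tree(root):
    """Constructed sample layout; every path except cgi-bin/mft/ is an assumption."""
    os.makedirs(os.path.join(root, "etc", "boa"))
    os.makedirs(os.path.join(root, "www", "cgi-bin", "mft"))
    with open(os.path.join(root, "etc", "boa", "boa.conf"), "w") as fh:
        fh.write("Port 80\n"
                 "# MFT: Specify manufacture commands user name and password\n"
                 "MFT manufacture erutcafunam\n")
    for name in ("manufacture.cgi", "wireless_mft.cgi"):
        open(os.path.join(root, "www", "cgi-bin", "mft", name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_firmware_root(tmp))
```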

Permanent link to this article: https://baldric.net/2013/05/29/another-good-reason-not-to-buy-one/