Buffer Overflow in TP-Link Tapo C100 Home Security Camera
Note: This blog post was written in November 2023, but I was waiting for the TP-Link Security Team to release a fix, so it is being published now (Jan 2024).
Hello world, and happy new year! It's been a long time since I last posted here. I decided to take on a new challenge, to do something I have wanted to do since I was a 15-year-old(!) enthusiastic kid watching this Black Hat talk: hacking a security camera. 10 years later, I think it's my turn now hehe
In this blog post, I'll share my journey of targeting the TP-Link Tapo C100 Home Security Camera: from extracting the firmware to spotting an n-day and writing a full RCE exploit.
Extracting the firmware
To get an initial foothold on the device, I soldered some cables to the UART pins of the device, hoping to get a bash shell.
My plan was to try a known technique used on other models of this camera: insert an SD card into the camera → copy the /dev/mtdblock* files to the card → plug it into my laptop → run binwalk on it.
However, for some reason the camera did not detect the SD card ;_; so what I did instead was:
1. Dump the whole contents of the /dev/mtdblock* files with xxd (or hexdump) over the serial console
2. Save all the UART output to a txt file
3. Decode it back from a hex dump to raw bytes
Yes, I dumped the whole firmware via UART, and it was so slow :') But desperate times call for desperate measures.
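The painful part of a serial dump is step 3: the capture contains shell prompts, the echoed command and the occasional line mangled by a UART glitch, and a single lost line leaves a silent hole in the image that binwalk will happily misparse. The following is an added example (my own code, not from the original post or from TP-Link) that parses a captured xxd dump, reports every offset range that is missing so it can be re-dumped, and reassembles the rest into a raw image. It assumes xxd's default 16-bytes-per-line output format; the serial log excerpt is constructed and its data bytes are made up.

```python
"""Rebuild a raw flash image from a UART capture of `xxd /dev/mtdblock*` output."""
import re
import sys
from typing import Dict, List, Optional, Tuple

# One xxd output line: 8-hex-digit offset, colon, hex groups, then the ASCII column.
# Only the offset and the hex groups are consumed; the ASCII column is ignored.
XXD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{2,4})+)")

# Constructed sample of a serial log: the echoed command, shell prompts and a
# glitched line (offset 0x30, only one byte survived) are mixed in with the dump.
SAMPLE_UART_LOG = """\
# xxd /dev/mtdblock0
00000000: 2705 1956 1f7a 0001 0000 0000 0000 0000  '..V.z..........
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
garbage line from a serial glitch
00000020: 1234 5678 9abc def0 0011 2233 4455 6677  .4Vx......"3DUfw
00000030: 00
00000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
#
"""


def parse_xxd_capture(text: str) -> Tuple[Dict[int, bytes], List[str]]:
    """Map offset -> bytes for every line that parses as xxd output.
    Anything else (prompts, echoed commands, corrupted lines) is returned
    separately so it can be eyeballed rather than silently dropped."""
    chunks: Dict[int, bytes] = {}
    skipped: List[str] = []
    for line in text.splitlines():
        m = XXD_LINE.match(line.strip())
        if m is None:
            skipped.append(line)
            continue
        try:
            data = bytes.fromhex("".join(m.group(2).split()))
        except ValueError:  # odd number of hex digits: a corrupted line
            skipped.append(line)
            continue
        # A chunk dumped twice (e.g. after re-dumping a range) overwrites the first copy.
        chunks[int(m.group(1), 16)] = data
    return chunks, skipped


def find_gaps(chunks: Dict[int, bytes],
              expected_size: Optional[int] = None) -> List[Tuple[int, int]]:
    """Return [start, end) ranges no chunk covers. A non-empty result means the
    capture lost data and those offsets must be dumped again on the device."""
    gaps: List[Tuple[int, int]] = []
    end = 0
    for off in sorted(chunks):
        if off > end:
            gaps.append((end, off))
        end = max(end, off + len(chunks[off]))
    if expected_size is not None and end < expected_size:
        gaps.append((end, expected_size))
    return gaps


def reassemble(chunks: Dict[int, bytes], fill: bytes = b"\xff") -> bytes:
    """Concatenate chunks in offset order, padding gaps with `fill` (0xff, the
    erased-flash value) so that every byte keeps its original offset."""
    image = bytearray()
    for off in sorted(chunks):
        if off > len(image):
            image.extend(fill * (off - len(image)))
        image[off:off + len(chunks[off])] = chunks[off]
    return bytes(image)


if __name__ == "__main__":
    # Usage: python3 rebuild.py uart_capture.txt mtdblock0.bin
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UART_LOG
    chunks, skipped = parse_xxd_capture(text)
    for start, end in find_gaps(chunks):
        print(f"missing bytes at 0x{start:08x}-0x{end:08x}: re-dump that range")
    image = reassemble(chunks)
    out = sys.argv[2] if len(sys.argv) > 2 else "mtdblock.bin"
    with open(out, "wb") as f:
        f.write(image)
    print(f"{len(chunks)} dump lines -> {len(image)} bytes in {out}; "
          f"{len(skipped)} non-dump lines skipped")
```

Two caveats when doing this for real: if you dump with hexdump instead of xxd, pass `-v`, otherwise runs of identical lines are squeezed into a `*` line and show up here as gaps; and before trusting the image, compare a checksum computed on the device (if its BusyBox has `md5sum`) against the reassembled file, since a glitch that flips a hex digit without breaking the line format will pass the gap check.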
Intro to the “dsd” binary
The dsd binary, located at /usr/bin/dsd, is one of the main components of the REST API the camera exposes to the client. Basically, the uhttpd binary uses a local Unix socket to forward the user input to the dsd binary, which performs the requested action (changing the camera settings, etc.) and returns a response.
Spotting the bug
The bug exists in the check_user_info request handler.
The request: {