Exploiting n-day in Home Security Camera
0xbigshaq.github.io
Note: This blogpost was written in November 2023, but I was waiting for the TP Link Security Team to release a fix so now it’s published(Jan 2024). Hello world! and happy new year. It’s been a long time since I last posted here. I decided to take a new challenge, to do something I wanted to do since I was 15 years old(!) enthusiastic kid watching this Black Hat talk: hacking a Security Camera. 10 years later, I think it’s my turn now hehe In this blogpost, I’ll share my journey of targeting the TP-Link Tapo C100 Home Security Camera. From extracting the firmware to spotting an n-day and writing a full RCE exploit. Extracting the firmware To get an initial foothold on the device, I soldered some cables to the UART pins of the device in hopes that I will get a bash shell. My plan was to try a known technique used in other models of this camera: inserting an SD Card to the camera → copy /dev/mtdblock* files to the card → plug it to my laptop → run binwalk on it. However, for some reason the camera did not manage to detect the SD Card ;_; so what I did was: Dumping the whole contents of the /dev/mtdblock* files with xxd(or, hexdump) Save all the UART output to a txt file Decode it back from hexdump to raw bytes Yes, I dumped the whole firmware via UART, and it was so slow :‘) But desperate times call for desperate measures. Intro to the “dsd” binary The dsd binary, located at /usr/bin/dsd is one of the main components of the REST API the camera is exposing to the client. Basically, the uhttpd binary is using a local unix socket to send the user input to the dsd binary, perform the necessary action(change the camera settings, etc.) and return a response. Spotting the bug The bug exists in the check_user_info request handler. The request: {

Buffer Overflow in TP-Link Tapo C100 Home Security Camera:: Note: This blogpost was written in November 2023, but I was waiting for the TP Link Security Team to release a fix so now it’s published(Jan 2024).

Hello world! and happy new year. It’s been a long time since I last posted here. I decided to take a new challenge, to do something I wanted to do since I was 15 years old(!) enthusiastic kid watching this Black Hat talk: hacking a Security Camera. 10 years later, I think it’s my turn now hehe

In this blogpost, I’ll share my journey of targeting the TP-Link Tapo C100 Home Security Camera. From extracting the firmware to spotting an n-day and writing a full RCE exploit.

Extracting the firmware

To get an initial foothold on the device, I soldered some cables to the UART pins of the device in hopes that I will get a bash shell.

My plan was to try a known technique used in other models of this camera: inserting an SD Card to the camera → copy /dev/mtdblock* files to the card → plug it to my laptop → run binwalk on it.

However, for some reason the camera did not manage to detect the SD Card ;_; so what I did was:

Dumping the whole contents of the /dev/mtdblock* files with xxd(or, hexdump) Save all the UART output to a txt file Decode it back from hexdump to raw bytes

Yes, I dumped the whole firmware via UART, and it was so slow :‘) But desperate times call for desperate measures.

Intro to the “dsd” binary

The dsd binary, located at /usr/bin/dsd is one of the main components of the REST API the camera is exposing to the client. Basically, the uhttpd binary is using a local unix socket to send the user input to the dsd binary, perform the necessary action(change the camera settings, etc.) and return a response.

Spotting the bug

The bug exists in the check_user_info request handler.

The request: {