CVE-2013-2578
Published: 2013-10-11
CVE-2013-2578: cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6…
Priority: P1 · 81 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 73.71% (99.4th percentile)
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified parameters.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | lm_firmware | <= 1.6.18p12_sign5 | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q
- Alert on HTTP requests to /cgi-bin/admin/servetest with the pattern 'ServerName=<ip>;/usr/sbin/telnetd;' as this is the documented PoC payload to enable the telnet daemon.
- Monitor for unauthenticated POST requests to /cgi-bin/uploadfile, which allows arbitrary file uploads without authentication.
- Monitor for unauthenticated requests to /cgi-bin/firmwareupgrade, which allows remote firmware replacement without authentication.
- After exploitation, watch for inbound Telnet connections to the device and login attempts using username 'qmik' with no password, which grants access to a root-escalatable shell.
- The 'qmik' user can escalate to root via 'su'; monitor for 'su' execution following a 'qmik' telnet login on affected devices.
- The exploit PoC uses a hardcoded Authorization header 'Basic YWRtaW46YWRtaW4=' (admin:admin); alert on requests to /cgi-bin/admin/servetest using this credential.
- The vulnerability requires authentication to /cgi-bin/admin/servetest; however, authentication can be bypassed by first resetting the device to factory defaults (via /cgi-bin/hardfactorydefault) and using default credentials admin:admin, making it effectively unauthenticated in practice.
- Affected firmware is LM.1.6.18P12_sign5 and earlier; the vendor released a pre-release patched firmware LM.1.6.18P12_sign6. Other TP-Link camera models beyond TL-SC3171 are likely affected but were not confirmed tested.
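The HTTP-side checks listed above, combined into one triage function. This is an added example, not code from the advisory or from any vendor; it assumes a reverse proxy or sensor in front of the camera that records method, URL and Authorization header, and the record layout, tag names and sample records are constructed for illustration. It generalizes the ServerName check to every servetest parameter, since the CVE text names "other unspecified parameters".

```python
import re
from urllib.parse import urlsplit, unquote_plus

SERVETEST = "/cgi-bin/admin/servetest"
# Endpoints the notes above describe as reachable without authentication.
NO_AUTH_PATHS = {"/cgi-bin/uploadfile", "/cgi-bin/firmwareupgrade",
                 "/cgi-bin/hardfactorydefault"}
DEFAULT_BASIC = "Basic YWRtaW46YWRtaW4="  # admin:admin, as quoted on the page
# Allowlist for mail-test values (hosts, ports, addresses). Anything outside it,
# including ; | & ` $ / and whitespace, is reported instead of blocklisted.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@:+-]*")

def findings(method, url, authorization=None):
    """Return a sorted list of finding tags for one logged request."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    tags = set()
    if path == SERVETEST:
        if authorization == DEFAULT_BASIC:
            tags.add("servetest-default-credentials")
        # Split on '&' only, then decode, so %3B and a literal ';' look the same.
        for pair in filter(None, parts.query.split("&")):
            name, _, raw = pair.partition("=")
            if not SAFE_VALUE.fullmatch(unquote_plus(raw)):
                tags.add("servetest-metachar:" + unquote_plus(name))
    elif path in NO_AUTH_PATHS and not authorization:
        tags.add("unauthenticated:" + path)
    return sorted(tags)

# Constructed sample records: (method, url, Authorization header or None).
SAMPLE = [
    ("GET", "/cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;"
            "&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q", DEFAULT_BASIC),
    ("GET", "/cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example.com"
            "&ServerPort=25%3Bx&ServerSSL=off", "Basic dXNlcjpwdw=="),
    ("GET", "/cgi-bin/admin/servetest?cmd=smtp&ServerName=mail.example.com"
            "&ServerPort=587&ServerSSL=on&RcptToAddr1=ops@example.com", "Basic dXNlcjpwdw=="),
    ("POST", "/cgi-bin/uploadfile", None),
]

def scan(records):
    """Return only the records that produced at least one finding."""
    hits = ((url, findings(method, url, auth)) for method, url, auth in records)
    return [(url, tags) for url, tags in hits if tags]

if __name__ == "__main__":
    for url, tags in scan(SAMPLE):
        print(tags, url)
```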
CVSS provenance
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 · CRITICAL
GHSA
GHSA-2h68-7p8g-777r: cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM
ghsa_unreviewed · 2022-05-17
CVE-2013-2578 [HIGH] CWE-78
VulnCheck
TP-Link tl-sc3130 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2013 · CVSS 10.0
CVE-2013-2578 [CRITICAL]
Affected: TP-Link tl-sc3130
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2013-2578
No detection rules found.
Exploit-DB
TP-Link TL-SC3171 IP Cameras - Multiple Vulnerabilities
exploitdb · 2013-08-02 · CVSS 10.0
CVE-2013-2581 [CRITICAL]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras
1. *Advisory Information*
Title: Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras
Advisory ID: CORE-2013-0618
Advisory URL: http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras
Date published: 2013-07-30
Date of last update: 2013-07-30
Vendors contacted: TP-Link
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Use of hard-coded credentials [CWE-798], Authentication Bypass Issues [CWE-592], Missing Authentication for Critical Function [CWE-306]
Impact: Code execution, Security bypass
Remotely Exploit
Metasploit
TP-Link SC2020n Authenticated Telnet Injection
metasploit
The TP-Link SC2020n Network Video Camera is vulnerable to OS Command Injection via the web interface. By firing up the telnet daemon, it is possible to gain root on the device. The vulnerability exists at /cgi-bin/admin/servetest, which is accessible with credentials.
No writeups or analysis indexed.