TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi Hard-Coded Credentials

Title: TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi Hard-Coded Credentials
Advisory ID: ZSL-2015-5255
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 14.09.2015
Summary
Designed with simplicity in mind, TP-LINK's Cloud Cameras are a fast and trouble free way to keep track on what's going on in and around your home. Video monitoring, recording and sharing has never been easier with the use of TP-LINK’s Cloud service. The excitement of possibilities never end.
Description
NC220 and NC200 utilizes hard-coded credentials within its Linux distribution image. These sets of credentials (root:root) are never exposed to the end-user and cannot be changed through any normal operation of the camera.
Vendor
TP-LINK Technologies Co., Ltd. - http://www.tp-link.us
Affected Version
NC220 V1 1.0.28 Build 150629 Rel.22346
NC200 V1 2.0.15 Build 150701 Rel.20962
Tested On
Linux
Vendor Status
N/A
PoC
tplink_hcc.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38186/
[2] https://cxsecurity.com/issue/WLB-2015090083
[3] https://packetstormsecurity.com/files/133552
[4] http://www.vfocus.net/art/20150916/12375.html
Changelog
[14.09.2015] - Initial release
[17.09.2015] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk