Dahua DVR Authentication Bypass - CVE-2013-6117
--Summary--
Dahua web-enabled DVRs and rebranded versions do not enforce authentication on their administrative services.
# Zhejiang Dahua Technology Co., Ltd.
# http://www.dahuasecurity.com
--Affects--
# Dahua web-enabled DVRs
# Dahua-rebranded web-enabled DVRs
# Verified on v2.608.0000.0 and 2.608.GV00.0
--Details--
Dahua web-enabled DVRs are accessed through fat-client utilities such as PSS, mobile clients such as iDMSS, and an ActiveX control, "webrec.cab", for browser-based access. These clients communicate with an administrative service that listens on TCP port 37777 by default (the port is configurable). At least in the case of the ActiveX control, a simple binary protocol is used. The server performs no authorization check on the commands it supports: authentication only serves to let the client transition past the login screen, and the server never verifies that a session has authenticated before executing a command. Consequently, various commands can be replayed to any DVR without authenticating. These include:
# Get the firmware version
# Get the serial number
# Get the email settings (includes username, SMTP server, and cleartext credentials)
# Get the DDNS settings (includes the DDNS service, server, and cleartext credentials)
# Get the NAS settings (again, cleartext credentials)
# Get the users (username, group membership, and hashed passwords)
# Get the user groups (group name, description, etc)
# Get the channels (camera channel names, e.g. "bedroom" "cocina")
# Clear the logs (handy)
# Change a user's password (unauthorized access)
More Details: http://blog.depthsecurity.com/2013/11/dahua-dvr-authentication-bypass-cve.html
--Metasploit Module--
We wrote a Metasploit scanner module as a proof of concept. It is multithreaded and can look for a specified port, scan networks, find DVRs, retrieve all of the information listed above, change a user's password, and clear the logs when it is through.
# Git repo: https://github.com/depthsecurity/dahua_dvr_auth_bypass.git
--Other Concerns--
# Some nearly simultaneous research independent of mine: http://www.kb.cert.org/vuls/id/800094
# CVE-2013-3612: DVRs listen for telnet by default and the root password is static and publicly known on all devices. (http://www.cctvforum.com/viewtopic.php?f=3&t=32408)
# Other backdoor accounts exist, including one with a revolving password that is a simple date hash.
# CVE-2013-3613: UPnP requests from untrusted addresses are supported and could be used to expose telnet on a DVR to the public internet.
# CVE-2013-3614: Passwords are limited to 6 chars.
# CVE-2013-3615: A weak 48-bit hash is used to protect DVR account passwords.
# We admittedly did not perform any serious fuzzing of the vulnerable service, so there is significant potential for more serious vulnerabilities, including ones that allow RCE.
# The DVRs also listen on many ports, including telnet, beyond those necessary for web access (TCP/80, 37777, and 37778 by default).
# SMTP, NAS, and DDNS credentials are all stored and transferred in cleartext.
--Mitigation--
The best advice for now is to make sure these devices are not reachable from the public internet, and that the administrative service port (TCP/37777 by default), telnet, and UPnP are restricted to a trusted management network. Note that moving the administrative service off port 37777 is not a mitigation: the commands require no authentication on whatever port the service listens on. Dahua initially stated they would work on fixing the issues but went radio silent afterwards.
--Timeline--
# 8/26/2013: Identified authorization flaw
# 8/27/2013: Wrote proof of concept tool/scanner
# 8/28/2013: Disclosed issue to Dahua
# 8/30/2013: Received initial response from Dahua including request for more info
# 8/30/2013: Responded to Dahua with requested info
# 9/2/2013: Received confirmation that Dahua R&D is working to fix the issue
# 10/2/2013: Requested status update from Dahua
# 10/10/2013: Re-requested status update from Dahua after no response from 10/2/2013
# 11/13/2013: Publicly disclosed vulnerability
Jake Reynolds - Partner / Principal Consultant