Hikvision NVR creates "ngtest" backdoor user on managed cameras

CPM

Aug 22, 2024
I have a DS-7616NXI-I2/16P/S NVR with firmware V5.04.066 build 250620 (latest).
I have connected multiple Hikvision cameras through LAN and PoE.
When I go to the web interface of the "NVR->Device Access->Device->Video Device->Operation->Go" to manage the camera itself through the NVR, it creates a user called "ngtest" on the camera. When you close the window the user remains on the camera. It does this on any Hikvision camera (LAN and PoE).

It is possible to remove the user on the camera directly, but when you use the "Operation" option on the NVR the user gets created again. It is not possible to remove the user from the camera when you use the Operation function from the NVR. It's impossible to remove the user within cameras that are connected through the PoE ports of the NVR itself.
When you manually create the "ngtest" user on the camera as a normal user with any permission, and afterwards manage it through the Operation function from the NVR, the user gets overwritten and gets all the permissions that you can see on the screenshot below. After you manage the camera through the NVR you cannot log in with the "ngtest" user, even when you change the password of that user on the camera itself.

Here are some screenshots (some in Dutch) but you can see what's happening. The user also pops up in the online user list from the camera itself.

The front window is the pop-up window when you manage the camera from the NVR (it's the camera that you manage); .255 is the IP of the NVR. The window behind it (Dutch) is the web interface directly from the camera itself, showing the created users and the local admin.

[Screenshot: HikUser3e.JPG]

This is the online users list when accessing the camera directly, it is showing the "ngtest" user as "online".

[Screenshot: HikUser4.JPG]

These are the permissions the user has on the camera itself:

[Screenshot: HikUser2.JPG]

I find this disturbing and cannot find any documentation of this "feature". This shouldn't happen and in my opinion is a security issue. Especially when the camera is accessible from the internet.

Somebody familiar with this?

PS: I already informed Hikvision support, but haven't got a response yet.
 
> When I go to the web interface of the "NVR->Device Access->Device->Video Device->Operation->Go" to manage the camera itself through the NVR, it creates a user called "ngtest" on the camera. When you close the window the user remains on the camera. It does this on any Hikvision camera (LAN and PoE).

Fascinating!
It sounds like a programmer has carelessly left in some test code in the firmware.
I can see some security researchers exploring this to see if it can be exploited.
 
This is virtualhost in action. The only problem is ngtest shouldn't be there. Usually virtual host uses default channel password / admin password to open up settings on camera.

New firmware v5+ can start virtual host on configuration click, it's not located in network -> others anymore. So perhaps it works a bit differently?

Still cool find, will check it out myself
 
> This is virtualhost in action. The only problem is ngtest shouldn't be there. Usually virtual host uses default channel password / admin password to open up settings on

Unless it's totally changed in the new firmware, virtual host usually just provides a NATted access to the camera IP address without using any logon credentials.
It's then up to the user to decide how to log in.
 
Well, out of the box connection right into the NVR PoE port it creates that user. No first admin password setup with security questions or whatsoever. Let that settle in for a moment and think about how that is programmed in the software.

If you do the initial connection through the NVR and afterwards want to plug in the camera to normal LAN you cannot login with the admin account. Factory reset is your only option.

Haven't further tested this but that's what happened to me the first time, but I wasn't aware of it at that moment. I thought they gave me a used camera because there already was a user in it (ngtest) but didn't understand why it was possible to see that user in the camera through the NVR. Connected it through LAN to manage it with the SADP tool but it was impossible because I couldn't log in with the admin account and didn't get the initial setup.
 
It's normal with a new unused Hikvision camera, in 'inactive' mode, to be 'activated' when connecting to an NVR PoE port that's in plug&play mode to be activated by the password that's set for this purpose in the NVR configuration.
But that's usually applied against the admin user.
If you've not already done so, maybe try that password against the ngtest user.
 
> Unless it's totally changed in the new firmware, virtual host usually just provides a NATted access to the camera IP address without using any logon credentials.
> It's then up to the user to decide how to log in.

I've seen firmware versions where the NVR autologins without asking for credentials. I guess there are multiple versions then. But yes, it did ask me for logins on others as well.

I'll fire debug on v5 and see what's up behind
 
FYI "ngtest" appears to be the username referred to as ipc_tmpuser in that firmware.

I have not done any testing or analysis, but it may be that it's intended operation for it to be automatically created and then deleted by the NVR on the IPC (which seems not to have happened in your case).

Definitely good to flag it up, though I would caution against describing it as a "backdoor" unless it's found to be a security vulnerability.

Now if this user didn't show up in the camera user list due to being specifically coded to not appear, wasn't shown in NVR debug logs (it is), and provided admin access you need a manufacturer's RSA private key for etc etc etc I'd be investigating as a top priority!
 
I really want to know what code is behind it. A camera must accept this "connection" and code right out of the box, without an initial (admin account) setup. So in my opinion that's a risk. Also, the process overwrites any existing ngtest account with more permissions than it had and changes the password. What password is used? And if that password is the same for every camera, yes, then it is a risk. It can be a backdoor. But I agree that this is just bad programming.
 
Had a look and ngtest gets created with a random password and not as an admin, but a lower privilege operator.

[Screenshot: 1752320199548.png]

[Screenshot: 1752320398370.png]

Again I suspect it's supposed to be automatically deleted once the test is complete - but it seems driven by ISAPI (i.e. web requests) so if something goes awry it might get left there. Or maybe it is supposed to be left there if the cameras are considered fully managed by the NVR (I'm not sure).

The above is far from a proper analysis, just my initial impression, but I can't see a risk here at this stage.
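
One way to check a camera for leftover or altered accounts such as "ngtest" after using the NVR's Operation function is to snapshot the camera's user list before and after and diff the two. This is an added example, not code from any poster in this thread or from Hikvision; the `/ISAPI/Security/users` response shape, the sample XML and all function names are assumptions to verify against your own firmware.

```python
import xml.etree.ElementTree as ET

# Assumed namespace and element names for the camera's user list as returned by
# GET /ISAPI/Security/users (fetched with the camera admin account).
NS = "http://www.hikvision.com/ver20/XMLSchema"


def sample(users):
    """Build a constructed UserList document from (name, level) pairs."""
    rows = "".join(
        f"<User><id>{i}</id><userName>{n}</userName><userLevel>{lvl}</userLevel></User>"
        for i, (n, lvl) in enumerate(users, 1)
    )
    return f'<UserList xmlns="{NS}">{rows}</UserList>'


def local(tag):
    """Strip an XML namespace prefix so the parser works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return {userName: userLevel} from a UserList document."""
    users = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "User":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("userName"):
            users[fields["userName"]] = fields.get("userLevel", "unknown")
    return users


def diff_users(before_xml, after_xml, allowed):
    """Report accounts added, removed, re-levelled, or outside the allow-list."""
    before, after = parse_users(before_xml), parse_users(after_xml)
    findings = []
    for name, level in sorted(after.items()):
        if name not in before:
            findings.append(("added", name, level))
        elif before[name] != level:
            findings.append(("level-changed", name, f"{before[name]} -> {level}"))
        if name not in allowed:
            findings.append(("unexpected", name, level))
    for name in sorted(set(before) - set(after)):
        findings.append(("removed", name, before[name]))
    return findings


if __name__ == "__main__":
    # Constructed snapshots: only "admin" before, "ngtest" present afterwards.
    before = sample([("admin", "Administrator")])
    after = sample([("admin", "Administrator"), ("ngtest", "Operator")])
    for finding in diff_users(before, after, allowed={"admin"}):
        print(finding)
```

Taking the "after" snapshot again once the NVR management window has been closed shows whether the account was cleaned up or left behind.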