How to reset device password after gaining unrestricted root access via ssh (using CVE-2021-36260 exploit) ?

[nowork]

I am relatively new to HIKVISION IP Camera.

I have a HIKVISION network PT camera (DS-2CV2Q21FD-IW). I lost its "device" password long time ago.
With the help of CVE-2021-36260 exploit, I can gain an unrestricted root access (/bin/sh by ssh) via local network.
I can access /etc/passwd file and rewrite its content in order to change passwords of root, admin and P users if necessary.
However these changes will be reset to its firmeware configuration after the device reboots everytimes.

Anyone knows how to change a "device" password (via /bin/sh command line), and preserve the change to its firmware setting?

Thank in advance for your help.

 

[bp2008]

I have no idea. I suggest you factory reset the camera after changing its password temporarily.

Or you could probably just use the web interface to change the passwords and that would force it to be persisted?

 

[nowork]

Thank for your advice. I forgot to mention that I cannot access the web GUI to login via browser. I can only access to the ssh console. The manually generated content of /etc/passwd after booting seems not to be synced with the web server. (I am not sure if this is the exact reason to why I cannot login via web interface)

Do you or anyone else have any suggestions to fix this?

Thanks

 

[bp2008]

Unfortunately I don't know enough about how Hikvision cameras work internally to be of more help. Maybe @alastairstevenson knows more.

 

[alastairstevenson]

I have a HIKVISION network PT camera (DS-2CV2Q21FD-IW). I lost its "device" password long time ago.

I'm not familiar with that model of camera, but the product specs suggest that it has a reset button, though it does not say where.
If you can find the reset button, press it, power on the camera and keep the button pressed for 30-40 seconds.
After that the camera should be in an 'Inactive' state.
An easy way to Activate the camera is to supply a new, strong, password using SADP.

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.

ipcamtalk.com

 

[CQR-View]

It appears the Reset Button is located on the underside of the Lens Housing (if you would call it that)
Basically ................. Use the Tilt Feature and make the camera look up, then check the under carriage ....................... see pic

 

[CQR-View]

I'm not familiar with that model of camera, but the product specs suggest that it has a reset button, though it does not say where.
If you can find the reset button, press it, power on the camera and keep the button pressed for 30-40 seconds.
After that the camera should be in an 'Inactive' state.
An easy way to Activate the camera is to supply a new, strong, password using SADP.

SADP Tool

Locate Hikvision brand cameras within the same network, including their IP address and port.

ipcamtalk.com

FYI - Correction to Reset Procedure
"RESET: Hold down the button for 4 seconds when the camera is running. "

 

[CQR-View]

I am relatively new to HIKVISION IP Camera.

I have a HIKVISION network PT camera (DS-2CV2Q21FD-IW). I lost its "device" password long time ago.
With the help of CVE-2021-36260 exploit, I can gain an unrestricted root access (/bin/sh by ssh) via local network.
I can access /etc/passwd file and rewrite its content in order to change passwords of root, admin and P users if necessary.
However these changes will be reset to its firmeware configuration after the device reboots everytimes.

Anyone knows how to change a "device" password (via /bin/sh command line), and preserve the change to its firmware setting?

Thank in advance for your help.

It is highly probable that you may be experiencing difficulties in extracting the relevant data you are seeking due to the fact your Camera Model does not appear in the list of Vulnerable Camera Models in which the CVE-2021-36260 exploit exists ........................ just saying.

The following link is to the most up-to-date info I could find, which references "Version 1.2, updated list of models Dated 28/9/2021". Your Camera is not listed.
Security Notification- Command Injection Vulnerability in Some Hikvision products | Hikvision US | The world’s largest video surveillance manufacturer

Moving on, locating the documentation for this camera, the "Quick Start Guide" the Hik-Connect App is used to Set up & Configuration this Camera. Other Documentation appears to cover the IP Camera range as a Holistic approach & not for your specific Camera Model. links to all these below.

I hope this helps

Link to Quick Start Guide

https://www.hikvision.com/content/dam/hikvision/products/S000000001/S000000002/S000000003/S000000801/OFR000386/M000002452/Quick_Start_Guide/UD05573B_Baseline-Quick-Start-Guide-of-PT-Dome-Camera_Q1_V5.4.15_20170420.pdf

Link to User Manual

https://www.hikvision.com/content/dam/hikvision/products/S000000001/S000000002/S000000003/S000000801/OFR000386/M000002452/User_Manual/UD22738B-B_Network-Camera_User-Manual_V5.5.111_20210820.PDF

Link to FAQ

https://www.hikvision.com/content/dam/hikvision/products/S000000001/S000000002/S000000003/S000000801/OFR000386/M000002452/FAQ/UD25299B_Hikvision-Camera_Frequently-Asked-Questions_V1.0_20210827.PDF

 

[Mike_Larry]

Hi guys, I’ve recently purchased some Hilook/Hikvision products. Was having issues with my previous Wifi camera setup in our estate with people jamming the cameras. Having issues with my new hikvision products which has led me to believe my devices are being hacked.

Are there any tools out there which i can use to test my devices for the vulnerability. Even better still, if i was to provide the ip addresses is there anyone who can test the devices for me as im very new to this whole networking stuff. Am willing to pay for the service.

If no one is available to do this maybe they know someone who can. Would be grateful if they could pass on the contact details.

Appreciate the help. Thanks

 

[trempa92]

You may use paramReset once you gained access, Device state will run into inactive state with all your network and general configuration intact. Simply activate with new password.