Potential vulnerability in NVR

[funtoosko]

Hi,

New to this forum,

I own a Dahua DHI-NVR5216-16P-4KS2E [V4.001.0000006.0, Build Date: 2021-02-08 ]and recently noted a long beep from the system, never heard such beep before, looked at the system log and noticed 5 failed login attempts and again after few minutes heard same long beep and this time was looking at the monitor console (connected to console port of NVR) and noted someone was attempting to login and could see characters being entered on the login dialog box's password text field. (refer image)


Seems some one was connected to the system and were attempting to break-in but failed due to the strong password set on the device. This sounds to me a potential vulnerability with the system and adversary was able to exploit it and gained access to the system and was attempting to login ?

The log doesn't show where the attempts where made from which IP, it just says "
IP Address Local

It is crazy how could someone connect through to the NVR console remotely? NVR is connect to the router which has private WAN IP issue by ISP and is not directly exposed to internet as the IP is non routable/reachable from internet.

As anyone every encountered such situation ?

 

[looktall]

you don't have a keyboard plugged into the NVR do you?

 

[iTuneDVR]

I own a Dahua DHI-NVR5216-16P-4KS2E [V4.001.0000006.0, Build Date: 2021-02-08 ]

P2P is enable?
Security access is in compatable mode ?

If Yes both, someone try use p2p & your serial number to access.
Enter password in GUI it's very interestion...
If not, someone inside your LAN and try get access to your NVR.

Update firmware, but remember in new version disable get custom RTSP.
Disable P2P & always use onw VPN.
Change sec.access to security mode if it possible.

If you use SmartPSS be sure than no one have access to this soft, becouse they can get files & dectypt any strong password

 

[alastairstevenson]

Seems some one was connected to the system and were attempting to break-in but failed due to the strong password set on the device. This sounds to me a potential vulnerability with the system and adversary was able to exploit it and gained access to the system and was attempting to login ?

That does suggest that the device is accessible from the internet.
Less likely is that another device on your network has been compromised and is being remotely controlled.

It is crazy how could someone connect through to the NVR console remotely?

One possibility is if UPnP is enabled on both your router and the NVR.
This would enable access inbound automatically.
Check your router configuration - UPnP being enabled by default is common.

Suggestion :
Check for inbound access using a service such as ShieldsUp!
Use the 'All Service ports' scan option.
That will at least cover port 80, though not the high ports such as 8000 and 8080

GRC | ShieldsUP! — Internet Vulnerability Profiling

GRC Internet Security Detection System

www.grc.com

 

[funtoosko]

you don't have a keyboard plugged into the NVR do you?

No, its just the mouse, I know what you are thinking...stuffed keys !!, that's not the case. as the log show two instance of failed login attempt ( 5 attempts each instance)

 

[funtoosko]

P2P is enable?
Security access is in compatable mode ?

[Quote ]PPA - is in Security Mode
P2P is enable - using this to monitor alarms and camera streams

If Yes both, someone try use p2p & your serial number to access. -

how did one get access to my device serial, other then my it was be my installer who has the details and confirmed they did not attempt login.

Enter password in GUI it's very interestion...

If not, someone inside your LAN and try get access to your NVR. -

Not possible as access to LAN/Wireless are tied down to MAC address, though technically it is possible MAC spoofing but for that someone needs to get into my network first to spoof the address.

It is interesting and scary as my console login is pattern based and I don't use username/password to login to console, but that intruder (avoiding alarm situation by not using "hacker') invoked that specific login API remotely and to make it worse there have been attempts to login to the system with an another personalized account created on the NVR, how did someone sniff this account name ?

Update firmware, but remember in new version disable get custom RTSP.
Disable P2P & always use onw VPN. -

Need to explore this alternative of using VPN and still having the capability of using mobile app to monitor & camera live feed, any pointers would be of help.

Change sec.access to security mode if it possible.

If you use SmartPSS be sure than no one have access to this soft, becouse they can get files & dectypt any strong password -thanks for this tip. my password is strong that the reason their attempts are failing.

Any posible way for them to get this access is through the P2P connectivity, an unknow threat which has not been exploited yet and was used this break-in to the system, came acro
[/QUOTE]

 

[funtoosko]

That does suggest that the device is accessible from the internet.
Less likely is that another device on your network has been compromised and is being remotely controlled.


One possibility is if UPnP is enabled on both your router and the NVR.
This would enable access inbound automatically.
Check your router configuration - UPnP being enabled by default is common.

uPNP was enabled on NVR - this could be one of the reason a random scan could be reviled open port but again my device is not directly connect to interne, NVR is behind two Private segment and not exposed to internet directly by any means

Suggestion :
Check for inbound access using a service such as ShieldsUp!
Use the 'All Service ports' scan option.
That will at least cover port 80, though not the high ports such as 8000 and 8080

GRC | ShieldsUP! — Internet Vulnerability Profiling

GRC Internet Security Detection System

www.grc.com

Did use this website to scan open ports but all standard port comes as - Your system has achieved a perfect "TruStealth" rating.

 

[iTuneDVR]

Just update firmware with date before july 2021 if no problem with it.

 

[funtoosko]

Someone faced similar situation where the intruder was able to get into the NVR system possible because of weak password

Is my NVR hacked by someone?

Hi all, Last night my Dahua DHI-NVR4208-8P-4KS2 just beeped in the middle of the night (never did that before). After looking at the log at the time of beeping it says the following: (Events occur from bottom to top): 3 Time: 2020-03-11 02:20:25 Type: Save Contents: Save config...

ipcamtalk.com

But in my case I dont see the IP from where these attempts were being made and logs only says Local Login.

 

[funtoosko]

To make the matter worse I have reported this to Dauha local support center and their cyber crime team, but haven't heard any response yet,

how could we trust and use a security system which itself can be compromised and vendor is least bothered to respond or take any initiative to investigate

 

[wittaj]

Do you access the NVR remotely when away from home?

 

[funtoosko]

Do you access the NVR remotely when away from home?

Yes - through DMSS mobile app

 

[wittaj]

OK, so unless you are VPNing back into your system, you either scanned a QR code or typed in the serial number or forwarded a port, thus putting your device on the internet and making it vulnerable to one of the many backdoor exploits that seem to always pop up OR thru someone/bot trying to guess the password...

Edit - you respond within the grey areas of replies, but you mentioned you have P2P on - that is how this is happening...

 

[jarrow]

Where did you find these logs?
If you look under 'Alarm' and then select one of the lowest options 'Exception' you'll see the logs of Illegal login attempt. There I've always seen an IP-address, mostly Bralizian, Russian or French and always have multiple reports of abuse if you search only.

 

[wittaj]

To make the matter worse I have reported this to Dauha local support center and their cyber crime team, but haven't heard any response yet,

how could we trust and use a security system which itself can be compromised and vendor is least bothered to respond or take any initiative to investigate

You will find that they do not care about you the end user and will tell you to talk to the installer.

It is why we do not allow these things to have access to the internet...

Ironically, NO security system is secure from internet hacking...EVERY manufacturer has been hacked...it is why we do not allow these to have access to the internet.

VPN Primer for Noobs

The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers dont want your video...

ipcamtalk.com

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com

 

[funtoosko]

This exploit was PoC'd by @bashis and document under '-=[Loopback Vulnerability]=-CVE-2021-33045 ' The behaviors is same as I don't see the origin (IP) of the attempt as its invoking "Local Login" method.

Time to upgrade my firmware !!

 

[wittaj]

This exploit was PoC'd by @bashis and document under '-=[Loopback Vulnerability]=-CVE-2021-33045 ' The behaviors is same as I don't see the origin (IP) of the attempt as its invoking "Local Login" method.

Time to upgrade my firmware !!

Even with an upgrade of the firmware, you do a search around here and on the internet - these companies are SLOW to fix vulnerabilities. As long as you allow P2P, someone will find a backdoor...

 

[funtoosko]

Where did you find these logs?
If you look under 'Alarm' and then select one of the lowest options 'Exception' you'll see the logs of Illegal login attempt. There I've always seen an IP-address, mostly Bralizian, Russian or French and always have multiple reports of abuse if you search only.

Logs are under Maintain->Log and type Account which displays all login attempt to the system

 

[wittaj]

They have probably got in via the backdoor and that is why they logins look to be local.

We had someone here about 6 months ago with a similar issue with a Hikvision NVR and they thought they were being attempted to be hacked by someone within their house that they didn't give access to. It ended up being a backdoor vulernability.

 

[funtoosko]

You will find that they do not care about you the end user and will tell you to talk to the installer.

Unfortunately the local installer don't have a clue on such aspects of exploits/Vulnerability and sadly same goes for local authorized partner/reseller they are just box sellers !!

It is why we do not allow these things to have access to the internet...

Ironically, NO security system is secure from internet hacking...EVERY manufacturer has been hacked...it is why we do not allow these to have access to the internet.

VPN Primer for Noobs

The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers dont want your video...

ipcamtalk.com

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com