Potential vulnerability in NVR

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
Hi,

New to this forum,

I own a Dahua DHI-NVR5216-16P-4KS2E [V4.001.0000006.0, Build Date: 2021-02-08 ]and recently noted a long beep from the system, never heard such beep before, looked at the system log and noticed 5 failed login attempts and again after few minutes heard same long beep and this time was looking at the monitor console (connected to console port of NVR) and noted someone was attempting to login and could see characters being entered on the login dialog box's password text field. (refer image)


Seems some one was connected to the system and were attempting to break-in but failed due to the strong password set on the device. This sounds to me a potential vulnerability with the system and adversary was able to exploit it and gained access to the system and was attempting to login ?

The log doesn't show where the attempts where made from which IP, it just says "
IP Address Local

It is crazy how could someone connect through to the NVR console remotely? NVR is connect to the router which has private WAN IP issue by ISP and is not directly exposed to internet as the IP is non routable/reachable from internet.

As anyone every encountered such situation ?
 

Attachments

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
I own a Dahua DHI-NVR5216-16P-4KS2E [V4.001.0000006.0, Build Date: 2021-02-08 ]
P2P is enable?
Security access is in compatable mode ?

If Yes both, someone try use p2p & your serial number to access.
Enter password in GUI it's very interestion...
If not, someone inside your LAN and try get access to your NVR.

Update firmware, but remember in new version disable get custom RTSP.
Disable P2P & always use onw VPN.
Change sec.access to security mode if it possible.

If you use SmartPSS be sure than no one have access to this soft, becouse they can get files & dectypt any strong password ;)
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Seems some one was connected to the system and were attempting to break-in but failed due to the strong password set on the device. This sounds to me a potential vulnerability with the system and adversary was able to exploit it and gained access to the system and was attempting to login ?
That does suggest that the device is accessible from the internet.
Less likely is that another device on your network has been compromised and is being remotely controlled.

It is crazy how could someone connect through to the NVR console remotely?
One possibility is if UPnP is enabled on both your router and the NVR.
This would enable access inbound automatically.
Check your router configuration - UPnP being enabled by default is common.

Suggestion :
Check for inbound access using a service such as ShieldsUp!
Use the 'All Service ports' scan option.
That will at least cover port 80, though not the high ports such as 8000 and 8080
 

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
P2P is enable?
Security access is in compatable mode ?

[Quote ]PPA - is in Security Mode
P2P is enable - using this to monitor alarms and camera streams
If Yes both, someone try use p2p & your serial number to access. -
how did one get access to my device serial, other then my it was be my installer who has the details and confirmed they did not attempt login.
Enter password in GUI it's very interestion...

If not, someone inside your LAN and try get access to your NVR. -
Not possible as access to LAN/Wireless are tied down to MAC address, though technically it is possible MAC spoofing but for that someone needs to get into my network first to spoof the address.
It is interesting and scary as my console login is pattern based and I don't use username/password to login to console, but that intruder (avoiding alarm situation by not using "hacker') invoked that specific login API remotely and to make it worse there have been attempts to login to the system with an another personalized account created on the NVR, how did someone sniff this account name ?
Update firmware, but remember in new version disable get custom RTSP.
Disable P2P & always use onw VPN. -
Need to explore this alternative of using VPN and still having the capability of using mobile app to monitor & camera live feed, any pointers would be of help.
Change sec.access to security mode if it possible.

If you use SmartPSS be sure than no one have access to this soft, becouse they can get files & dectypt any strong password ;) -thanks for this tip. my password is strong that the reason their attempts are failing.

Any posible way for them to get this access is through the P2P connectivity, an unknow threat which has not been exploited yet and was used this break-in to the system, came acro
[/QUOTE]
 
Last edited:

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
That does suggest that the device is accessible from the internet.
Less likely is that another device on your network has been compromised and is being remotely controlled.


One possibility is if UPnP is enabled on both your router and the NVR.
This would enable access inbound automatically.
Check your router configuration - UPnP being enabled by default is common.

uPNP was enabled on NVR - this could be one of the reason a random scan could be reviled open port but again my device is not directly connect to interne, NVR is behind two Private segment and not exposed to internet directly by any means
Suggestion :
Check for inbound access using a service such as ShieldsUp!
Use the 'All Service ports' scan option.
That will at least cover port 80, though not the high ports such as 8000 and 8080
Did use this website to scan open ports but all standard port comes as - Your system has achieved a perfect "TruStealth" rating.
 

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
Someone faced similar situation where the intruder was able to get into the NVR system possible because of weak password


But in my case I dont see the IP from where these attempts were being made and logs only says Local Login.
 

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
To make the matter worse I have reported this to Dauha local support center and their cyber crime team, but haven't heard any response yet,

how could we trust and use a security system which itself can be compromised and vendor is least bothered to respond or take any initiative to investigate
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
Do you access the NVR remotely when away from home?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
OK, so unless you are VPNing back into your system, you either scanned a QR code or typed in the serial number or forwarded a port, thus putting your device on the internet and making it vulnerable to one of the many backdoor exploits that seem to always pop up OR thru someone/bot trying to guess the password...

Edit - you respond within the grey areas of replies, but you mentioned you have P2P on - that is how this is happening...
 
Last edited:

jarrow

Pulling my weight
Joined
Jan 6, 2022
Messages
159
Reaction score
170
Location
NL
Where did you find these logs?
If you look under 'Alarm' and then select one of the lowest options 'Exception' you'll see the logs of Illegal login attempt. There I've always seen an IP-address, mostly Bralizian, Russian or French and always have multiple reports of abuse if you search only.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
To make the matter worse I have reported this to Dauha local support center and their cyber crime team, but haven't heard any response yet,

how could we trust and use a security system which itself can be compromised and vendor is least bothered to respond or take any initiative to investigate
You will find that they do not care about you the end user and will tell you to talk to the installer.

It is why we do not allow these things to have access to the internet...

Ironically, NO security system is secure from internet hacking...EVERY manufacturer has been hacked...it is why we do not allow these to have access to the internet.


 

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
This exploit was PoC'd by @bashis and document under '-=[Loopback Vulnerability]=-CVE-2021-33045 ' The behaviors is same as I don't see the origin (IP) of the attempt as its invoking "Local Login" method.

Time to upgrade my firmware !!
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
This exploit was PoC'd by @bashis and document under '-=[Loopback Vulnerability]=-CVE-2021-33045 ' The behaviors is same as I don't see the origin (IP) of the attempt as its invoking "Local Login" method.

Time to upgrade my firmware !!
Even with an upgrade of the firmware, you do a search around here and on the internet - these companies are SLOW to fix vulnerabilities. As long as you allow P2P, someone will find a backdoor...
 

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
Where did you find these logs?
If you look under 'Alarm' and then select one of the lowest options 'Exception' you'll see the logs of Illegal login attempt. There I've always seen an IP-address, mostly Bralizian, Russian or French and always have multiple reports of abuse if you search only.
Logs are under Maintain->Log and type Account which displays all login attempt to the system
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
They have probably got in via the backdoor and that is why they logins look to be local.

We had someone here about 6 months ago with a similar issue with a Hikvision NVR and they thought they were being attempted to be hacked by someone within their house that they didn't give access to. It ended up being a backdoor vulernability.
 
Last edited:

funtoosko

n3wb
Joined
Jan 23, 2023
Messages
18
Reaction score
3
Location
AU
You will find that they do not care about you the end user and will tell you to talk to the installer.

Unfortunately the local installer don't have a clue on such aspects of exploits/Vulnerability and sadly same goes for local authorized partner/reseller they are just box sellers !!
It is why we do not allow these things to have access to the internet...

Ironically, NO security system is secure from internet hacking...EVERY manufacturer has been hacked...it is why we do not allow these to have access to the internet.


 
Top