Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
> Your "P" user is deleted on my cam after a system reboot, so it does not really matter about having multiple entries in the password file. The cam also seems to handle the duplicate entries OK.

Thanks for the info, same with mine, but you know, 'aesthetic' ;)
 

SamM

Pulling my weight
Joined
Mar 29, 2020
Messages
245
Reaction score
109
Location
SA
Hi,

1. Is the DS-2CD2T25FWD-I5 with firmware version V5.5.61 build 180718 and web version V4.0.1 build 180626 vulnerable? I have tried the above by @bashis, but the results are:
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "10.0.0.245:80"
ETag: "ab2-1e0-5b441478"
[-] Could not verify if vulnerable (Code: 500)


2. What are the error codes that are presented in the parentheses?
 

SamM

Pulling my weight
Joined
Mar 29, 2020
Messages
245
Reaction score
109
Location
SA
@alastairstevenson Thank you. I have got exploitable results from the others but not from "check". Was a bit confused about the error being an internal server error.

Interesting how Hikvision excludes this model from its CVE list; the 2CD2X25 is excluded.
 

montecarlo

n3wb
Joined
Dec 11, 2021
Messages
3
Reaction score
0
Location
internet
Wonderful, amazing work; I read your blog, watchful_ip!
Thank you very much for sharing this.

I have one question:
In your original advisory you mentioned:
"Disable web authentication and login to target camera admin web pages with any password."
Can you please explain how one can do this?

I thought you can only add a new root user in /etc/passwd, but the camera does not reflect it immediately.
I have been trying to open my camera to the public, but in the end I just added a new user with a password and the viewer role..

Thanks
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
> Wonderful, amazing work; I read your blog, watchful_ip!
> Thank you very much for sharing this.
>
> I have one question:
> In your original advisory you mentioned:
> "Disable web authentication and login to target camera admin web pages with any password."
> Can you please explain how one can do this?
>
> I thought you can only add a new root user in /etc/passwd, but the camera does not reflect it immediately.
> I have been trying to open my camera to the public, but in the end I just added a new user with a password and the viewer role..
>
> Thanks

There are many ways.

You could edit the user file; you can actually have multiple admins in the user file. (There is a database containing web GUI user/admin info.)
 

montecarlo

n3wb
Joined
Dec 11, 2021
Messages
3
Reaction score
0
Location
internet
> There are many ways.
>
> You could edit the user file; you can actually have multiple admins in the user file. (There is a database containing web GUI user/admin info.)

I tried to modify the /devinfo/ipc_db and /devinfo/ipc_db_backup files by adding new admin users, but even after a reboot the password is wrong.
Can you point me to where the user file is? (The database containing web GUI user/admin info.)

My camera is a DS-2CD2120F, firmware V5.4.3 build 160729.

Thanks
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
> I tried to modify the /devinfo/ipc_db and /devinfo/ipc_db_backup files by adding new admin users, but even after a reboot the password is wrong.
> Can you point me to where the user file is? (The database containing web GUI user/admin info.)
>
> My camera is a DS-2CD2120F, firmware V5.4.3 build 160729.
>
> Thanks

Send me your ipc_db file.
In old versions it is possible to decrypt the password from the database.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
> I tried to modify the /devinfo/ipc_db and /devinfo/ipc_db_backup files by adding new admin users, but even after a reboot the password is wrong.
> Can you point me to where the user file is? (The database containing web GUI user/admin info.)
>
> My camera is a DS-2CD2120F, firmware V5.4.3 build 160729.
>
> Thanks

I PM'd you regarding having 2 admins. Also, there are security issues in the web GUI. You can get it to alter the ipc_db in ways that it should not allow. (I only stress tested it to see if it would allow root access.)

Certain functions and restrictions regarding users can be overridden from the web interface. (Tests were done on a G3 with the newest firmware prior to the CVE vulnerability fix.)
 

trempa92

Pulling my weight
Joined
Mar 26, 2020
Messages
724
Reaction score
221
Location
Croatia,Zagreb
How do you add a user?

I can't use commands such as adduser or vi to edit files. Anyone got a workaround?
 

trempa92

Pulling my weight
Joined
Mar 26, 2020
Messages
724
Reaction score
221
Location
Croatia,Zagreb
Ah, I couldn't manage to add a user to log in, but managed to reset to inactive so I can add a new user.
 

montecarlo

n3wb
Joined
Dec 11, 2021
Messages
3
Reaction score
0
Location
internet
> Ah, I couldn't manage to add a user to log in, but managed to reset to inactive so I can add a new user.

When reset to inactive, your camera becomes offline.
I did it accidentally when I deleted both the ipc_db and ipc_db_backup files. I guess davinci recreates both files automatically.

Did you figure out how to add users without the web interface?
I have SSH access as root but couldn't figure out how to modify the db files to add new users.
 

trempa92

Pulling my weight
Joined
Mar 26, 2020
Messages
724
Reaction score
221
Location
Croatia,Zagreb
> When reset to inactive, your camera becomes offline.
> I did it accidentally when I deleted both the ipc_db and ipc_db_backup files. I guess davinci recreates both files automatically.
>
> Did you figure out how to add users without the web interface?
> I have SSH access as root but couldn't figure out how to modify the db files to add new users.

I was testing on 3x G2 cameras and successfully ran a script in the bin directory called paramReset. It put my cameras in the inactivated state and let me add a new password. This way I am not adding any new user, I am resetting the camera.
 

trempa92

Pulling my weight
Joined
Mar 26, 2020
Messages
724
Reaction score
221
Location
Croatia,Zagreb
> Install a fully loaded busybox.
>
> Or cat > /etc/passwd
>
> (Add a script to make it permanent if it's for root.)

Can you send me the full busybox in a PM? I'd be grateful.

cat passwd gives a HASH, which is meaningless to me. If I'm correct there is no reversing, just comparing the results with brute force.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
> Can you send me the full busybox in a PM? I'd be grateful.
>
> cat passwd gives a HASH, which is meaningless to me. If I'm correct there is no reversing, just comparing the results with brute force.

G3 family busybox, fully loaded

 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
> Do you know if they are OEMd R0 series Hikvision cubes?
> If so, there is a mysterious firmware update here, in the same version and build date format as the vulnerable devices in other series:
>
> @bashis' PoC comes up with this for a DS-2CD2432-IW on that same version of firmware:
> Code:
> alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.105  --check
> [*] Hikvision CVE-2021-36260
> [*] PoC by bashis <mcw noemail eu> (2021)
> [*] Checking remote "192.168.1.105:80"
> [i] ETag: "8f6-1e0-587ec5e1"
> [-] Could not verify if vulnerable (Code: 500)
> alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.105  --reboot
> [*] Hikvision CVE-2021-36260
> [*] PoC by bashis <mcw noemail eu> (2021)
> [*] Checking remote "192.168.1.105:80" with "reboot"
> [+] Remote is not vulnerable
> alastair@PC-I5 ~/coding_stuff/bashis_disclosures $

How would I tell if they were OEMd R0?