Exploit the possiblities

Hikvision IP Camera Access Bypass

Hikvision IP Camera Access Bypass
Posted Sep 12, 2017
Authored by Monte Crypto

Hikvision IP Cameras suffers from multiple access bypass vulnerabilities.

tags | exploit, vulnerability, bypass
MD5 | 6fc12ebc93196ea83a1dbcc6864fa795

Hikvision IP Camera Access Bypass

Change Mirror Download
Access control bypass in Hikvision IP Cameras
Full disclosure
Sep 12, 2017

Synopsis:
---------------
Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.

Risk and Mitigation:
--------------------
The vulnerability poses a severe risk. Because the vulnerability is trivial to exploit, it is recommended that you immediately upgrade or disconnect all Hikvision products from the Internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the Internet automatically. Hikvision released firmware updates for many camera models where backdoor code is removed. If an update is available for your devlice, you should install it as soon as possible.

Be aware that many Hikvision cameras sold online as "Multilanguage" or "English, not upgradeable" are in fact modified Chinese-language (domestic market) cameras. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If you do not understand what this paragraph says or not entirely sure that your camera is an export English-language model, do not attempt to upgrade it.


Vulnerability details:
----------------------
Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. The password is ignored.

Virtually all Hikvision products come with a superuser account named "admin", which can be easily impersonated. For example:

Retrieve a list of all users and their roles:
http://camera.ip/Security/users?auth=YWRtaW46MTEK

Obtain a camera snapshot without authentication:
http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK


All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:
http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

Configuration backup files, unfortunately, contain usernames and plain-text passwords for all configured users. While the files are encrypted, the encryption is easily reversible, because Hikvision chose to use a static encryption key, which is derived from the password "abcdefg". Other Hikvision products have similarly weak encryption mechanisms.


Planted backdoor or accidental bug?
-----------------------------------
Make your own judgment.

There are four handlers in a typical Hikvision camera firmware that process API requests: ISAPI, PSIA, HikCGI, and Genetec. All four contain very similar authentication and authorization code. Only one of the four (HikCGI) has an additional piece of code with a very simple logic of "if this exists, then skip all authentication". Once you understand the code flow, the backdoor code really stands out. It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years. The vulnerability start ed to quietly disappear from hew firmware released in Jan/Feb of 2017, after Hikvision leadership made public comments that no such backdoor exists and after similar backdoors were reported in other manufacturers' products.

Hikvision indicated that it was a piece of debug code inadvertently left by one of developers.

It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor. Chinese domestic market cameras contain the backdoor as well.


Timeline:
---------------
March 5, 2017:
Backdoor discovered.
March 6, 2017:
- Hikvision notified of the backdoor, technical details provided.
March 7. 2017:
- Hikvision confirmed vulnerability and promised firmware update.
March 12, 2017:
- Hikvision issued a memo about the vulnerability to partners.
- Hikvision started publishing firmware updates for affected devices.
May 4, 2017:
- ICS-Cert released advisory ICSA-17-124-01
Sep 11, 2017:
Vulnerability details released in the full disclosure distribution list.


References:
------------
HikCGI protocol:
http://www.Hikvisioneurope.com/portal/?dir=portal/Integration%20and%20Development%20Materials/03--Protocol/01--HIKCGI%20Protocol

My bitcoin address (buy me a beer):
1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close