what you don't know can hurt you

Hikvision IP Camera Access Bypass

Hikvision IP Camera Access Bypass
Posted Sep 12, 2017
Authored by Monte Crypto

Hikvision IP Cameras suffers from multiple access bypass vulnerabilities.

tags | exploit, vulnerability, bypass
MD5 | 6fc12ebc93196ea83a1dbcc6864fa795

Hikvision IP Camera Access Bypass

Change Mirror Download
Access control bypass in Hikvision IP Cameras
Full disclosure
Sep 12, 2017

Synopsis:
---------------
Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.

Risk and Mitigation:
--------------------
The vulnerability poses a severe risk. Because the vulnerability is trivial to exploit, it is recommended that you immediately upgrade or disconnect all Hikvision products from the Internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the Internet automatically. Hikvision released firmware updates for many camera models where backdoor code is removed. If an update is available for your devlice, you should install it as soon as possible.

Be aware that many Hikvision cameras sold online as "Multilanguage" or "English, not upgradeable" are in fact modified Chinese-language (domestic market) cameras. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If you do not understand what this paragraph says or not entirely sure that your camera is an export English-language model, do not attempt to upgrade it.


Vulnerability details:
----------------------
Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. The password is ignored.

Virtually all Hikvision products come with a superuser account named "admin", which can be easily impersonated. For example:

Retrieve a list of all users and their roles:
http://camera.ip/Security/users?auth=YWRtaW46MTEK

Obtain a camera snapshot without authentication:
http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK


All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:
http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

Configuration backup files, unfortunately, contain usernames and plain-text passwords for all configured users. While the files are encrypted, the encryption is easily reversible, because Hikvision chose to use a static encryption key, which is derived from the password "abcdefg". Other Hikvision products have similarly weak encryption mechanisms.


Planted backdoor or accidental bug?
-----------------------------------
Make your own judgment.

There are four handlers in a typical Hikvision camera firmware that process API requests: ISAPI, PSIA, HikCGI, and Genetec. All four contain very similar authentication and authorization code. Only one of the four (HikCGI) has an additional piece of code with a very simple logic of "if this exists, then skip all authentication". Once you understand the code flow, the backdoor code really stands out. It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years. The vulnerability start ed to quietly disappear from hew firmware released in Jan/Feb of 2017, after Hikvision leadership made public comments that no such backdoor exists and after similar backdoors were reported in other manufacturers' products.

Hikvision indicated that it was a piece of debug code inadvertently left by one of developers.

It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor. Chinese domestic market cameras contain the backdoor as well.


Timeline:
---------------
March 5, 2017:
Backdoor discovered.
March 6, 2017:
- Hikvision notified of the backdoor, technical details provided.
March 7. 2017:
- Hikvision confirmed vulnerability and promised firmware update.
March 12, 2017:
- Hikvision issued a memo about the vulnerability to partners.
- Hikvision started publishing firmware updates for affected devices.
May 4, 2017:
- ICS-Cert released advisory ICSA-17-124-01
Sep 11, 2017:
Vulnerability details released in the full disclosure distribution list.


References:
------------
HikCGI protocol:
http://www.Hikvisioneurope.com/portal/?dir=portal/Integration%20and%20Development%20Materials/03--Protocol/01--HIKCGI%20Protocol

My bitcoin address (buy me a beer):
1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    5 Files
  • 2
    Sep 2nd
    5 Files
  • 3
    Sep 3rd
    3 Files
  • 4
    Sep 4th
    13 Files
  • 5
    Sep 5th
    16 Files
  • 6
    Sep 6th
    15 Files
  • 7
    Sep 7th
    20 Files
  • 8
    Sep 8th
    16 Files
  • 9
    Sep 9th
    4 Files
  • 10
    Sep 10th
    2 Files
  • 11
    Sep 11th
    15 Files
  • 12
    Sep 12th
    19 Files
  • 13
    Sep 13th
    20 Files
  • 14
    Sep 14th
    38 Files
  • 15
    Sep 15th
    31 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    7 Files
  • 18
    Sep 18th
    15 Files
  • 19
    Sep 19th
    40 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close