Exploit the possiblities

Hikvision IP Camera Access Bypass

Hikvision IP Camera Access Bypass
Posted Sep 12, 2017
Authored by Monte Crypto

Hikvision IP Cameras suffers from multiple access bypass vulnerabilities.

tags | exploit, vulnerability, bypass
MD5 | 6fc12ebc93196ea83a1dbcc6864fa795

Hikvision IP Camera Access Bypass

Change Mirror Download
Access control bypass in Hikvision IP Cameras
Full disclosure
Sep 12, 2017

Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.

Risk and Mitigation:
The vulnerability poses a severe risk. Because the vulnerability is trivial to exploit, it is recommended that you immediately upgrade or disconnect all Hikvision products from the Internet or untrusted networks, or at least implement network access control rules that only allow trusted IP addresses to initiate connections to vulnerable devices. Keep in mind that many Hikvision IP cameras come with UPNP enabled by default and can expose themselves to the Internet automatically. Hikvision released firmware updates for many camera models where backdoor code is removed. If an update is available for your devlice, you should install it as soon as possible.

Be aware that many Hikvision cameras sold online as "Multilanguage" or "English, not upgradeable" are in fact modified Chinese-language (domestic market) cameras. Attempting to upload English firmware into such cameras could result in a boot loop that can only be recovered from by flashing original Chinese-language firmware over TFTP. If you do not understand what this paragraph says or not entirely sure that your camera is an export English-language model, do not attempt to upgrade it.

Vulnerability details:
Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the idntity of the specified user. The password is ignored.

Virtually all Hikvision products come with a superuser account named "admin", which can be easily impersonated. For example:

Retrieve a list of all users and their roles:

Obtain a camera snapshot without authentication:

All other HikCGI calls can be impersonated in the same way, including those that add new users or flash camera firmware. Because most Hikvision devices only protect firmware images by obfuscation, one can flash arbitrary code or render hundreds of thousands of connected devices permanently unusable with just one simple http call.

And worst of all, one can download camera configuration:

Configuration backup files, unfortunately, contain usernames and plain-text passwords for all configured users. While the files are encrypted, the encryption is easily reversible, because Hikvision chose to use a static encryption key, which is derived from the password "abcdefg". Other Hikvision products have similarly weak encryption mechanisms.

Planted backdoor or accidental bug?
Make your own judgment.

There are four handlers in a typical Hikvision camera firmware that process API requests: ISAPI, PSIA, HikCGI, and Genetec. All four contain very similar authentication and authorization code. Only one of the four (HikCGI) has an additional piece of code with a very simple logic of "if this exists, then skip all authentication". Once you understand the code flow, the backdoor code really stands out. It is nearly impossible for a piece of code that obvious to not be noticed by development or QA teams, yet it has been present for 3+ years. The vulnerability start ed to quietly disappear from hew firmware released in Jan/Feb of 2017, after Hikvision leadership made public comments that no such backdoor exists and after similar backdoors were reported in other manufacturers' products.

Hikvision indicated that it was a piece of debug code inadvertently left by one of developers.

It is plausible, that a developer forgot to remove a piece of test code and it went unnoticed for years. There are no attempts to hide the backdoor code which would certainly be expected in case of a deliberately planted backdoor. Chinese domestic market cameras contain the backdoor as well.

March 5, 2017:
Backdoor discovered.
March 6, 2017:
- Hikvision notified of the backdoor, technical details provided.
March 7. 2017:
- Hikvision confirmed vulnerability and promised firmware update.
March 12, 2017:
- Hikvision issued a memo about the vulnerability to partners.
- Hikvision started publishing firmware updates for affected devices.
May 4, 2017:
- ICS-Cert released advisory ICSA-17-124-01
Sep 11, 2017:
Vulnerability details released in the full disclosure distribution list.

HikCGI protocol:

My bitcoin address (buy me a beer):


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    11 Files
  • 21
    Feb 21st
    3 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By