Vulnerabilities in Hikvision DS-7204HWI-SH

["MustLive" <mustlive () websecurity com ua>]

Hello list!

There are Abuse of Functionality and Brute Force vulnerabilities in 
Hikvision DS-7204HWI-SH.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: Hikvision DS-7204HWI-SH with different 
versions of firmware.

----------
Details:
----------

Abuse of Functionality (WASC-42):

Login is persistent: admin (only logins for users can be changed). Which 
simplify Brute Force attack.

Brute Force (WASC-11):

In login form http://site/doc/page/login.asp there is no protection against 
Brute Force attacks. Which allows to pick up password (if it was changed 
from default).

I found this and other web cameras during summer to watch terrorists 
activities in Donetsk and Lugansks regions of Ukraine and also I took under 
control web cameras in Russia 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html).

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/7272/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/