Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerabilities in multiple Hikvision IP cameras and DVR

From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 29 Mar 2015 23:52:09 +0300
Hello list!

There are vulnerabilities in multiple Hikvision IP cameras and DVR.
These are Abuse of Functionality and Brute Force vulnerabilities, similar to holes in Hikvision DS-7204HWI-SH, which I disclosed earlier. 

-------------------------
Affected vendors:
-------------------------

Hikvision
http://www.hikvision.com

-------------------------
Affected products:
-------------------------
Vulnerable are the next models with different versions of firmware: Hikvision DS-2CD2412F-IW, DS-2CD2412F-I, DS-7204HWI-SH, DS-2CD2412F-IW, DS-2CD2012-I, DS-2CD2232-I5, DS-7108HWI-SH, DS-2CD7153-E, DS-2CD2132-I, DS-2DF5284-A. Since summer I found multiple models of Hikvision cameras and regularly find new cameras with similar vulnerabilities.
As Hikvision answered me at 01.03.2015, they didn't want to fix Abuse of Functionality vulnerability, but they will fix Brute Force vulnerability. New versions of firmware for different models of cameras with patch for Brute Force hole were released in the beginning of 2015. I still haven't found any Hikvision camera with such firmwares, only versions for 2014 and previous years, but developers showed me screenshot how they fixed it. 

----------
Details:
----------

Abuse of Functionality (WASC-42):
Login is persistent: admin (only logins for users can be changed). Which simplify Brute Force attack. 

Brute Force (WASC-11):
In login form http://site/doc/page/login.asp there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default).
I found this and other web cameras during summer to watch terrorists activities in Donetsk and Lugansks regions of Ukraine and also I took under control web cameras in Russia (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html).
I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7308/). 

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: