Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

username

Adding my thanks to the great work on finding this vulnerability. One thing that has always bugged me is that I can never figure out which firmware updates to apply (USA equipment) from 2016.

My NVR is DS-716NI-SP (16 port). The affected lists here do not have a '-SP'. My cameras are 2cd2142fwd-i. Because of the confusion (and fear of bricking) I have not updated in some time, and my intermittent searches have not indicated that updates exist for this older hardware.
My NVR is at V3.4.5 build 170518, and cameras are at V5.5.82 build 190220.

Can anyone give me an idea if I need to update and specifically which file?
 

username

Failed to mention in my prior post that my NVR is not connected to the internet except for NTP. The cameras also do not see the internet.
 

username

Thanks for the updated link. My hardware is not on that list :), it seems to apply to newer hardware than I have.
I earlier posted a typo for my NVR. It's a DS-7716NI-SP (16 port), circa 2015, not a 716NI

The posted link also points to a FAQ which offered me useful info, including the fact that since it's not port forwarded and inside a LAN protected with a firewall appliance my risks are very low.
 

watchful_ip

That's true.

And for anyone still unclear - to quote from the FAQ:

To exploit this vulnerability, an attacker must be on the same network as the vulnerable device. In other words, if the attacker is able to view the login screen of a vulnerable device, they could attack it.

If they cannot get to the login screen of a vulnerable device, they are not able to exploit the vulnerability.
 

Spirch

I didn't try it on my camera, but this code ... are you sure this is an unintentional bug?

but wow
 

bashis

I didn't try it on my camera, but this code ... are you sure this is an unintentional bug?

but wow
Well, you cannot be sure about anything really, but my gut feeling is that this is not intentional. However, maybe this is how it is supposed to be, who really knows?
Anyhow, I've checked a "fixed" version, and there is filtering now; still, the URI and "language" tags are there, for what purpose I really don't know.

Still, a very interesting vulnerability, and an extremely convenient one for performing additional research.
 

Spirch

Read the explanations linked to in post #1 that cover this.
I read everything.

This kind of bug is something that a beginner / co-op student would make, and the fact that (if there is any team) QA and code reviewers didn't catch it is weird.

all the stars were aligned
 

bashis

I read everything.

This kind of bug is something that a beginner / co-op student would make, and the fact that (if there is any team) QA and code reviewers didn't catch it is weird.

all the stars were aligned
I have seen this kind of bug a lot, more times than I can remember...

It all comes down to one stupid 'system()' call.

'system()' should never take any kind of user-provided input (filtered or not), period.
 

bashis

I have seen this kind of bug a lot, more times than I can remember...

It all comes down to one stupid 'system()' call.

'system()' should never take any kind of user-provided input (filtered or not), period.
Anyhow, thanks to @watchful_ip's report, it was quite obvious that 'system()' was involved, and a limited command injection (as per his/her PoC of /etc/passwd); pretty easy to find the 'system()' call with user-provided input (actually only one candidate that I saw), a little searching for which URI, and then some additional searching for the right XML tag (thanks Hik, for your debug note), then test it with 'reboot()' to confirm.
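To illustrate the point bashis makes above, here is an added example in C (not the firmware's code and not the PoC; the "language" value, the /webLib/lang path and the cp command are hypothetical stand-ins): the system()-with-user-input pattern beside its replacement, a strict allowlist plus a direct exec with a fixed argv so no shell ever parses the value.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* Vulnerable pattern (hypothetical): a request field such as an XML "language"
 * tag is spliced into a command line destined for system(). The shell parses
 * the whole string, so metacharacters in the value become extra commands.
 * This builder only produces that string; it deliberately never calls system(). */
int build_shell_command(const char *lang, char *out, size_t outlen) {
    snprintf(out, outlen, "cp /webLib/lang/%s.xml /tmp/lang.xml", lang);
    /* 1 = the string carries shell metacharacters that a shell would act on */
    return strpbrk(out, ";|&$`<>()\n") != NULL;
}

/* Hardened pattern, step 1: a strict allowlist on the value (letters only). */
int lang_is_valid(const char *lang) {
    size_t n = strlen(lang);
    if (n == 0 || n > 8) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = lang[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))) return 0;
    }
    return 1;
}

/* Hardened pattern, step 2: run argv[0] directly via posix_spawnp. Each argv
 * element is one opaque argument, so nothing in it is interpreted by a shell.
 * Returns the child's exit status, or -1 if it could not be started. */
int run_without_shell(char *const argv[]) {
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Safe replacement for the builder above: validate first, then exec with a
 * fixed argv. Returns -1 without running anything if the value is rejected. */
int copy_language_file(const char *lang) {
    char src[64];
    if (!lang_is_valid(lang)) return -1;
    snprintf(src, sizeof src, "/webLib/lang/%s.xml", lang);
    char *argv[] = {"cp", src, "/tmp/lang.xml", NULL};
    return run_without_shell(argv);
}
```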
 

username

You can verify your cams now, PoC here
This didn't work using an iMac. Later I'll fire up my linux machine and try again. Admittedly I'm not proficient in this sort of stuff and additionally may have incorrectly installed Python3 on my Mac.
I named the file hikvision.py rather than the name presented at GitHub.
Python3 hikvision.py --rhost 192.168.x.x --rport8080 --check

Traceback (most recent call last):
File "hikvision.py", line 66, in <module>
import requests
ModuleNotFoundError: No module named 'requests'
 

SamM

This didn't work using an iMac. Later I'll fire up my linux machine and try again. Admittedly I'm not proficient in this sort of stuff and additionally may have incorrectly installed Python3 on my Mac.
I named the file hikvision.py rather than the name presented at GitHub.
Python3 hikvision.py --rhost 192.168.x.x --rport8080 --check

Traceback (most recent call last):
File "hikvision.py", line 66, in <module>
import requests
ModuleNotFoundError: No module named 'requests'
Open a terminal window, then run "pip install requests".

This should solve it on your Mac.
 

username

Thanks. Result is "cannot establish connection". :)

As expected, all is good.
 

alastairstevenson

Thanks. Result is "cannot establish connection". :)

As expected, all is good.
I suspect that you have a network connectivity issue with the target.

Below is a worked example of the PoC tool operating.

In the first attempt at the 192.168.1.64 target, the camera is powered off, so there is the error 'Cannot establish connection ...'
In the remaining 3 tests, the targets are live.
Code:
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[-] Cannot establish connection to "192.168.1.64:80"
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.112  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.112:80"
[i] ETag: "e69-258-601f845c"
[!] Remote is verified exploitable
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.111  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.111:80"
[i] ETag: "468-258-5e6f4e77"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64  --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "306-258-5e17dd7b"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
 

rearanger

The Python script does not let me log on to the shell after the first attempt. I had to alter the script to get it to let me log in to the shell repeatedly.

Not played with it much yet lol

Well done @bashis
 

bashis

The Python script does not let me log on to the shell after the first attempt. I had to alter the script to get it to let me log in to the shell repeatedly.
It would be interesting to know why, but I guess you commented out "remote.send(query_args='cat N>webLib/N')"?
(I put the whole 'already pwn' check there so as not to have multiple identical entries in (my) /etc/passwd.)
 