[FD] Access control bypass in Hikvision IP Cameras
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Access control bypass in Hikvision IP Cameras
- From: Monte Crypto <mc_noreply@xxxxxxxxxxxxx>
- Date: Tue, 12 Sep 2017 04:19:00 +0200 (CEST)
Access control bypass in Hikvision IP Cameras
Full disclosure
Sep 12, 2017
Synopsis:
---------------
Many Hikvision IP cameras contain a backdoor that allows unauthenticated
impersonation of any configured user account. The vulnerability has been
present in Hikvision products since at least 2014. In addition to
Hikvision-branded devices, it affects many white-labeled camera products sold
under a variety of brand names. Hundreds of thousands of vulnerable devices are
still exposed to the Internet at the time of publishing. In addition to gaining
full administrative access, the vulnerability can be used to retrieve
plain-text passwords for all configured users.
Risk and Mitigation:
--------------------
The vulnerability poses a severe risk. Because the vulnerability is trivial to
exploit, it is recommended that you immediately upgrade or disconnect all
Hikvision products from the Internet or untrusted networks, or at least
implement network access control rules that only allow trusted IP addresses to
initiate connections to vulnerable devices. Keep in mind that many Hikvision IP
cameras come with UPNP enabled by default and can expose themselves to the
Internet automatically. Hikvision has released firmware updates for many camera
models in which the backdoor code is removed. If an update is available for your
device, you should install it as soon as possible.
Be aware that many Hikvision cameras sold online as "Multilanguage" or
"English, not upgradeable" are in fact modified Chinese-language (domestic
market) cameras. Attempting to upload English firmware into such cameras could
result in a boot loop that can only be recovered from by flashing original
Chinese-language firmware over TFTP. If you do not understand what this
paragraph says, or are not entirely sure that your camera is an export
English-language model, do not attempt to upgrade it.
Vulnerability details:
----------------------
The Hikvision camera API includes support for the proprietary HikCGI protocol,
which exposes URI endpoints through the camera's web interface. The HikCGI
protocol handler checks for the presence of a parameter named "auth" in the
query string, and if that parameter contains a base64-encoded
"username:password" string, the HikCGI API call assumes the identity of the
specified user. The password is ignored.
Virtually all Hikvision products come with a superuser account named "admin",
which can be easily impersonated. For example:
Retrieve a list of all users and their roles:
http://camera.ip/Security/users?auth=YWRtaW46MTEK
Obtain a camera snapshot without authentication:
http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK
All other HikCGI calls can be impersonated in the same way, including those
that add new users or flash camera firmware. Because most Hikvision devices
only protect firmware images by obfuscation, one can flash arbitrary code or
render hundreds of thousands of connected devices permanently unusable with
just one simple HTTP call.
And worst of all, one can download the camera configuration:
http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK
Configuration backup files, unfortunately, contain usernames and plain-text
passwords for all configured users. While the files are encrypted, the
encryption is easily reversible, because Hikvision chose to use a static
encryption key, which is derived from the password "abcdefg". Other Hikvision
products have similarly weak encryption mechanisms.
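From the defender's side, the bypass leaves a clear signature: a request to a HikCGI endpoint whose query string carries an "auth" parameter. The following detector is an added example (not part of the original advisory); it runs over constructed access-log lines in a common web-log layout, decodes the "auth" value to recover the impersonated username, and flags the endpoints the advisory singles out. The log format and the HIGH_IMPACT list are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not real traffic): one normal
# unauthenticated call that was correctly rejected, two requests carrying the
# HikCGI "auth" bypass parameter, and one with a value that is not base64.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:04:19:00 +0200] "GET /ISAPI/System/deviceInfo HTTP/1.1" 401 0
203.0.113.7 - - [12/Sep/2017:04:19:01 +0200] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 812
203.0.113.7 - - [12/Sep/2017:04:19:02 +0200] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 40960
198.51.100.9 - - [12/Sep/2017:04:19:03 +0200] "GET /onvif-http/snapshot?auth=not-base64! HTTP/1.1" 200 31000
"""

# Endpoints the advisory names as most damaging when impersonated (assumed list).
HIGH_IMPACT = ("/System/configurationFile", "/Security/users")

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Pull the raw auth value ourselves: parse_qs would turn a '+' in base64 into a space.
AUTH_RE = re.compile(r'(?:^|&)auth=([^&]*)')

def decode_auth(value):
    """Return the username from a base64 'username:password' value, else None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, _password = raw.partition(":")   # password is ignored by the camera too
    return user.strip() if sep else None

def scan_log(text):
    """Return one finding per request that carries the auth= bypass parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        a = AUTH_RE.search(parts.query)
        if not a:
            continue
        user = decode_auth(unquote(a.group(1)))
        findings.append({
            "src": m["src"], "path": parts.path, "status": int(m["status"]),
            "user": user,                          # None: value was not decodable
            "high_impact": parts.path in HIGH_IMPACT,
        })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response on a flagged request means the bypass succeeded on that device; a 401 or 403 on the same request is the behaviour a patched firmware should produce.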
Planted backdoor or accidental bug?
-----------------------------------
Make your own judgment.
There are four handlers in a typical Hikvision camera firmware that process API
requests: ISAPI, PSIA, HikCGI, and Genetec. All four contain very similar
authentication and authorization code. Only one of the four (HikCGI) has an
additional piece of code with a very simple logic of "if this exists, then skip
all authentication". Once you understand the code flow, the backdoor code
really stands out. It is nearly impossible for a piece of code that obvious to
not be noticed by development or QA teams, yet it has been present for 3+
years. The vulnerability started to quietly disappear from new firmware
released in Jan/Feb of 2017, after Hikvision leadership made public comments
that no such backdoor exists and after similar backdoors were reported in other
manufacturers' products.
Hikvision indicated that it was a piece of debug code inadvertently left by one
of the developers.
It is plausible that a developer forgot to remove a piece of test code and it
went unnoticed for years. There are no attempts to hide the backdoor code, which
would certainly be expected in the case of a deliberately planted backdoor.
Chinese domestic market cameras contain the backdoor as well.
Timeline:
---------------
March 5, 2017:
- Backdoor discovered.
March 6, 2017:
- Hikvision notified of the backdoor, technical details provided.
March 7, 2017:
- Hikvision confirmed the vulnerability and promised a firmware update.
March 12, 2017:
- Hikvision issued a memo about the vulnerability to partners.
- Hikvision started publishing firmware updates for affected devices.
May 4, 2017:
- ICS-CERT released advisory ICSA-17-124-01.
Sep 11, 2017:
- Vulnerability details released on the Full Disclosure mailing list.
References:
------------
HikCGI protocol:
http://www.Hikvisioneurope.com/portal/?dir=portal/Integration%20and%20Development%20Materials/03--Protocol/01--HIKCGI%20Protocol
My bitcoin address (buy me a beer):
1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/