Title:
Multiple DVR/CCTV/IPcam manufacturers' web interface: admin-level hardcoded 'backdoor' credentials - Hunt, Huntelec plus around 40 vendors customizing Hunt products
References:
ACSA-2013-009
CVE-2013-5652
Timeline:
xx Mar 2011 - Vulnerability discovered
30 Aug 2013 - CVE assignment by CVE@Mitre
17 Oct 2013 - First try to get vendor's security contact
24 Oct 2013 - Second try to get vendor's security contact
25 Oct 2013 - Vendor security contact responds
27 Oct 2013 - Vulnerability details submitted to the vendor
05 Nov 2013 - Follow-up with the vendor
13 Nov 2013 - Follow-up with the vendor, details resubmitted, fix and disclosure timeline proposed to the vendor
19 Nov 2013 - Follow-up with the vendor
20 Nov 2013 - Follow-up with the vendor
21 Nov 2013 - Vendor replies "Actually the universal password requirement was got from our customer. We didn't use it from the beginning. We are doing a big improvement in the new product. Thank you for your kind reply."
21 Nov 2013 - Fix and disclosure timeline proposed to the vendor (also, as part of ACSA-2013-022)
22 Nov 2013 - Vendor replies "Hunt is an ODM manufacturer; if we hope to do any change, we need to let our customer know. I will let them know. When we get the response we will let you know our solution."
13 Dec 2013 - Follow-up with the vendor
12 Oct 2014 - Public disclosure
Related references:
ACSA-2013-022
CVE-2013-1391
Author:
Andrei Costin of the "FIRMWARE.RE" project
andrei@firmware.re
andrei@andreicostin.com
Vulnerability discovered using the "FIRMWARE.RE" platform/service
Vendors (main, white-label):
Hunt (http://www.hunt.com.tw/)
Vendors (customizing/marketing, by firmware code):
SV:
SVAT (http://svat.com)
ES:
http://www.oceancctv.com.tw/mypage.php?id=2
AZ:
http://www.cctvthailand.com/index.php?mo=21&list&hotdownload&p=4
http://hiview.igetweb.com/index.php?mo=21&list&newreleases&p=7
http://webcache.googleusercontent.com/search?q=cache:m-OAI7hvGRwJ:www.hiview.co.th/index.php%3Fmo%3D21%26list%26catid%3D7946+&cd=1&hl=en&ct=clnk&gl=fr&client=ubuntu
LI:
http://www.meritlilin.com/en/support-download.asp?c3#c3
http://www.lilin.tv/downloads
http://www.lilin.co.uk/
http://www.meritlilin.com/en/livedemo.asp
https://www.google.fr/search?client=ubuntu&channel=fs&q="LI2.1.93"
https://www.google.fr/search?client=ubuntu&channel=fs&q=DVR216-LI2.1.93.zip
http://www.generalfiles.biz/download/gs497df0ddh32i0/DVR216.zip.html
Affected firmware:
The list of affected firmware versions follows (470 unique software versions, across approximately 42 vendors deriving from the hunt.com.tw generic/white-label brand). The letter prefix of each version string is the customizing vendor's firmware code (e.g. SV, ES, AZ, LI above); the numeric part is the Hunt base version.
AM1.1.17
AM1.1.42
AM1.1.45
AM1.1.52
AM1.1.62
AM1.1.67
AM1.1.69
AM1.1.72
AM2.1.75
AZ1.1.17
AZ1.1.20
AZ1.1.24
AZ1.1.26
AZ1.1.29
AZ1.1.45
AZ1.1.50
AZ1.1.61
AZ1.1.67
AZ1.1.68
AZ1.1.70
AZ1.1.80
AZ2.1.71
AZ2.1.72
AZ2.1.76
AZ2.1.77
AZ2.1.78
AZ2.1.81
AZ2.1.92
CO1.1.16
CO1.1.41
CO1.1.52
CO1.1.65
CO1.1.68
D1.1.12
D1.1.15
D1.1.17
D1.1.22
D1.1.28
D1.1.36
D1.1.39
D1.1.43
D1.1.45
D1.1.61
D1.1.62
D1.1.67
D1.1.70
D2.1.71
D2.1.76
ER1.1.22
ER1.1.24
ER1.1.52
ER1.1.54
ER1.1.61
ER2.1.72
ER2.1.74
ER2.1.80
ES1.1.16
ES1.1.17
ES1.1.18
ES1.1.38
ES1.1.40
ES1.1.42
ES1.1.43
ES1.1.45
ES1.1.46
ES1.1.49
ES1.1.51
ES1.1.52
ES1.1.54
ES1.1.55
ES1.1.57
ES1.1.59
ES1.1.61
ES1.1.63
ES1.1.65
ES1.1.67
ES1.1.68
ES1.1.69
ES1.1.70
ES1.1.71
ES1.1.74
ES1.1.75
ES1.1.76
ES1.1.90
ES2.1.71
ES2.1.72
ES2.1.73
ES2.1.74
ES2.1.75
ES2.1.76
ES2.1.77
ES2.1.80
ES2.1.81
ES2.1.90
ES2.1.92
F1.1.23
F1.1.25
F1.1.29
F1.1.30
F1.1.32
F1.1.33
F1.1.35
F1.1.39
F1.1.43
F1.1.45
F1.1.48
F1.1.49
F1.1.52
F1.1.53
F1.1.60
F1.1.63
F1.1.66
F1.1.67
F1.1.69
F1.1.70
F1.1.72
F2.1.71
FO1.1.19
FO1.1.49
FO1.1.69
FO2.1.79
H1.1.27
HM1.1.51
HM1.1.70
HM2.1.72
HM2.1.77
I1.1.14
I1.1.17
I1.1.32
I1.1.35
I1.1.42
I1.1.47
I1.1.60
I1.1.61
I1.1.68
I1.1.74
I2.1.75
I2.1.81
IA2.1.80
IA2.1.81
K1.1.40
K1.1.41
K1.1.45
K1.1.50
K1.1.55
K1.1.60
K1.1.68
K1.1.75
K2.1.80
KB1.1.45
KU1.1.55
KU1.1.75
KU2.1.80
L1.1.42
L1.1.48
L1.1.61
LI1.1.21
LI1.1.22
LI1.1.25
LI1.1.26
LI1.1.27
LI1.1.28
LI1.1.29
LI1.1.30
LI1.1.42
LI1.1.49
LI1.1.51
LI1.1.55
LI1.1.56
LI1.1.57
LI1.1.59
LI1.1.61
LI1.1.63
LI1.1.64
LI1.1.73
LI1.1.74
LI2.1.71
LI2.1.75
LI2.1.76
LI2.1.77
LI2.1.78
LI2.1.80
LI2.1.81
LI2.1.90
LI2.1.93
LW1.1.32
LW2.0.02
LW2.0.03
LW2.0.04
LW2.0.05
LW2.0.06
LW2.0.15
LW3.0.04
LW3.0.05
LW3.0.07
M1.1.48
M1.1.60
M1.1.65
N1.1.49
N1.1.51
N1.1.52
N1.1.57
N1.1.61
N1.1.65
N1.1.69
N1.1.78
N1.1.79
N2.1.79
PE1.1.55
PE1.1.69
PE2.1.77
PR1.1.51
PR1.1.52
PR1.1.54
Q1.1.55
Q1.1.64
QF1.1.62
QF1.1.64
RO1.1.16
RO1.1.17
RO1.1.39
RO1.1.45
RO1.1.55
RO1.1.67
RO2.1.71
S1.1.39
SA1.1.17
SA1.1.18
SA1.1.24
SA1.1.25
SA1.1.28
SA1.1.30
SA1.1.45
SA1.1.48
SA1.1.55
SA1.1.59
SA1.1.61
SA1.1.67
SA1.1.69
SA1.1.70
SA1.1.80
SA1.1.85
SA2.1.81
SG1.1.17
SG1.1.19
SG1.1.28
SG1.1.69
SG2.1.71
SI1.1.38
SI1.1.39
SI1.1.45
SI1.1.54
SV1.1.46
SV1.1.51
SV1.1.52
SV1.1.68
SV1.1.71
SV1.1.74
SV2.1.71
SV2.1.74
SV2.1.81
SV3.1.72
SV3.1.74
TO1.1.17
TO1.1.49
TO1.1.50
TO1.1.52
TO1.1.55
TO1.1.61
TO1.1.69
TO1.1.70
TO1.1.75
TO2.1.71
TO2.1.72
TO2.1.80
TO2.1.90
TY1.1.20
TY1.1.50
TY1.1.70
TY2.1.70
TY2.1.71
TY3.1.75
U1.1.45
U1.1.67
UK1.1.67
UK1.1.74
UK2.1.72
UK2.1.77
V1.1.09
V1.1.12
V1.1.14
V1.1.15
V1.1.16
V1.1.17
V1.1.19
V1.1.20
V1.1.21
V1.1.22
V1.1.22ND
V1.1.23
V1.1.24
V1.1.24ND
V1.1.25
V1.1.26
V1.1.27
V1.1.28
V1.1.28ND
V1.1.29
V1.1.31
V1.1.33
V1.1.35
V1.1.38
V1.1.39
V1.1.40
V1.1.41
V1.1.42
V1.1.43
V1.1.45
V1.1.48
V1.1.49
V1.1.50
V1.1.51
V1.1.52
V1.1.52ND
V1.1.53
V1.1.53ND
V1.1.54
V1.1.54ND
V1.1.55
V1.1.57
V1.1.58
V1.1.60
V1.1.61
V1.1.61ND
V1.1.62
V1.1.65
V1.1.66
V1.1.67
V1.1.68
V1.1.69
V1.1.69D
V1.1.70
V1.1.71
V1.1.72
V1.1.73
V1.1.74
V1.1.75ND
V1.1.77
V1.1.78D
V1.1.80
V1.1.80ND
V1.1.81
V1.1.90
V1.1.90ND
V1.1.92ND
V1.47
V1.48
V1.50
V1.51
V2.0.04
V2.0.15
V2.1.69
V2.1.71
V2.1.71ND
V2.1.72
V2.1.72ND
V2.1.74
V2.1.74ND
V2.1.75
V2.1.75ND
V2.1.77
V2.1.77ND
V2.1.80
V2.1.80ND
V2.1.81
V2.1.81ND
V2.1.83
V2.1.84
V2.1.90
V2.1.90ND
V2.1.92
V2.1.92ND
V3.1.72ND
V3.1.74ND
V3.1.75ND
V3.1.77ND
V3.1.79ND
V3.1.80
V3.1.90
V3.1.90ND
V3.1.92ND
VA1.1.28
VA2.1.79
VY1.1.66ND
VY1.1.71ND
VY1.1.72NDS
VY1.1.73ND
W1.1.39
WT1.1.22
WT1.1.28
WT1.1.45
WT1.1.46
WT1.1.49
WT1.1.52
WT1.1.58
WT1.1.61
WT1.1.62
WT1.1.70
WT2.1.72
WT2.1.75
WT2.1.79
X1.1.100
X1.1.94
Y1.1.07
Y1.1.09
Y1.1.13
Y1.1.14
Y1.1.16
Y1.1.17
Y1.1.18
Y1.1.19
Y1.1.25
Y1.1.35
Y1.1.38
Y1.1.39
Y1.1.40
Y1.1.42
Y1.1.43
Y1.1.45
Y1.1.49
Y1.1.50
Y1.1.52
Y1.1.54
Y1.1.55
Y1.1.60
Y1.1.61
Y1.1.62
Y1.1.65
Y1.1.66
Y1.1.68
Y1.1.69
Y1.1.70
Y1.1.74
Y1.1.75
Y1.1.90
Y2.1.70
Y2.1.71
Y2.1.72
Y2.1.74
Y2.1.75
Y2.1.77
Y2.1.80
Y2.1.81
YP1.1.17
YP1.1.18
YP1.1.32
YP1.1.40
YP1.1.45
YP1.1.47
YP1.1.48
YP1.1.49
YP1.1.50
YP1.1.52
YP1.1.55
YP1.1.66
YP1.1.67
YP1.1.68
YP1.1.73
YP2.1.70
YP2.1.74
Vulnerability details:
The affected firmware versions allow anyone who can reach the web interface
to log in with FULL ADMIN privileges using the following credentials:
Username: 5759
Password: 3297
These credentials are hardcoded in the binary code of the 'dvr'
application/web-server running on the devices.
The backdoor is presumably intended for situations such as
'forgotten admin password' recovery. However, it can just as easily be
used by attackers to completely compromise the security and privacy
of the victim.
No patch is known to date.
Since the credential cannot be removed on the device itself, the workaround
is to block, on a firewall or reverse proxy in front of the device, HTTP
requests whose Authorization header contains "NTc1OTozMjk3", which is
base64("5759:3297"), i.e. the HTTP Basic Authorization token for these
credentials. The token is fixed because Basic authentication is a
deterministic encoding of user:password, so a literal match catches the
canonical form; decoding the header and comparing the decoded user:password
additionally covers whitespace or padding variants that a lenient base64
decoder might accept. This only protects the web interface covered by this
advisory; such devices should not be exposed directly to the Internet in any case.
Shodan dork (to find exposed devices): Basic realm="DVR" server: httpd -mini
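As an added example (not code from this advisory, the FIRMWARE.RE project, Hunt or any reseller), the following Python implements the checks and the workaround logic described above: building the Basic-auth token for the hardcoded credentials, a passive banner check equivalent to the Shodan dork, detection of the credential in captured HTTP requests by decoding the Authorization header rather than grepping for the literal base64 string, and an active probe against a device. The sample requests are constructed. Two assumptions are mine and not stated in the advisory: that the device answers the backdoor credential with a 2xx on its root page and a wrong credential with 401, and that a lenient base64 decoder might accept stray whitespace or surplus padding (which is why decode-then-compare is used; it costs nothing either way).

```python
"""Checks for the hardcoded Hunt DVR web credential (ACSA-2013-009 / CVE-2013-5652).

Added example for this advisory, not code from FIRMWARE.RE, Hunt or any
reseller.  Everything not quoted from the advisory is an assumption and is
marked as such below.
"""
import base64
import binascii
import re
import urllib.error
import urllib.request

# Credentials from the advisory.
BACKDOOR_USER = "5759"
BACKDOOR_PASS = "3297"

# Banner from the advisory's Shodan dork.  Assumption: the realm appears in
# the WWW-Authenticate header and the server string in the Server header.
BANNER_REALM = 'Basic realm="DVR"'
BANNER_SERVER = "httpd -mini"


def basic_auth_header(user, password):
    """HTTP Basic credential as the client sends it: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def credentials_from_header(value):
    """Decode an Authorization header value into (user, password), or None.

    Decoding instead of matching the literal base64 string also catches tokens
    with stray whitespace, a lowercase scheme or surplus padding.  That the
    device's decoder would accept such variants is an assumption, not
    something the advisory states.
    """
    m = re.fullmatch(r"\s*basic\s+(.+?)\s*", value, re.IGNORECASE)
    if not m:
        return None
    token = re.sub(r"\s+", "", m.group(1)).rstrip("=")
    token += "=" * (-len(token) % 4)  # restore canonical padding
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def is_backdoor_login(authorization_value):
    """Block/alert predicate: True when the header carries the hardcoded credential."""
    return credentials_from_header(authorization_value) == (BACKDOOR_USER, BACKDOOR_PASS)


def looks_like_hunt_dvr(response_headers):
    """Passive fingerprint equivalent to the advisory's Shodan dork."""
    h = {k.lower(): v for k, v in response_headers.items()}
    return BANNER_REALM in h.get("www-authenticate", "") and BANNER_SERVER in h.get("server", "")


def scan_raw_requests(raw):
    """Return the request line of each HTTP request in `raw` that uses the backdoor credential."""
    hits = []
    for request in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = request.splitlines()
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "authorization" and is_backdoor_login(value):
                hits.append(lines[0])
                break
    return hits


def probe_device(base_url, timeout=5.0):
    """Active check: does the device at base_url accept the hardcoded credential?

    Assumption (not from the advisory): a wrong credential gets 401, the
    backdoor credential gets a 2xx on the root page.  Connection failures
    propagate so the caller can tell 'unreachable' from 'rejected'.  Only
    run this against devices you are authorised to test.
    """
    req = urllib.request.Request(
        base_url, headers={"Authorization": basic_auth_header(BACKDOOR_USER, BACKDOOR_PASS)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.getcode() < 300
    except urllib.error.HTTPError:
        return False


# Constructed sample traffic (not captured from a real device): two requests
# carrying the backdoor credential (the second with a lowercase scheme, an
# embedded space and surplus padding), one with a different credential, one anonymous.
SAMPLE_REQUESTS = (
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic NTc1OTozMjk3\r\n\r\n"
    "GET /live.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\nauthorization: basic  NTc1OT ozMjk3==\r\n\r\n"
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
    "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
)

if __name__ == "__main__":
    print(basic_auth_header(BACKDOOR_USER, BACKDOOR_PASS))  # the token the workaround blocks
    for hit in scan_raw_requests(SAMPLE_REQUESTS):
        print("backdoor credential used:", hit)
```

`is_backdoor_login` is the predicate a reverse proxy or WAF rule should implement; `scan_raw_requests` applies it retroactively to captured traffic, and `probe_device` is the one-shot check to run against your own inventory after fingerprinting candidates with `looks_like_hunt_dvr`.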
About the author/project:
Firmware.RE is part of the Firmware Genome Project.
Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.