[Screenshot: Web Interface Login Page]
[Screenshot: Web Interface Logged In]
[Screenshot: iDMSS Mobile App]
[Screenshot: Serial Number Request]
[Screenshot: Serial Number Response]
[Screenshot: Camera Channels Request]
[Screenshot: Camera Channels Response]
[Screenshot: DVR User Group Request]
[Screenshot: DVR User Group Response]
[Screenshot: DVR Users Request]
[Screenshot: DVR Users Response]
[Screenshot: Email Settings Request]
[Screenshot: Email Settings Response]
[Screenshot: DDNS Settings Request]
[Screenshot: DDNS Settings Response]
[Screenshot: NAS (FTP) Settings Request]
[Screenshot: NAS (FTP) Settings Response]
[Screenshot: Reset "admin" Password to "abc123" Request]
Well at least the device logs user activity by IP address. Can we clear the logs to cover our tracks? Absolutely.
[Screenshot: Clear Logs Request]
As I was researching this, I found some other disturbing things about Dahua DVRs. The DVRs ship with telnet enabled and a static root password, and because they use a read-only file system, changing that password is not simple. What's more, other folks had been researching Dahua DVRs at approximately the same time as I was. They found issues like:
- The static root password I mentioned above
- Other backdoor accounts exist, including one with a revolving password that is a simple date hash.
- UPnP requests from untrusted addresses are supported and could be used to expose telnet on a DVR to the public internet.
- Passwords are limited to 6 chars.
- A weak 48-bit hash is utilized to protect DVR account passwords. (I'd like to know what this is so I can try cracking them)
The Metasploit module I wrote (auxiliary/scanner/misc/dahua_dvr_auth_bypass) currently does the following:
- Scans one or more addresses on a given port to identify Dahua DVRs
- Gets the firmware version
- Gets the serial number
- Gets the email settings (includes username, SMTP server, and cleartext creds)
- Gets the DDNS settings (includes the DDNS service, server, and cleartext creds)
- Gets the FTP (NAS) settings (again, cleartext creds)
- Gets the DVR users (username, group membership, and hashed passwords)
- Gets the user groups (group name, description, etc)
- Gets the channels (camera channel names, e.g. “bedroom” “cocina”)
- Stores any creds and services in the MSF "creds" or "services" database
- Clears the logs
- Changes a given user account's password (the same unauthenticated reset shown above)
[Screenshot: Metasploit Module Exploitation Page 1]
[Screenshot: Metasploit Module Exploitation Page 2]
[Screenshot: Metasploit Module Credential Storage]
Just clone the repo (git clone https://github.com/depthsecurity/dahua_dvr_auth_bypass.git) and then copy the .rb file into your Metasploit user modules directory (e.g. /root/.msf4/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb). Metasploit picks up the module on its next start (or after a "reload_all" in an already-running msfconsole).
If anyone wants to contribute to making this better / getting it included in the Metasploit repo, let me know. Some future options I'd like to add are:
- Check for telnet and utilize known default root password to gain telnet shell
- Issue a UPnP request to open telnet to public access, then get a telnet shell
- Check retrieved hashes for known default hash values (888888, 666666, admin, etc.)
- Identify the DVR password hash mechanism for cracking in JtR
- Stabilize across Dahua firmware versions
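Two of the items above (matching retrieved hashes against known defaults, and cracking) hinge on the 6-character password limit and the weak 48-bit hash listed earlier. The following is an added example, not code from the original post or from the dahua_dvr_auth_bypass module, and it assumes nothing about the DVR's real hash function, which the post does not describe: `standin_hash48` (the first 6 bytes of MD5) is only a stand-in with the same 48-bit output width. The user list is constructed to look like the (user, group, hash) triples the DVR Users request returns. It shows how a default-hash check works once the hash function is known, and why the 6-character limit, not the hash width, bounds the cracking effort.

```python
"""Added example: default-hash matching and keyspace math for 6-char, 48-bit hashes.

Not the Dahua DVR's real hash scheme (unknown on the page); standin_hash48 is a
placeholder with the same output width so the logic can be run offline.
"""
import hashlib
import itertools
import math
import string

# Default passwords named in the post's "future options" list.
DEFAULT_PASSWORDS = ["888888", "666666", "admin"]


def standin_hash48(password: str) -> str:
    """Stand-in 48-bit hash: first 6 bytes of MD5, hex-encoded. NOT the DVR's algorithm."""
    return hashlib.md5(password.encode()).digest()[:6].hex()


def default_hash_table(hash_fn=standin_hash48):
    """Precompute hash -> plaintext for the known default passwords."""
    return {hash_fn(p): p for p in DEFAULT_PASSWORDS}


def find_default_accounts(users, hash_fn=standin_hash48):
    """users: iterable of (username, group, hash). Returns [(username, default_password)]."""
    table = default_hash_table(hash_fn)
    return [(user, table[h]) for (user, _group, h) in users if h in table]


def keyspace_bits(charset_size: int, max_len: int) -> float:
    """log2 of the number of passwords of length 1..max_len over a charset."""
    total = sum(charset_size ** n for n in range(1, max_len + 1))
    return math.log2(total)


def brute_force(target_hash, charset, max_len, hash_fn=standin_hash48):
    """Exhaustive search of all passwords up to max_len; returns the password or None."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


# Constructed sample of what the DVR Users request returns: (user, group, hash).
SAMPLE_USERS = [
    ("admin", "admin", standin_hash48("admin")),
    ("888888", "admin", standin_hash48("888888")),
    ("operator", "user", standin_hash48("zx9")),  # short, non-default password
]

if __name__ == "__main__":
    print("accounts still on defaults:", find_default_accounts(SAMPLE_USERS))
    # A 6-char limit over 62 alphanumerics is ~2^35.8 candidates, far below 2^48:
    # the length cap, not the hash width, is what makes exhaustive search cheap.
    print(f"<=6 chars, 62-char set: 2^{keyspace_bits(62, 6):.1f} candidates")
    print(f"<=6 chars, 95 printable: 2^{keyspace_bits(95, 6):.1f} candidates")
    print("cracked:", brute_force(SAMPLE_USERS[2][2], string.ascii_lowercase + string.digits, 3))
```

Once the real hash is identified, only `standin_hash48` needs replacing; the default check and the brute-force loop are hash-agnostic, and the keyspace numbers are the reason a JtR format for it would finish any 6-character password quickly regardless of how the hash is built.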
The best advice for now is to make sure these devices are not reachable from the public internet. Dahua initially stated they would work on fixing the issues but went radio silent afterwards.
- 8/26/2013: Identified authorization flaw
- 8/27/2013: Wrote proof of concept tool/scanner
- 8/28/2013: Disclosed issue to Dahua
- 8/30/2013: Received initial response from Dahua including request for more info
- 8/30/2013: Responded to Dahua with requested info
- 9/2/2013: Received confirmation that Dahua R&D is working to fix the issue
- 10/2/2013: Requested status update from Dahua
- 10/10/2013: Re-requested status update from Dahua after no response from 10/2/2013.
- 11/13/2013: Publicly disclosed vulnerability on Bugtraq and presented at SecKC November meeting.