full-disclosure - [FD] Vulnerabilities in Hikvision DS-7204HWI-SH

Open Source and information security mailing list archives

Date: Sat, 28 Feb 2015 23:51:23 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] Vulnerabilities in Hikvision DS-7204HWI-SH

Hello list!

There are Abuse of Functionality and Brute Force vulnerabilities in 
Hikvision DS-7204HWI-SH.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: Hikvision DS-7204HWI-SH with different 
versions of firmware.

----------
Details:
----------

Abuse of Functionality (WASC-42):

Login is persistent: admin (only logins for users can be changed). Which 
simplify Brute Force attack.

Brute Force (WASC-11):

In login form http://site/doc/page/login.asp there is no protection against 
Brute Force attacks. Which allows to pick up password (if it was changed 
from default).

I found this and other web cameras during summer to watch terrorists 
activities in Donetsk and Lugansks regions of Ukraine and also I took under 
control web cameras in Russia 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html).

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/7272/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives