| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <035701d06a62$50f18850$9b7a6fd5@pc> Date: Sun, 29 Mar 2015 23:52:09 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org> Subject: [FD] Vulnerabilities in multiple Hikvision IP cameras and DVR Hello list! There are vulnerabilities in multiple Hikvision IP cameras and DVR. These are Abuse of Functionality and Brute Force vulnerabilities, similar to holes in Hikvision DS-7204HWI-SH, which I disclosed earlier. ------------------------- Affected vendors: ------------------------- Hikvision http://www.hikvision.com ------------------------- Affected products: ------------------------- Vulnerable are the next models with different versions of firmware: Hikvision DS-2CD2412F-IW, DS-2CD2412F-I, DS-7204HWI-SH, DS-2CD2412F-IW, DS-2CD2012-I, DS-2CD2232-I5, DS-7108HWI-SH, DS-2CD7153-E, DS-2CD2132-I, DS-2DF5284-A. Since summer I found multiple models of Hikvision cameras and regularly find new cameras with similar vulnerabilities. As Hikvision answered me at 01.03.2015, they didn't want to fix Abuse of Functionality vulnerability, but they will fix Brute Force vulnerability. New versions of firmware for different models of cameras with patch for Brute Force hole were released in the beginning of 2015. I still haven't found any Hikvision camera with such firmwares, only versions for 2014 and previous years, but developers showed me screenshot how they fixed it. ---------- Details: ---------- Abuse of Functionality (WASC-42): Login is persistent: admin (only logins for users can be changed). Which simplify Brute Force attack. Brute Force (WASC-11): In login form http://site/doc/page/login.asp there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default). I found this and other web cameras during summer to watch terrorists activities in Donetsk and Lugansks regions of Ukraine and also I took under control web cameras in Russia (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html). I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7308/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists