Hikvision Unauthenticated RCE (CVE-2021-36260) #16204
documentation/modules/exploit/linux/http/hikvision_cve_2021_36260_blind.md
Addressed @bwatters-r7 comments. Also realized I didn't randomize the replaced filename, so I went ahead and did that. I can post a new pcap if desired, but for now, everything appears to still work.
Could I get a new pcap for just the bind shell?
Attached!
Release Notes
This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.
Description
This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.
Background
Shodan shows there are approximately 3 million internet-facing Hikvision cameras. While only a subset of cameras are affected, that still indicates a very large number of vulnerable systems out in the world.
This vulnerability was reportedly added to the Moobot botnet in December, and continues to be actively exploited. Interestingly, some exploits seen in the wild would not actually work against my test target because their payloads are much too large (indicating variations of the vulnerability across different firmware).
Implementation Oddities
The injection space, in the worst case, is very small. The snprintf that builds the vulnerable string only allows for 0x1f bytes and the format string is: /dav/%s.tar.gz
Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately, snprintf will let us reclaim '.tar.gz'. So in reality, there are 26 bytes for our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes for payload. The 'echo' stager has a minimum of 26 bytes but we obviously don't have that much space. We can steal the extra space from the "random" file name and compress ' >> ' to '>>'. That will get us below 23. Squeezing the extra bytes will also allow printf stager to do more than 1 byte per exploitation.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/http/hikvision_cve_2021_36260_blind
set RHOST <ip>
check
set LHOST <ip>
exploit
PCAPS || GTFO
Two pcaps: one for the bind shell and one for reverse tcp stager.
hikvision_metasploit.zip
Video || GTFO
https://www.youtube.com/watch?v=3NzdQxqZJqc
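A defender-side companion to the description above, added here as an example and not part of the PR or the Metasploit module: it scans a constructed request log for HTTP PUT requests to the /SDK/webLanguage endpoint whose XML body carries shell-substitution characters such as $( ), the injection primitive the PR describes. The tab-separated log format and the <language> element name are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (assumed format): method<TAB>path<TAB>status<TAB>body.
# Lines 2 and 4 carry substitution markers; line 3 is a benign language change.
SAMPLE_LOG = """\
GET\t/ISAPI/System/deviceInfo\t200\t
PUT\t/SDK/webLanguage\t200\t<?xml version="1.0"?><language>$(id)</language>
PUT\t/SDK/webLanguage\t200\t<?xml version="1.0"?><language>english</language>
PUT\t/SDK/webLanguage\t500\t<language>`id`</language>
"""

# Shell command substitution forms worth flagging in a value that should be a
# plain language name: $( ... ), backticks and ${ ... } parameter expansion.
INJECTION_MARKERS = re.compile(r"\$\(|`|\$\{")

# The endpoint named in the PR description.
VULN_PATH = "/SDK/webLanguage"


@dataclass
class Hit:
    line_no: int
    status: str
    body: str


def scan_log(text: str) -> list[Hit]:
    """Return every PUT to the webLanguage endpoint whose body looks injected."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # malformed record, skip rather than crash the scan
        method, path, status, body = parts
        # Only the PUT handler for this path is the vulnerable sink.
        if method != "PUT" or not path.startswith(VULN_PATH):
            continue
        if INJECTION_MARKERS.search(body):
            hits.append(Hit(n, status, body))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no} status {hit.status}: {hit.body}")
```

A successful blind exploitation returns the same status as a legitimate language change, so the body content, not the response code, is what distinguishes the two.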