Subscriber Discussion

Dahua Backdoor Patch Creates A New User "Null"

GM
Greg Masters
Mar 28, 2017

SIDE-EFFECT of firmware patch: It appears the patch affects the user cred file (you know what it is) in a malformed way; if you look at your user account page you will see a new user "null" added. We tried deleting it, but that was unsuccessful. Another user management app, which I am told uses Dahua's protocols, was unsuccessful as well.

I don't think (I am unsure, actually) this is a risk, but it is uncomfortable. Since telnet is disabled (and can't be re-enabled with the HTTP API URL) we can't directly edit the account file. Serial access might work, but it's too much of a hassle and requires physical access to the camera... my curiosity might get the better of me on this.

ANYONE know how to "delete" this "user"?  Is this any risk to leaving as-is?

This is confirmed on "S" series PTZ.

[Screenshot: remove nulluser]

NOTICE: This comment was moved from an existing discussion: Dahua Backdoor Uncovered

JH
John Honovich
Mar 28, 2017
IPVM

Copied this to its own post so it can be discussed directly.

Below copying responses so far:

#U6

Sure, it's probably a script bug while messing with the user database... (most probably an old default admin account that they tried to wipe out)

Can you edit the user? Set password at least?

Most probably the login name contains nothing (aka an empty login name), and the GUI shows "null"; it could even be that the password is the same. So, it could be no login and no password.

If you can set a password on that account you should be fine; I think it would be bad if you could not.

Greg Masters:

Hello, modifying that "user" is unsuccessful. I tried to set a password, or at least remove it from the admin group, besides deleting the "user".

At least user: "blank" / pass: "blank" does not appear to work.

Thanks for your comments

#U6:

Think you should report it to cybersecurity@dahuatech.com soonest

UM
Undisclosed Manufacturer #1
Mar 28, 2017

After applying the update, have you tried to factory default the camera, and then see what users are in the database?

GM
Greg Masters
Mar 28, 2017

Yes, we just tried to default the camera. Networking and users were left unchanged: IPs, ports, users, passwords, services... nothing was changed there. All presets, profiles and video parameters were lost or defaulted. See screenshot. The "null" user remains. Strange...

GM
Greg Masters
Mar 28, 2017

I guess it's time to dig deeper into the HTTP API docs. Maybe there is a more robust "default" string which can be sent which will affect the main process and not just the PTZ.

RS
Robert Shih
Mar 28, 2017
Independent

You're probably going to need a "deeper" default to delete the settings, since the new firmware is a bit... weird. Try serial comms to run the config delete commands.

Newer devices are less affected by the change over to the new user credential management scheme.

GM
Greg Masters
Mar 30, 2017

Thanks for your suggestion. For obvious reasons we are trying to avoid hardware reset/serial (physical) access to these installs... but my curiosity will get the better of me. (;-)

UE
Undisclosed End User #2
Mar 29, 2017

Any new news?

UE
Undisclosed End User #2
Mar 28, 2017

Not strange at all, actually: they're trying to wipe three accounts at startup, so it's surely a bug in their scripting.

U
Undisclosed #3
Mar 28, 2017

UE
Undisclosed End User #2
Mar 28, 2017

No, it's more like ;)

    # test(1) has no -Z operator; -z is the empty-string test, and the
    # variable needs quoting so an empty value is not dropped from the test
    if [ -z "$line" ]; then
        echo "NULL string"
        exit

U
Undisclosed #4
Mar 28, 2017
IPVMU Certified

fi 
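The hypothesis running through the thread (U6's "empty login name that the GUI shows as null", and the "wipe three accounts at startup" script bug) as a worked example. This is added illustration, not Dahua's user database, migration script or GUI code: the record format, the account names in LEGACY_ACCOUNTS, the "null" placeholder rendering and the delete handler's validation rule are all assumptions. It shows how a migration that pads missing fields with defaults turns a blank line into a nameless admin account with no password, why a handler that validates input before lookup can then never delete it, and the audit check a practitioner would run over an exported user list.

```python
"""Hypothetical account-migration bug that leaves an empty-name ("null")
account behind, the hardened version, and an audit check for exported user
lists. None of this is Dahua's code or format; see the lead-in."""

import re
from dataclasses import dataclass

# Assumed legacy default accounts the startup migration is meant to wipe.
LEGACY_ACCOUNTS = {"admin", "888888", "666666"}
# Assumed allowed user-name syntax for the hardened parser.
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


@dataclass
class User:
    name: str
    pw_hash: str
    group: str


# Constructed sample database (not captured from a device): one record per
# line, fields separated by ':', plus the blank line that a careless edit or
# file concatenation leaves behind.
SAMPLE_DB = (
    "admin:$1$h1:admin\n"
    "888888:$1$h2:admin\n"
    "666666:$1$h3:user\n"
    "operator:$1$h4:user\n"
    "\n"
)


def migrate_naive(db_text):
    """Buggy migration: every line becomes a record, blank lines included.
    Missing fields are padded with defaults, so a blank line becomes an
    account with an empty name, an empty password hash and admin rights."""
    survivors = []
    for line in db_text.splitlines():
        fields = line.split(":")
        name = fields[0]
        pw_hash = fields[1] if len(fields) > 1 else ""
        group = fields[2] if len(fields) > 2 else "admin"
        if name in LEGACY_ACCOUNTS:
            continue  # wipe the legacy account
        survivors.append(User(name, pw_hash, group))
    return survivors


def migrate_safe(db_text):
    """Same migration with the checks the naive version lacks: skip blank
    lines, require exactly three fields, and reject malformed names instead
    of inventing defaults for them."""
    survivors = []
    for lineno, line in enumerate(db_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        name, pw_hash, group = fields
        if not VALID_NAME.match(name):
            raise ValueError(f"line {lineno}: invalid user name {name!r}")
        if name in LEGACY_ACCOUNTS:
            continue
        survivors.append(User(name, pw_hash, group))
    return survivors


def display_name(user):
    """Assumed GUI rendering: an empty name is shown as the placeholder
    'null', which is how such an account would surface on the account page."""
    return user.name or "null"


def delete_user(users, name):
    """Assumed delete handler. It validates the name before looking the
    account up, so the empty-name account can never be selected for
    deletion through this path. Returns (ok, message)."""
    if not name:
        return False, "user name must not be empty"
    remaining = [u for u in users if u.name != name]
    if len(remaining) == len(users):
        return False, "no such user"
    users[:] = remaining
    return True, "deleted"


def audit_users(users):
    """Audit an account list: flag empty or whitespace-only names and
    accounts with no password hash, reporting the name as the GUI shows it."""
    findings = []
    for u in users:
        if not u.name.strip():
            findings.append(("empty-name", display_name(u), u.group))
        if not u.pw_hash:
            findings.append(("empty-password", display_name(u), u.group))
    return findings


if __name__ == "__main__":
    naive = migrate_naive(SAMPLE_DB)
    print([display_name(u) for u in naive])  # ['operator', 'null']
    print(delete_user(naive, ""))  # (False, 'user name must not be empty')
    print(audit_users(naive))
    print([u.name for u in migrate_safe(SAMPLE_DB)])  # ['operator']
```

The audit is the part worth keeping around: run it over whatever account export or API listing a device gives you after a firmware update, and treat an empty-name or empty-password hit as something to report to the vendor rather than something to live with.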

KJ
Kenny Johnson
Apr 04, 2017

Where did you get this back door patch?  How do you find out which machines need it or can take it?

Thanks

GM
Greg Masters
Apr 04, 2017

Kenny:

Poor choice of words on my part. Dahua, as of now, is not releasing new firmware with *new* version numbers which have closed the March 2017 backdoor vulnerability. They have been releasing edited, or "patched", versions of the previous firmware, which retain the same (older) version date.

It's another discussion why they don't identify firmware with the fixed bug with an entirely new or later version date.

So in computerspeak the newer firmware is "patched".

That is what I meant.  I apologize if you or anyone thought I was referring to an actual binary or script to run against an older firmware file to fix the vuln.
