Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

By Brian Karas, Published Nov 16, 2017, 10:56am EST

The buffer overflow vulnerability in Dahua products is not in dispute; in fact, we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

This was recently showcased in a Forbes article that bluntly called it 'the next web crisis' and included a video demonstration of an 'Ocean's Eleven' Dahua hack.

IPVM has researched this, talking with Dahua, Forbes and the cybersecurity research firm that found this vulnerability, and found conflicting claims. Inside this report, we examine the vulnerability, the claims being made by each party and what this means for both Dahua and cyber security reporting.

Vulnerability ******

*********** ************ ************, *** ******* **** initially ******** *** ****** overflow *************, ***** ** can ** **** ** "switch ***" * ***** feed, ******** ********* ** replace *** **** ****** from *** ****** **** a **** *** ** their ********. 

**** ** "************" ** the *****, ****** ** one **** ******* *********, no ********* *** ***** on *** ****** ******* of ******* *** *******, and **** *** ******** live/original *** ********* ***** feeds *** ***** *** video ****** ***** ***** as ****-***** ******, ** does *** **** ** actual ****** ******* ***** the ***** **** ****** out *** ** ******** in * **** ****** fashion.

***** ******* 

***** ************* ************' **** **** on *** *******, ***** ****** **** did *** *** *** the ************* ***** ***** result ** **** **** a ****** ** ******* (DoS):

*************, *** ****** ******** vulnerability *** *** *********** of ****** **** *********.  This ** *** ******* of *** *********. “…..****** a ******* **** ******* to *** ********** *** interface *** **** ********** access ********”.

*******, ** *** *** discovered * **** **** could ******* **** ************* effectively. *** **** ****** impact ** *** ******* is ***.

Details ********

*********** **** ******** ************ would *** ******* ********** ********* details ****** **** *** contained ** *** *****. Leigh-Anne ******** [**** ** longer *********], *** ********* the ******* ** *** Forbes ***** ******:

*** ******* **, **** we **** ***** * proof-of-concept ** ** ****** that ***** ** *********** used ** * *** system ** ** **-******. Due ** *** *********** disclosure **********, ** ****** disclose **** ******* ******* on *** ** *** be ****. ** *** several ************* ** ******* IP-cameras ***************, *** **’** just **** *** ** them.

**** ***** [**** ** longer *********], *** ******** the ******* ************* *** developed *** ******* **** by ******** ** *** Forbes *****, ******* *** following *********** ** *** exploit:

** **** ****** *** like ***** ***** ******** packets ** ****** **** other ******. ** ******  any ***** *************. ** had *** ****** *** for ** ***** ****** runs **** ***** ******.

******* **** ** ***** ** **** gotten ****/***** ****** ** the ****** ** ****** external ********, ***** **** would ** ******** *** such ** *******, *** easily ********* ******* ****** specific *******. ******* ** ****** that *** ****** ******** vulnerability (***** ****** ** sending ********* ******* **** POST ********) *** ** leveraged ** ****/**** ***** processes ** *** ******, and **** **** *********** it ** ******** ** a ***** ******.

Forbes ******* ************

***** *** ** ******** the technical *********** ** *** *******, the ****** ****** ******** to ***** ******* *********** verification, ******** *** ***********, and *** *********** ** the **-**** ********** (***** makes ** ******* ** the ******* ** ***** video *******):

** **** ****, ** looked ** *** ******* provided *** ******* *** script ******* ****, ******* trusting ** *** *********** and *** *********** ******** by **** *** *** US **********.

**** ****** ******* *** clarification ** *** ******* provided, ****** ******** **** more ********* ***** *** we ***** *** ************ of *** ***** ******* of ****** ********* ******* as ** *** **** verified *** ******* (*.*., reviewing ****** ****, ****** another *********** ******** **** to ****** ********'* ***** of *******):

*****, *** *** ******* more ** ** *********** from *** ** *** you ***** **** ** implausible? What's *********** **********? ** you *** **** ** a ****** *** ********** compromise **, ****** ******** is ******** ** *** as *'* *********.

** ********, ** ********* that ***** **** ** indication *** ******* ***** be **** ** "*** root" ** *** ***** of ******** ****** ** a **** ***** ***** an ******** ***** **** arbitrary ******** *** ******* commands ** ****. *** exploit *** ******** ***** software ** *** ****** already ******* ** ****, meaning **** *** ******** called *** *** ******* would *** ** ****, but **** *** *** allow *** **** ****-******* style ******.

Dahua *** ********

** ***** **** ****, ******** Technologies****** ***** ********** ********** and "**** ** ***"*** ****** ******** *************. However, **** ***** ** he *** ********* ***** with ******* ** *** exploit ** **** ****** that ***** *** ******** fixed **** (***** ***** did *** **** **** an ******* *** *********), ***** responded:

* ****'* **** **** Dahua ***** **. * don't ***** **** *** easily *** **, ** many **** **** ** change... **** ****** ** fix *** *** **** nobody **** ******* *** :)

More ********* ******* *****

***** ** *** ****** video, ** ******* ** given ** ******* ***** used *** * ******, a **** **** ****** scenario, ****** **** ***** still **** ** **** than **** ********** * buffer ******** *******, ****** requiring ********** **** ** be ******* ****** **** the ******. ***** ******** this ** ********** ** open ****** ********** ** get **** ****** ** a ***** *****.

***** ********* ** *****, but ************* ******* *** someone *** ****** ***** to ******* * ******. Given **** **** ***** is *** ******* **** and **** ********, ** would *** ** ********* to "****** ***' * video ****** ** **** cases, ****** ********* *** camera ******** ***** ********* be ****** ****, *** achieve *** **** ****** of ******** ** **** video ** *** ***** was ********.

Cyber ******** ****

** ***** ******** *********, and *** ***** ***** by ********** ******** ******* to ********, *****, ** does *** ********** ** sensationalize ******** ***** **** unlikely ********* *** ******* demos **** **** ******* that ********** ***** *** risks. **** *** ***** in ******** ***** ******** vulnerability ******** (*,*,*) **** ** ** possible ** *********** *************** in **** **** ****** illustrate ********* *****.

Comments (2)

Would like to know bashis mcw's estimate of how likely it is that, given a buffer overflow flaw, a silver bullet string can be found for it resulting in root access.

Only want to say that this is a problem to verify, since no details are published.

And cite one comment in my Dahua Backdoor Python script

# Proof of claim: Screenshots or some Youtube video would not proof anything, so the claim couldn't be posted without real hard cold facts

 

 
