Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

By Brian Karas, Published Nov 16, 2017, 10:56am EST

The buffer overflow vulnerability in Dahua products is not in dispute; in fact, we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

This was recently showcased in a Forbes article that bluntly called it 'the next web crisis' and included a video demonstration of an 'Ocean's Eleven'-style Dahua hack:

IPVM has researched this, speaking with Dahua, Forbes and the cybersecurity research firm that found the vulnerability, and found conflicting claims. Inside this report, we examine the vulnerability, the claims made by each party, and what this means for both Dahua and cyber security reporting.

Vulnerability ******

*********** ************ ************, *** ******* **** ********* ******** the ****** ******** *************, ***** ** can ** **** ** "****** ***" a ***** ****, ******** ********* ** replace *** **** ****** **** *** camera **** * **** *** ** their ********. 

**** ** "************" ** *** *****, though ** *** **** ******* *********, no ********* *** ***** ** *** actual ******* ** ******* *** *******, and **** *** ******** ****/******** *** alternate ***** ***** *** ***** *** video ****** ***** ***** ** ****-***** videos, ** **** *** **** ** actual ****** ******* ***** *** ***** feed ****** *** *** ** ******** in * **** ****** *******.

***** ******* 

***** ************* ************' **** **** ** *** exploit, ***** ****** **** *** *** see *** *** ************* ***** ***** result ** **** **** * ****** of ******* (***):

*************, *** ****** ******** ************* *** the *********** ** ****** **** *********.  This ** *** ******* ** *** statement. “…..****** * ******* **** ******* to *** ********** *** ********* *** gain ********** ****** ********”.

*******, ** *** *** ********** * POST **** ***** ******* **** ************* effectively. *** **** ****** ****** ** the ******* ** ***.

Details ********

*********** **** ******** ************ ***** *** provide additional ********* ******* ****** **** *** contained ** *** *****. *****-**** ******** [link ** ****** *********], *** ********* the ******* ** *** ****** ***** stated:

*** ******* **, **** ** **** shown * *****-**-******* ** ** ****** that ***** ** *********** **** ** a *** ****** ** ** **-******. Due ** *** *********** ********** **********, we ****** ******** **** ******* ******* on *** ** *** ** ****. We *** ******* ************* ** ******* IP-cameras ***************, *** **’** **** **** one ** ****.

**** ***** [**** ** ****** *********], who ******** *** ******* ************* *** developed *** ******* **** ** ******** in *** ****** *****, ******* *** following *********** ** *** *******:

** **** ****** *** **** ***** which ******** ******* ** ****** **** other ******. ** ******  *** ***** functionality. ** *** *** ****** *** for ** ***** ****** **** **** Linux ******.

******* **** ** ***** ** **** ****** ****/***** access ** *** ****** ** ****** external ********, ***** **** ***** ** expected *** **** ** *******, *** easily ********* ******* ****** ******** *******. Instead he ****** **** *** ****** ******** vulnerability (***** ****** ** ******* ********* crafted **** **** ********) *** ** leveraged ** ****/**** ***** ********* ** the ******, *** **** **** *********** it ** ******** ** * ***** server.

Forbes ******* ************

***** *** ** ******** *** ********* *********** ** the *******, *** ****** ****** ******** to ***** ******* *********** ************, ******** the ***********, *** *** *********** ** the **-**** ********** (***** ***** ** mention ** *** ******* ** ***** video *******):

** **** ****, ** ****** ** the ******* ******** *** ******* *** script ******* ****, ******* ******** ** the *********** *** *** *********** ******** by **** *** *** ** **********.

**** ****** ******* *** ************* ** the ******* ********, ****** ******** **** more ********* ***** *** ** ***** the ************ ** *** ***** ******* of ****** ********* ******* ** ** how **** ******** *** ******* (*.*., reviewing ****** ****, ****** ******* *********** research **** ** ****** ********'* ***** of *******):

*****, *** *** ******* **** ** an *********** **** *** ** *** you ***** **** ** ***********? ****'* *********** inaccurate? ** *** *** **** ** a ****** *** ********** ********** **, almost ******** ** ******** ** *** as *'* *********.

** ********, ** ********* **** ***** were ** ********** *** ******* ***** be **** ** "*** ****" ** the ***** ** ******** ****** ** a **** ***** ***** ** ******** could **** ********* ******** *** ******* commands ** ****. *** ******* *** leverage ***** ******** ** *** ****** already ******* ** ****, ******* **** any ******** ****** *** *** ******* would *** ** ****, *** **** did *** ***** *** **** ****-******* style ******.

Dahua *** ********

** ***** **** ****, ******** ****************** ***** ********** ********** *** "**** to ***"*** ****** ******** *************. *******, **** asked ** ** *** ********* ***** with ******* ** *** ******* ** help ****** **** ***** *** ******** fixed **** (***** ***** *** *** feel **** ** ******* *** *********), ***** responded:

* ****'* **** **** ***** ***** it. * ***'* ***** **** *** easily *** **, ** **** **** have ** ******... **** ****** ** fix *** *** **** ****** **** another *** :)

More ********* ******* *****

***** ** *** ****** *****, ** example ** ***** ** ******* ***** used *** * ******, * **** more ****** ********, ****** **** ***** still **** ** **** **** **** triggering * ****** ******** *******, ****** requiring ********** **** ** ** ******* loaded **** *** ******. ***** ******** this ** ********** ** **** ****** connection ** *** **** ****** ** a ***** *****.

***** ********* ** *****, *** ************* complex *** ******* *** ****** ***** to ******* * ******. ***** **** most ***** ** *** ******* **** and **** ********, ** ***** *** be ********* ** "****** ***' * video ****** ** **** *****, ****** disabling *** ****** ******** ***** ********* be ****** ****, *** ******* *** same ****** ** ******** ** **** video ** *** ***** *** ********.

Cyber ******** ****

** ***** ******** *********, *** *** risks ***** ** ********** ******** ******* to ********, *****, ** **** *** temptation ** ************** ******** ***** **** unlikely ********* *** ******* ***** **** omit ******* **** ********** ***** *** risks. **** *** ***** ** ******** cyber ******** ************* ******** (*,*,*) **** ** ** ******** ** demonstrate *************** ** **** **** ****** illustrate ********* *****.

Comments (2)

Would like to know what bashis mcw's estimate is of how likely it is that, given a buffer overflow flaw, a silver bullet string can be found for it resulting in root access.


Only want to say that this is a problem to verify, since no details are published.

And cite one comment in my Dahua Backdoor python script

# Proof of claim: Screenshots or some Youtube video would not prove anything, so the claim couldn't be posted without real hard cold facts
