Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

By Brian Karas, Published Nov 16, 2017, 10:56am EST (Info+)

The buffer overflow vulnerability in Dahua products is not in dispute, in fact we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

This was recently showcased in a Forbes article, calling it bluntly 'the next web crisis', including a video demonstration of an 'Ocean's Eleven' Dahua hack:

IPVM has researched this, talking with Dahua, Forbes and the cybersecurity research firm who found this vulnerability, finding conflicting claims. Inside this report, we examine the vulnerability, the claims being made by each party and what this means for both Dahua and cyber security reporting.

Vulnerability ******

*********** ************ ************, *** ******* **** ********* ******** the ****** ******** *************, ***** ** can ** **** ** "****** ***" a ***** ****, ******** ********* ** replace *** **** ****** **** *** camera **** * **** *** ** their ********.

**** ** "************" ** *** *****, though ** *** **** ******* *********, no ********* *** ***** ** *** actual ******* ** ******* *** *******, and **** *** ******** ****/******** *** alternate ***** ***** *** ***** *** video ****** ***** ***** ** ****-***** videos, ** **** *** **** ** actual ****** ******* ***** *** ***** feed ****** *** *** ** ******** in * **** ****** *******.

***** *******

***** ************* ************' **** **** ** *** exploit, ***** ****** **** *** *** see *** *** ************* ***** ***** result ** **** **** * ****** of ******* (***):

*************, *** ****** ******** ************* *** the *********** ** ****** **** *********. This ** *** ******* ** *** statement. “…..****** * ******* **** ******* to *** ********** *** ********* *** gain ********** ****** ********”.
*******, ** *** *** ********** * POST **** ***** ******* **** ************* effectively. *** **** ****** ****** ** the ******* ** ***.

Details ********

*********** **** ******** ************ ***** *** provide additional ********* ******* ****** **** *** contained ** *** *****. *****-**** ******** [link ** ****** *********], *** ********* the ******* ** *** ****** ***** stated:

*** ******* **, **** ** **** shown * *****-**-******* ** ** ****** that ***** ** *********** **** ** a *** ****** ** ** **-******. Due ** *** *********** ********** **********, we ****** ******** **** ******* ******* on *** ** *** ** ****. We *** ******* ************* ** ******* IP-cameras ***************, *** **’** **** **** one ** ****.

**** ***** [**** ** ****** *********], who ******** *** ******* ************* *** developed *** ******* **** ** ******** in *** ****** *****, ******* *** following *********** ** *** *******:

** **** ****** *** **** ***** which ******** ******* ** ****** **** other ******. ** ****** *** ***** functionality. ** *** *** ****** *** for ** ***** ****** **** **** Linux ******.

******* **** ** ***** ** **** ****** ****/***** access ** *** ****** ** ****** external ********, ***** **** ***** ** expected *** **** ** *******, *** easily ********* ******* ****** ******** *******. Instead he ****** **** *** ****** ******** vulnerability (***** ****** ** ******* ********* crafted **** **** ********) *** ** leveraged ** ****/**** ***** ********* ** the ******, *** **** **** *********** it ** ******** ** * ***** server.

Forbes ******* ************

***** *** ** ******** *** ********* *********** ** the *******, *** ****** ****** ******** to ***** ******* *********** ************, ******** the ***********, *** *** *********** ** the **-**** ********** (***** ***** ** mention ** *** ******* ** ***** video *******):

** **** ****, ** ****** ** the ******* ******** *** ******* *** script ******* ****, ******* ******** ** the *********** *** *** *********** ******** by **** *** *** ** **********.

**** ****** ******* *** ************* ** the ******* ********, ****** ******** **** more ********* ***** *** ** ***** the ************ ** *** ***** ******* of ****** ********* ******* ** ** how **** ******** *** ******* (*.*., reviewing ****** ****, ****** ******* *********** research **** ** ****** ********'* ***** of *******):

*****, *** *** ******* **** ** an *********** **** *** ** *** you ***** **** ** ***********? ****'* *********** inaccurate? ** *** *** **** ** a ****** *** ********** ********** **, almost ******** ** ******** ** *** as *'* *********.

** ********, ** ********* **** ***** were ** ********** *** ******* ***** be **** ** "*** ****" ** the ***** ** ******** ****** ** a **** ***** ***** ** ******** could **** ********* ******** *** ******* commands ** ****. *** ******* *** leverage ***** ******** ** *** ****** already ******* ** ****, ******* **** any ******** ****** *** *** ******* would *** ** ****, *** **** did *** ***** *** **** ****-******* style ******.

Dahua *** ********

** ***** **** ****, ******** ****************** ***** ********** ********** *** "**** to ***"*** ****** ******** *************. *******, **** asked ** ** *** ********* ***** with ******* ** *** ******* ** help ****** **** ***** *** ******** fixed **** (***** ***** *** *** feel **** ** ******* *** *********), ***** responded:

* ****'* **** **** ***** ***** it. * ***'* ***** **** *** easily *** **, ** **** **** have ** ******... **** ****** ** fix *** *** **** ****** **** another *** :)

More ********* ******* *****

***** ** *** ****** *****, ** example ** ***** ** ******* ***** used *** * ******, * **** more ****** ********, ****** **** ***** still **** ** **** **** **** triggering * ****** ******** *******, ****** requiring ********** **** ** ** ******* loaded **** *** ******. ***** ******** this ** ********** ** **** ****** connection ** *** **** ****** ** a ***** *****.

***** ********* ** *****, *** ************* complex *** ******* *** ****** ***** to ******* * ******. ***** **** most ***** ** *** ******* **** and **** ********, ** ***** *** be ********* ** "****** ***' * video ****** ** **** *****, ****** disabling *** ****** ******** ***** ********* be ****** ****, *** ******* *** same ****** ** ******** ** **** video ** *** ***** *** ********.

Cyber ******** ****

** ***** ******** *********, *** *** risks ***** ** ********** ******** ******* to ********, *****, ** **** *** temptation ** ************** ******** ***** **** unlikely ********* *** ******* ***** **** omit ******* **** ********** ***** *** risks. **** *** ***** ** ******** cyber ******** ************* ******** (*,*,*) **** ** ** ******** ** demonstrate *************** ** **** **** ****** illustrate ********* *****.

Comments (2)

Undisclosed #1

IPVMU Certified | 11/16/17 06:52pm

Would like to know what bashis mcw’s estimate of how likely it is that given a buffer overflow flaw, that a silver bullet string can be found for it resulting in root access.

Agree

Disagree

Informative

Unhelpful

Funny

bashis mcw

In reply to Undisclosed #1 | 11/17/17 08:02pm

Only want to say that this is a problem to verify, since no details is published.

And cite one comment in my Dahua Backdoor python script

# Proof of claim: Screenshots or some Youtube video would not proof anything, so the claim couldn't be posted without real hard cold facts

Agree

Disagree

Informative

Unhelpful

Funny

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.

Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

Comments (2)

Undisclosed #1

bashis mcw

Login to read this IPVM report.

Subscriber Login

Loading Related Reports

Login to view the video.