Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

By: Brian Karas, Published on Nov 16, 2017

The buffer overflow vulnerability in Dahua products is not in dispute; in fact, we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

This was recently showcased in a Forbes article that bluntly called it 'the next web crisis' and included a video demonstration of an 'Ocean's Eleven' Dahua hack.

IPVM has researched this, talking with Dahua, Forbes and the cybersecurity research firm that found this vulnerability, and found conflicting claims. Inside this report, we examine the vulnerability, the claims being made by each party and what this means for both Dahua and cybersecurity reporting.

Vulnerability ******

*********** ************ ************, *** ******* **** initially ******** *** ****** overflow *************, ***** ** can ** **** ** "switch ***" * ***** feed, ******** ********* ** replace *** **** ****** from *** ****** **** a **** *** ** their ********. 

**** ** "************" ** the *****, ****** ** one **** ******* *********, no ********* *** ***** on *** ****** ******* of ******* *** *******, and **** *** ******** live/original *** ********* ***** feeds *** ***** *** video ****** ***** ***** as ****-***** ******, ** does *** **** ** actual ****** ******* ***** the ***** **** ****** out *** ** ******** in * **** ****** fashion.

***** ******* 

***** ************* ************' **** **** on *** *******, ***** ****** **** did *** *** *** the ************* ***** ***** result ** **** **** a ****** ** ******* (DoS):

*************, *** ****** ******** vulnerability *** *** *********** of ****** **** *********.  This ** *** ******* of *** *********. “…..****** a ******* **** ******* to *** ********** *** interface *** **** ********** access ********”.

*******, ** *** *** discovered * **** **** could ******* **** ************* effectively. *** **** ****** impact ** *** ******* is ***.

Details ********

*********** **** ******** ************ would *** ******* ********** ********* details ****** **** *** contained ** *** *****. Leigh-Anne ******** [**** ** longer *********], *** ********* the ******* ** *** Forbes ***** ******:

*** ******* **, **** we **** ***** * proof-of-concept ** ** ****** that ***** ** *********** used ** * *** system ** ** **-******. Due ** *** *********** disclosure **********, ** ****** disclose **** ******* ******* on *** ** *** be ****. ** *** several ************* ** ******* IP-cameras ***************, *** **’** just **** *** ** them.

**** ***** [**** ** longer *********], *** ******** the ******* ************* *** developed *** ******* **** by ******** ** *** Forbes *****, ******* *** following *********** ** *** exploit:

** **** ****** *** like ***** ***** ******** packets ** ****** **** other ******. ** ******  any ***** *************. ** had *** ****** *** for ** ***** ****** runs **** ***** ******.

******* **** ** ***** ** **** gotten ****/***** ****** ** the ****** ** ****** external ********, ***** **** would ** ******** *** such ** *******, *** easily ********* ******* ****** specific *******. ******* ** ****** that *** ****** ******** vulnerability (***** ****** ** sending ********* ******* **** POST ********) *** ** leveraged ** ****/**** ***** processes ** *** ******, and **** **** *********** it ** ******** ** a ***** ******.

Forbes ******* ************

***** *** ** ******** the technical *********** ** *** *******, the ****** ****** ******** to ***** ******* *********** verification, ******** *** ***********, and *** *********** ** the **-**** ********** (***** makes ** ******* ** the ******* ** ***** video *******):

** **** ****, ** looked ** *** ******* provided *** ******* *** script ******* ****, ******* trusting ** *** *********** and *** *********** ******** by **** *** *** US **********.

**** ****** ******* *** clarification ** *** ******* provided, ****** ******** **** more ********* ***** *** we ***** *** ************ of *** ***** ******* of ****** ********* ******* as ** *** **** verified *** ******* (*.*., reviewing ****** ****, ****** another *********** ******** **** to ****** ********'* ***** of *******):

*****, *** *** ******* more ** ** *********** from *** ** *** you ***** **** ** implausible? What's *********** **********? ** you *** **** ** a ****** *** ********** compromise **, ****** ******** is ******** ** *** as *'* *********.

** ********, ** ********* that ***** **** ** indication *** ******* ***** be **** ** "*** root" ** *** ***** of ******** ****** ** a **** ***** ***** an ******** ***** **** arbitrary ******** *** ******* commands ** ****. *** exploit *** ******** ***** software ** *** ****** already ******* ** ****, meaning **** *** ******** called *** *** ******* would *** ** ****, but **** *** *** allow *** **** ****-******* style ******.

Dahua *** ********

** ***** **** ****, ******** Technologies****** ***** ********** ********** and "**** ** ***"*** ****** ******** *************. However, **** ***** ** he *** ********* ***** with ******* ** *** exploit ** **** ****** that ***** *** ******** fixed **** (***** ***** did *** **** **** an ******* *** *********), ***** responded:

* ****'* **** **** Dahua ***** **. * don't ***** **** *** easily *** **, ** many **** **** ** change... **** ****** ** fix *** *** **** nobody **** ******* *** :)

More ********* ******* *****

***** ** *** ****** video, ** ******* ** given ** ******* ***** used *** * ******, a **** **** ****** scenario, ****** **** ***** still **** ** **** than **** ********** * buffer ******** *******, ****** requiring ********** **** ** be ******* ****** **** the ******. ***** ******** this ** ********** ** open ****** ********** ** get **** ****** ** a ***** *****.

***** ********* ** *****, but ************* ******* *** someone *** ****** ***** to ******* * ******. Given **** **** ***** is *** ******* **** and **** ********, ** would *** ** ********* to "****** ***' * video ****** ** **** cases, ****** ********* *** camera ******** ***** ********* be ****** ****, *** achieve *** **** ****** of ******** ** **** video ** *** ***** was ********.

Cyber ******** ****

** ***** ******** *********, and *** ***** ***** by ********** ******** ******* to ********, *****, ** does *** ********** ** sensationalize ******** ***** **** unlikely ********* *** ******* demos **** **** ******* that ********** ***** *** risks. **** *** ***** in ******** ***** ******** vulnerability ******** (*,*,*) **** ** ** possible ** *********** *************** in **** **** ****** illustrate ********* *****.

Comments (2)

Would like to know what bashis mcw’s estimate of how likely it is that given a buffer overflow flaw, that a silver bullet string can be found for it resulting in root access.  

Only want to say that this is a problem to verify, since no details are published.

And cite one comment in my Dahua Backdoor python script

# Proof of claim: Screenshots or some Youtube video would not proof anything, so the claim couldn't be posted without real hard cold facts
