Dahua Forbes 'Next Web Crisis' Vulnerability Dispute

Published Nov 16, 2017, 15:56

The buffer overflow vulnerability in Dahua products is not in dispute; in fact, we covered it when it was first published.

What is in dispute is how significant the vulnerability is, and the risks posed to users with unpatched devices.

A recent Forbes article bluntly called it 'the next web crisis' and included a video demonstration of an 'Ocean's Eleven'-style Dahua hack.

IPVM has researched this, talking with Dahua, Forbes and the cybersecurity research firm that found the vulnerability, and found conflicting claims. Inside this report, we examine the vulnerability, the claims being made by each party, and what this means both for Dahua and for cyber security reporting.

Vulnerability ******

*********** ************ ************, *** ******* **** ********* ******** the ****** ******** *************, ***** ** can ** **** ** "****** ***" a ***** ****, ******** ********* ** replace *** **** ****** **** *** camera **** * **** *** ** their ********. 

**** ** "************" ** *** *****, though ** *** **** ******* *********, no ********* *** ***** ** *** actual ******* ** ******* *** *******, and **** *** ******** ****/******** *** alternate ***** ***** *** ***** *** video ****** ***** ***** ** ****-***** videos, ** **** *** **** ** actual ****** ******* ***** *** ***** feed ****** *** *** ** ******** in * **** ****** *******.

***** ******* 

***** ************* ************' **** **** ** *** exploit, ***** ****** **** *** *** see *** *** ************* ***** ***** result ** **** **** * ****** of ******* (***):

*************, *** ****** ******** ************* *** the *********** ** ****** **** *********.  This ** *** ******* ** *** statement. “…..****** * ******* **** ******* to *** ********** *** ********* *** gain ********** ****** ********”.

*******, ** *** *** ********** * POST **** ***** ******* **** ************* effectively. *** **** ****** ****** ** the ******* ** ***.

Details ********

*********** **** ******** ************ ***** *** provide additional ********* ******* ****** **** *** contained ** *** *****. *****-**** ******** [link ** ****** *********], *** ********* the ******* ** *** ****** ***** stated:

*** ******* **, **** ** **** shown * *****-**-******* ** ** ****** that ***** ** *********** **** ** a *** ****** ** ** **-******. Due ** *** *********** ********** **********, we ****** ******** **** ******* ******* on *** ** *** ** ****. We *** ******* ************* ** ******* IP-cameras ***************, *** **’** **** **** one ** ****.

**** ***** [**** ** ****** *********], who ******** *** ******* ************* *** developed *** ******* **** ** ******** in *** ****** *****, ******* *** following *********** ** *** *******:

** **** ****** *** **** ***** which ******** ******* ** ****** **** other ******. ** ******  *** ***** functionality. ** *** *** ****** *** for ** ***** ****** **** **** Linux ******.

******* **** ** ***** ** **** ****** ****/***** access ** *** ****** ** ****** external ********, ***** **** ***** ** expected *** **** ** *******, *** easily ********* ******* ****** ******** *******. Instead he ****** **** *** ****** ******** vulnerability (***** ****** ** ******* ********* crafted **** **** ********) *** ** leveraged ** ****/**** ***** ********* ** the ******, *** **** **** *********** it ** ******** ** * ***** server.

Forbes ******* ************

***** *** ** ******** *** ********* *********** ** the *******, *** ****** ****** ******** to ***** ******* *********** ************, ******** the ***********, *** *** *********** ** the **-**** ********** (***** ***** ** mention ** *** ******* ** ***** video *******):

** **** ****, ** ****** ** the ******* ******** *** ******* *** script ******* ****, ******* ******** ** the *********** *** *** *********** ******** by **** *** *** ** **********.

**** ****** ******* *** ************* ** the ******* ********, ****** ******** **** more ********* ***** *** ** ***** the ************ ** *** ***** ******* of ****** ********* ******* ** ** how **** ******** *** ******* (*.*., reviewing ****** ****, ****** ******* *********** research **** ** ****** ********'* ***** of *******):

*****, *** *** ******* **** ** an *********** **** *** ** *** you ***** **** ** ***********? ****'* *********** inaccurate? ** *** *** **** ** a ****** *** ********** ********** **, almost ******** ** ******** ** *** as *'* *********.

** ********, ** ********* **** ***** were ** ********** *** ******* ***** be **** ** "*** ****" ** the ***** ** ******** ****** ** a **** ***** ***** ** ******** could **** ********* ******** *** ******* commands ** ****. *** ******* *** leverage ***** ******** ** *** ****** already ******* ** ****, ******* **** any ******** ****** *** *** ******* would *** ** ****, *** **** did *** ***** *** **** ****-******* style ******.

Dahua *** ********

** ***** **** ****, ******** ****************** ***** ********** ********** *** "**** to ***"*** ****** ******** *************. *******, **** asked ** ** *** ********* ***** with ******* ** *** ******* ** help ****** **** ***** *** ******** fixed **** (***** ***** *** *** feel **** ** ******* *** *********), ***** responded:

* ****'* **** **** ***** ***** it. * ***'* ***** **** *** easily *** **, ** **** **** have ** ******... **** ****** ** fix *** *** **** ****** **** another *** :)

More ********* ******* *****

***** ** *** ****** *****, ** example ** ***** ** ******* ***** used *** * ******, * **** more ****** ********, ****** **** ***** still **** ** **** **** **** triggering * ****** ******** *******, ****** requiring ********** **** ** ** ******* loaded **** *** ******. ***** ******** this ** ********** ** **** ****** connection ** *** **** ****** ** a ***** *****.

***** ********* ** *****, *** ************* complex *** ******* *** ****** ***** to ******* * ******. ***** **** most ***** ** *** ******* **** and **** ********, ** ***** *** be ********* ** "****** ***' * video ****** ** **** *****, ****** disabling *** ****** ******** ***** ********* be ****** ****, *** ******* *** same ****** ** ******** ** **** video ** *** ***** *** ********.

Cyber ******** ****

** ***** ******** *********, *** *** risks ***** ** ********** ******** ******* to ********, *****, ** **** *** temptation ** ************** ******** ***** **** unlikely ********* *** ******* ***** **** omit ******* **** ********** ***** *** risks. **** *** ***** ** ******** cyber ******** ************* ******** (*,*,*) **** ** ** ******** ** demonstrate *************** ** **** **** ****** illustrate ********* *****.

Comments (2)
Undisclosed #1
Nov 16, 2017
IPVMU Certified

Would like to know bashis mcw's estimate of how likely it is that, given a buffer overflow flaw, a silver bullet string can be found for it resulting in root access.

bashis mcw
Nov 17, 2017

Only want to say that this is a problem to verify, since no details are published.

And to cite one comment in my Dahua Backdoor Python script:

# Proof of claim: Screenshots or some YouTube video would not prove anything, so the claim couldn't be posted without real hard cold facts