Unfixed Critical Vulnerability In Millions of XiongMai Devices Disclosed

Published Oct 10, 2018 16:22 PM

XiongMai, one of the biggest OEMs alongside Dahua and Hikvision, has suffered a critical vulnerability impacting millions of its devices.

This comes after XiongMai received universal criticism for the lack of security that enabled the Mirai botnet.

*******, ****** ***** *** *********, *** relatively ******* ***** * ******** *** for ********* ***************, ******** *** *** with * ****** ***** ******, ******* increasing *** ****.

****** **** ****, ** ****** **-******** ********** ********** **** ******** *************, *** ** ** ** *********** and *** **** ******* * ****** track ****** *** ********.

Default ********* *** ****** ******** ***** ******** *************

*** ********* ********************* * **.* ******** ************ *** ******* *** ****** ** administrator ****** ** *** ********** ******* through ******* ************* ***********, *** ********** undocumented "*******" **** *******. **** ***** that **** ******* ******* *** ******* administrator ********, *** ****** *** ***** be ******** ******** ***** *** "*******" account.

*** ******* ** *********** ********** ******* is ***** *** *** ******* ****** unsigned ********. *** ****** **** ** attacker *** **** ********* ******** ******* through *** ***** ***** *********. 

************, *** ******:

********* *** **********************() ***** ***** *** ******* ****** *** device ** ***** *** ******* *** malicious ********.

**** ********* ****** ** ******** ** persist ******* **** *** *******’ ***** memory. ****** ** *** ***** ****, it cannot ** ******* *** **** ** ********* *** ******.

*** ********* *** ************* (***-****-*****), **** ******* *********** ************* ****** ***** ** ******* ******* code ** ******, ******* ********** *** ******* ** is ********.

Who ** ********

********* ** ***'* **********, **** ************* impacts ******** ** *******, ******* ********'* XMEye ***** *******. ***** ***** ****** video ******* ** ****** **** **** NVRs, ******* ** ************ ** *****'* P2P ***** *** *********'* ***-******* ***** services.

*** ********** **** *** ******* ********, smaller ***** ***** *********.

* ***** **** *** ** **** of *** ******* ********:

Minimum ****** ** ******* ********** ******

***** ********* *** *** ******** **** in ******* ********** *************, *** **** directly ****** *** ****** ** *** budget *********. *******, *** ********** ****** could ** **** ******* ****** ***** markets.

Botnet ****

**** *****, ** **** **** *****, these ********** ******* *** ***** ****** disruption ** *** **** ******** ******* but****** ************* *******.

*** ****** **** ***** ******* **** be *********** *** **** ****** ******* is **** ****, ***** *** ****** of ******* *** *** *********** ** an ****** ***** *** *** ************* being ********* ** *** ******** ** them.

Extends *** ***** ******

******** *** * ******** ***** ****** of ************* ******. ********'* ******** ** publications **** ******** ** *** ***** bug *** ************ ***** ******. **** ****** *****, * ******* reseller ** ******** ************* *** * **** ***** **** contains ****** ************ ******** *******.

****, *** ***** **** * ********** identified ******** ************** **** **** ****** unpatched ** ***** ****** ********.

Not ****** ** ** **********

***** *** ********* ****** ** **** are ********** ** ** ********** *****, proponents ** ******* ************* ****** **** surely *** **** ** ******** **** there *** ************* **** * ***** track ****** **** *****, *** ***** of *** ********** ** *** ***.


Comments (14)
Undisclosed #1
Oct 10, 2018

* ******* ********* *** ******** *** bathroom ****** ******, ***** ***.

Undisclosed End User #3
Oct 10, 2018

Undisclosed Integrator #2
Oct 10, 2018

** ************* *****. ****** ******* *** found. -*****

Abaas Mahroos
Oct 10, 2018
Al Aswar Trading Group • IPVMU Certified

***** *** **** **.

Undisclosed Integrator #2
Oct 10, 2018

“Not ****** ** ** **********

***** *** ********* ****** ** **** are ********** ** ** ********** *****, proponents ** ******* ************* ****** **** surely *** **** ** ******** **** there *** ************* **** * ***** track ****** **** *****, *** ***** of *** ********** ** *** ***.”

———————————————————————————————————-

** ******* ** *** **** ********* in *** *******, ******* **** ** evidence ** ******* * ****** **** encompassing *** ** ***** ****** **** a *** ** ****** ******* *** companies **** **** ******** ******** ******? 

Sean Nelson
Oct 10, 2018
Nelly's Security

* ***** "******** ** *******" ***** qualify *** *** ********** **** *** well ******* *** *** *** **, and * ***** "***** ********" 

** = **** ****** *** ** Military *****, ********* ** ********

John Honovich
Oct 10, 2018
IPVM

** = **** ****** *** ** Military *****, ********* ** ********

* **** ****** ** ** ********* **** ** ***. ** ** simply ***** *** ***** ******* **** have ** **** **** ** ** military *****. ********* *** ***** ** because **** **** ***** ***** ***** teams *** *** ********* *******.

Sean Nelson
Oct 10, 2018
Nelly's Security

*** ** ******* ************* **** **** cyber ******** ******: **** ******** ** devices, **** ***** *****, ** ***-******.

Undisclosed Integrator #4
Oct 11, 2018

*** ** ******* ************* **** **** cyber ******** ******: **** ******** ** devices, **** ***** *****, ** ***-******.

*** ** **** **** **** ***** simply **** * ********** *********** ** slap * ******* ** *** ******* and ** **** *** ** *** heat?

Undisclosed Integrator #5
Oct 11, 2018

* ***** ** **** ***** *********'* new *** ******** :)

bashis mcw
Oct 11, 2018

***********...

****:*****://***.***-*******.***/**/****/****/**/********-**-********-*****-************-*******-***-**-******-***-*****-*******-*****-***-*****/

****: *** ******** **** ** *** “default” **** ** “********” (stored ** /***/******/********). The hash algorithm was reverse engineered before and is implemented on ******. Basically, ** ** * ****** ** . For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai ****** **** ***** ** *** **** ********* ** **** ** *** ****** ********* *** *** **** ******* ***?

*** **** *** ******** **** ** exactly *** **** ** *****, **** the **** ** *** ******** **** is ****** *** **** ** ******** (maybe **** ****** '/***' ****** '/***') and ****** **** ********.

*********

*)*****://******.***/****/***/****/******/*****-*******-****.**#***

*)*****://******.***/****/***/****/******/*****-********-***.**#***


*** ******** **, *** ****** ***? Or ** ** ****** '****** ********* SoC ***' ;-)


Midwest Surveillance
Oct 11, 2018

******, ***** ***. *** ******* *******, thought ********* *********** **** ** ****. Its * ********** ***** **** *** tiresome ******* ******** **** *****. 

Shay Fogel
Oct 12, 2018

***** **** *********** **** *** * split **** *****. * ***** *** their *** ****** ******* **** *****’*.

bashis mcw
Oct 12, 2018

******, **** ******** *** ****** *** :)