Unfixed Critical Vulnerability In Millions of XiongMai Devices Disclosed

Published Oct 10, 2018 16:22 PM

XiongMai, one of the biggest OEMs alongside Dahua and Hikvision, has suffered a critical vulnerability impacting millions of their devices.

This comes after XiongMai received universal criticism for the lack of security resulting in the Mirai botnet.

*******, ****** ***** *** *********, *** relatively ******* ***** * ******** *** for ********* ***************, ******** *** *** with * ****** ***** ******, ******* increasing *** ****.

****** **** ****, ** ****** **-******** ********** ********** **** ******** *************, *** ** ** ** *********** and *** **** ******* * ****** track ****** *** ********.

Default ********* *** ****** ******** ***** ******** *************

*** ********* ********************* * **.* ******** ************ *** ******* *** ****** ** administrator ****** ** *** ********** ******* through ******* ************* ***********, *** ********** undocumented "*******" **** *******. **** ***** that **** ******* ******* *** ******* administrator ********, *** ****** *** ***** be ******** ******** ***** *** "*******" account.

*** ******* ** *********** ********** ******* is ***** *** *** ******* ****** unsigned ********. *** ****** **** ** attacker *** **** ********* ******** ******* through *** ***** ***** *********. 

************, *** ******:

********* *** **********************() ***** ***** *** ******* ****** *** device ** ***** *** ******* *** malicious ********.

**** ********* ****** ** ******** ** persist ******* **** *** *******’ ***** memory. ****** ** *** ***** ****, it cannot ** ******* *** **** ** ********* *** ******.

*** ********* *** ************* (***-****-*****), **** ******* *********** ************* ****** ***** ** ******* ******* code ** ******, ******* ********** *** ******* ** is ********.

Who ** ********

********* ** ***'* **********, **** ************* impacts ******** ** *******, ******* ********'* XMEye ***** *******. ***** ***** ****** video ******* ** ****** **** **** NVRs, ******* ** ************ ** *****'* P2P ***** *** *********'* ***-******* ***** services.

*** ********** **** *** ******* ********, smaller ***** ***** *********.

* ***** **** *** ** **** of *** ******* ********:

Minimum ****** ** ******* ********** ******

***** ********* *** *** ******** **** in ******* ********** *************, *** **** directly ****** *** ****** ** *** budget *********. *******, *** ********** ****** could ** **** ******* ****** ***** markets.

Botnet ****

**** *****, ** **** **** *****, these ********** ******* *** ***** ****** disruption ** *** **** ******** ******* but****** ************* *******.

*** ****** **** ***** ******* **** be *********** *** **** ****** ******* is **** ****, ***** *** ****** of ******* *** *** *********** ** an ****** ***** *** *** ************* being ********* ** *** ******** ** them.

Extends *** ***** ******

******** *** * ******** ***** ****** of ************* ******. ********'* ******** ** publications **** ******** ** *** ***** bug *** ************ ***** ******. **** ****** *****, * ******* reseller ** ******** ************* *** * **** ***** **** contains ****** ************ ******** *******.

****, *** ***** **** * ********** identified ******** ************** **** **** ****** unpatched ** ***** ****** ********.

Not ****** ** ** **********

***** *** ********* ****** ** **** are ********** ** ** ********** *****, proponents ** ******* ************* ****** **** surely *** **** ** ******** **** there *** ************* **** * ***** track ****** **** *****, *** ***** of *** ********** ** *** ***.


Comments (14)
Undisclosed #1
Oct 10, 2018

I thought Hikvision had cornered the bathroom camera market, guess not.

Undisclosed End User #3
Oct 10, 2018

Undisclosed Integrator #2
Oct 10, 2018

No vulnerability found. Robust feature set found. -China

Abaas Mahroos
Oct 10, 2018
Al Aswar Trading Group • IPVMU Certified

Night owl uses XM.

Undisclosed Integrator #2
Oct 10, 2018

“Not Banned By US Government

While the companies affected by this are irrelevant to US Government sales, proponents of Chinese manufacturers banned will surely use this as evidence that there are manufacturers with a worse track record than Hikua, and proof of the unfairness of the ban.”

———————————————————————————————————-

In regards to the last paragraph in the article, wouldn't this be evidence to support a larger, more encompassing ban on China rather than a way to garner support for companies that were arguably unfairly banned?

Sean Nelson
Oct 10, 2018
Nelly's Security

I guess "millions of devices" didn't qualify for the rightfully just and well thought out ban due to, and I quote, "Cyber Security"

XM = Good Enough for US Military Bases, According to congress

John Honovich
Oct 10, 2018
IPVM

XM = Good Enough for US Military Bases, According to congress

I know you aim to be clever but this is not. XM is simply under the radar because they have no real path to US military bases. Hikvision and Dahua do because they have large local sales teams and big marketing budgets.

Sean Nelson
Oct 10, 2018
Nelly's Security

Tip to Chinese Manufacturers with poor cyber security record: Sell millions of devices, stay under radar, be non-banned.

Undisclosed Integrator #4
Oct 11, 2018

Tip to Chinese Manufacturers with poor cyber security record: Sell millions of devices, stay under radar, be non-banned.

Why do that when they could simply find a midwestern distributor to slap a sticker on the outside and to take all of the heat?

Undisclosed Integrator #5
Oct 11, 2018

I think we just found Honeywell's new OEM provider :)

bashis mcw
Oct 11, 2018

Interesting...

From: https://www.sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/

Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is a result of MD5(password) and compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?

Not only is the password hash exactly the same as Dahua's, even the path to the password file is almost the same as reported (maybe they forgot '/mnt' before '/mtd'), and it is indeed the same filename.

Reference

1) https://github.com/mcw0/PoC/blob/master/dahua-telnetd-json.py#L29

2) https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py#L25


The question is, who copied who? Or is it really 'Huawei HiSilicon SoC SDK' ;-)


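As an added illustration (not code from the page, from the linked PoC or from any vendor), here is the compressed-MD5 scheme the comment above describes, written in Python: the 16-byte digest is folded into 8 characters from a 62-symbol alphabet, so the stored value carries under 48 bits no matter how strong the password is, which is why the comment notes that collisions, not password recovery, are the practical concern. The byte-pair folding and alphabet order follow my reading of the Dahua PoC referenced above; that Xiongmai's implementation is byte-identical is the page's claim and is assumed here, as is the sample 'admin' input.

```python
import hashlib
import math
import string

# Alphabet used by the compressed hash: digits, then upper case, then lower case (62 symbols).
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def compressed_md5_hash(password: str) -> str:
    """Fold the 16-byte MD5 digest into 8 alphabet characters.

    Each adjacent byte pair is summed, reduced modulo 62 and mapped into ALPHABET.
    This mirrors the scheme the linked Dahua PoC implements (assumed to be the
    same one Xiongmai uses, as the comment states).
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "".join(ALPHABET[(digest[i] + digest[i + 1]) % 62] for i in range(0, 16, 2))


def output_space_bits() -> float:
    """Effective size of the stored-hash space in bits: 8 symbols drawn from 62."""
    return 8 * math.log2(62)


def is_compressed_hash(value: str) -> bool:
    """Heuristic: does a stored credential string look like this weak 8-character format?

    Useful when auditing an exported account file for credentials kept in this scheme;
    a full MD5 hex digest (32 hex chars) or a bcrypt string will not match.
    """
    return len(value) == 8 and all(c in ALPHABET for c in value)


if __name__ == "__main__":
    # Constructed sample input: the well-known Dahua default password 'admin'.
    print(compressed_md5_hash("admin"))      # 6QNMIQGe
    print(round(output_space_bits(), 1))     # 47.6 (versus 128 for a raw MD5 digest)
    print(is_compressed_hash("OxhlwSG8"))    # True: the stored value quoted in the comment
```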
Midwest Surveillance
Oct 11, 2018

Bashis, thank you. You provide factual, thought-provoking information with no bias. It's a refreshing break from the tiresome sarcasm plaguing this topic.

Shay Fogel
Oct 12, 2018

Their base development team was a split from Dahua. 8 years ago their GUI looked exactly like Dahua’s.

bashis mcw
Oct 12, 2018

Thanks, that explains who copied who :)