Exploiting Flaws on Hikvision Cameras
The Internet of Things (IoT) keeps proliferating, and cybercriminals are turning their attention to the billions of devices connected to the Internet because their security is often weak, ignored, or non-existent.
Manufacturers may prioritize functionality and cost-efficiency over security, leading to vulnerabilities in these devices. This makes them an easy target for attackers to gain unauthorized access and control over the devices. Also, IoT devices often have firmware that is not regularly updated by manufacturers or users. This means that known vulnerabilities may go unpatched, leaving devices exposed to exploitation.
Securing IoT devices requires a thorough evaluation of the vendor, firmware, and patch management capabilities before making any investments. Understanding the reasons why security cameras can be hacked, and illustrating the impact requires a certain skill.
By sharing some of our techniques with our community, we aim to emphasize the importance of selecting providers with such expertise for your security assessments. Our intention is not to divulge secrets but to present facts that highlight the seriousness of these issues and the damage an attacker can do if they are ignored.
Black Hat Ethical Hacking's objective was to show the significance of going beyond vulnerability identification, where many stop, by providing concrete evidence of the real impact through exploitation, together with effective remediation strategies for the Blue Team (Defenders). Leveraging the skills gained from Bug Bounty Hunting programs, we can perform Penetration Testing at a more effective level, specifically for the PoC (Proof of Concept) exploitation part.
In this write-up, we dig into the security of Hikvision cameras by highlighting the findings and identified vulnerabilities from a comprehensive penetration test conducted by our Red Team, which we then exploited to demonstrate their true impact, going beyond simple detection and vulnerability identification.
These are some of the vulnerabilities we found during our assessment:
Vulnerability (1): Hikvision Security Camera, Source Code Disclosure and Takeover via CMD Injection
Weakness type:
CVE-2021-36260: Command Injection in the web server of some Hikvision products
Risk Description
We managed to chain 2 successful attacks on this Hikvision IP Camera and combined them into 1 Critical issue.
Command Injection Attack:
A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit it to launch a command injection attack by sending messages containing malicious commands.
We managed to inject a command directly into the camera's built-in firmware, allowing us to reactivate the admin account and completely take over the camera. We did not proceed with the takeover, but we reached the point where we could, and included screenshots taken just before that step as proof. In short, we performed the exploit to prove that the recently disclosed vulnerability is valid and that no false positives were found. All of this was done manually.
Source code disclosure:
After brute-forcing the directories of the IP Camera without any security mechanism blocking our attempts, we discovered the configuration files and scripts that contain all the controls of the camera, as we will show you.
We noticed the firmware is from 2017, while the CVE was published in 2021, which told us the firmware was outdated. Based on our research into this particular CVE, we therefore proceeded with attacking the camera.
Command injection is a critical issue: it allows executing commands as admin directly on the camera and controlling it.
Technical Analysis:
As you can see from here:
https://XXX/doc/page/login.asp?_1651847976739
This is the main camera Login Page, you can notice on the bottom the date says 2017:
We then used Burp Suite Pro and other tools to perform several recon scans, discovering content and brute-forcing directories, which ended up revealing the source code of several camera functionalities. Here are some of the links; the rest are all uploaded in your cloud folder under "camera attack".
Links:
Source Code Login Mechanisms, showing how and who can log in:
https://XXX/doc/i18n/en/Login.json?version=V4.0.1build170814
Source Code Wizard Mechanisms, showing all operations of the configuration of the IP Camera:
https://XXX/doc/i18n/en/Wizard.json?version=V4.0.1build170814
https://XXX/doc/i18n/en/Common.json?version=V4.0.1build170814
Here are all the other links and scripts we managed to extract:
Proof of Concept (POC)
To reproduce the source code disclosure, open a terminal in Linux and use the curl command below:
curl "https://XXX/doc/i18n/en/Login.json?version=V4.0.1build170814"
Then this:
curl "https://XXX/doc/i18n/en/Wizard.json?version=V4.0.1build170814"
And this:
curl "https://XXX/doc/i18n/en/Common.json?version=V4.0.1build170814"
{ "logout": "Logout", "help": "Help", "tip": "Note", "confirmLogout": "Logout?", "ok": "OK", "cancel": "Cancel", "downloadPlugin": "Please click here to download and install the plug-in. Close the browser when installing the plug-in.", "noPlugin": "No plug-in detected.", "updatePlugin": "New version of plug-in is detected. Update it?", "updateNotWin32": "New version of plug-in is detected, please contact your vendor to update.", "preview": "Live View", "playback": "Playback", "config": "Configuration", "ptz": "PTZ", "preset": "Preset", "path": "Path", "patrol": "Patrol", "track": "Pattern", "pattern": "Pattern", "previewFailed": "Live view failed.", "capture": "Capture", "fullScreen": "Full Screen", "mute": "Mute", "audioOn": "Audio On", "startTime": "Start Time", "endTime": "End Time", "search": "Search", "sTimeEarlierETime": "The start time should be earlier than the end time.", "sTimeLaterETime": "The start time cannot be later than or equal to end time.", "channelNo": "Channel No.", "motion": "Motion", "audioDetection": "Audio Exception Detection", "sceneChangeDetection": "Scene Change Detection", "auto": "Auto", "enable": "Enable", "disable": "Disable", "manual": "Manual", "username": "User Name", "password": "Password", "serialNumber": "No.", "total": "Total", "items": "Items", "picture": "Picture", "analogChannel": "Analog Camera", "digitalChannel": "IP Camera", "searching": "Searching..."}
Complete Takeover, Admin Reset Via Command Injection:
To do this, you must open Burp Suite, use Collaborator, and inject the generated payload in this section:
https://XXX/doc/page/login.asp?//[INSERTPAYLOAD]/xss.js
This should pop up the admin password reset:
Affected models for this CVE-2021-36260 can be found here.
Vulnerability (2): FTP and Telnet Vulnerable to Brute force attacks and Anonymous Login, on Hikvision Cameras
Weakness Type:
CWE-284: Improper Access Control
CWE-307: Improper Restriction of Excessive Authentication
Risk Description
We found 2 FTP ports open on the Hikvision cameras, neither filtered nor protected. After assessing the ports, we used several techniques to achieve anonymous login and communication over TCP port 21, and were also able to brute-force these ports successfully without any mechanism blocking us.
This means an attacker can directly issue commands over TCP using Netcat, determine the outdated version in use, and brute-force usernames and passwords. Should an attacker prolong the brute-force attack with the larger wordlists that are available, it would give them access to and control over not just the camera, but also the internal network the cameras are connected to.
The same goes for the Telnet service, which we found running on port 21 rather than its default port 23, and whose banner we managed to grab. Telnet is a dangerous port to leave open and there is usually no use for it; the way these cameras are configured, exposing ports that do not need to be open, is not good practice.
Technical Analysis
Before conducting the attack, our team first had to study the manual of how Hikvision operates, how it is configured, and which ports are needed and which are not.
We got this information from here:
As you can see, it first started with finding Port 83 open, and saw that Port 21 was also open, which is not recommended as per the manual:
Having noticed that Port 21 was open and not filtered, we investigated and started the attack, which we will demonstrate for both Telnet and FTP.
Proof of Concept (POC)
Tools Used:
At first, we show the Nmap commands used on both IPs, with specially crafted techniques to bypass any mechanisms, since the TCP ports were open and not filtered or blocked:
If you try this command without any bypassing techniques, it shows filtered:
Command:
nmap -p21 XXX
Output:
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
Too many fingerprints match this host to give specific OS details
So, to bypass this, we used:
Command:
nmap -Pn -sSV -O -A XXX
Output:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-01 00:20 EEST
Nmap scan report for XXX
Host is up (0.078s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp
83/tcp   open  mit-ml-dev
554/tcp  open  rtsp        Apple AirTunes rtspd
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
8000/tcp open  ipcam       Hikvision IPCam control port
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 11 hops
As you can see, we found ports 21, 83, and 8000 open. We also used service detection during this recon, which clearly shows us what device we are attacking, including the vendor:
8000/tcp open  ipcam       Hikvision IPCam control port
But our interest was Port 21, where it says FTP:
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp
Clearly shown here:
We then wanted to brute-force this service using Metasploit. However, after several attempts we understood that it was actually running Telnet, so we used the Telnet module before starting the brute-force attack.
Using Metasploit you can use this module:
auxiliary/scanner/telnet/telnet_version
You will have to change the default port from 23 → 21. You can see how we grabbed the banner, showing that port 21 is running Telnet instead of FTP:
Having confirmed we could communicate with it, we started brute-forcing using Metasploit and this module:
auxiliary/scanner/telnet/telnet_login
Combined with a wordlist from SecLists, we attacked for almost 1 minute, with all attempts going through, and then stopped. You can see from here that no mechanism was blocking them:
Then we wanted to attack the other IP Camera, this time via the FTP service. We first used Nmap, and after we saw the port was open, we attempted anonymous login and communicated directly with the device using Netcat, tftp and raw TCP packets, while brute-forcing the port with Metasploit at the same time. You will see 2 terminals: one showing the FTP Login Sweep attack, and the second showing how we connected to the port and started listing:
We then wanted to perform directory brute-forcing on Port 83, which we had seen and studied (see the reference below). The manual states that Port 83 is not used unless you really have to, and this allowed us to successfully run this specific attack type. It lists all directories, including hidden ones, but if this brute-force were left running for some time it would also knock the device down, due to the hundreds of attempts or thousands of packets an attacker can send. We let this run for 5 minutes:
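The exposure check a defender would run over this scan output, as an added example that is not part of the original write-up: it parses nmap's normal output (the constructed sample below reproduces the lines quoted above), confirms the Hikvision fingerprint, and flags open ports outside the set a camera deployment actually needs. The allowed set (web management, RTSP, the Hikvision control port) is an assumption drawn from the port discussion above; nmap's SERVICE column is a port-number guess, which is exactly how Telnet on port 21 shows up as "ftp".

```python
import re

# Constructed sample: the nmap normal-output lines quoted in the write-up.
NMAP_OUTPUT = """\
Nmap scan report for XXX
Host is up (0.078s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp
83/tcp   open  mit-ml-dev
554/tcp  open  rtsp        Apple AirTunes rtspd
8000/tcp open  ipcam       Hikvision IPCam control port
"""

# Assumption for this example: ports a camera deployment legitimately needs
# (HTTP/HTTPS management, RTSP streaming, Hikvision SDK control port).
ALLOWED_PORTS = {80, 443, 554, 8000}
# Ports the write-up says the vendor manual does not recommend leaving open.
FLAGGED = {
    21: "FTP/Telnet (anonymous login, brute-forceable)",
    23: "Telnet (no operational need)",
    83: "secondary HTTP port (directory brute-force surface)",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Return [(port, service, version)] for every 'open' line of nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(4), m.group(5).strip()))
    return ports


def is_hikvision(ports):
    """Vendor fingerprint comes from the VERSION column, not the SERVICE guess."""
    return any("hikvision" in version.lower() for _, _, version in ports)


def unexpected_exposure(ports, allowed=ALLOWED_PORTS):
    """Return {port: reason} for open ports outside the allowed set."""
    findings = {}
    for port, service, _ in ports:
        if port not in allowed:
            findings[port] = FLAGGED.get(port, f"unexpected service '{service}'")
    return findings


if __name__ == "__main__":
    found = parse_open_ports(NMAP_OUTPUT)
    print("Hikvision device:", is_hikvision(found))
    for port, reason in sorted(unexpected_exposure(found).items()):
        print(f"port {port}: {reason}")
```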
Vulnerability (3): Vulnerable JavaScript dependency within the Hikvision IP Camera's JS Files
Weakness type:
CWE-1104: Use of Unmaintained Third Party Components
Risk Description
The use of third-party JavaScript libraries can introduce a range of DOM-based vulnerabilities, including some that can be used to hijack user accounts, such as DOM-XSS.
Common JavaScript libraries typically enjoy the benefit of being heavily audited. This may mean that bugs are quickly identified and patched upstream, resulting in a steady stream of security updates that need to be applied. Although it may be tempting to ignore updates, using a library with missing security patches can make your website exceptionally easy to exploit. Therefore, it's important to ensure that any available security updates are applied promptly.
Some library vulnerabilities expose every application that imports the library, but others only affect applications that use certain library features. Accurately identifying which library vulnerabilities apply to your website can be difficult, so we recommend applying all available security updates regardless.
Technical Analysis:
We observed a vulnerable JavaScript library: AngularJS version 1.2.0 (angular-1.2.0.min.js), which has the following vulnerabilities:
CVE-2020-7676: XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.
CVE-2020-7676: angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into un-sanitized one.?
Prototype pollution:
The attribute usemap can be used as a security exploit:
https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
Universal CSP bypass via add-on in Firefox:
DOS in $sanitize:
XSS in $sanitize in Safari/Firefox:
Proof of Concept (POC)
Request:
GET /doc/script/lib/angularjs/angularjs/angular-1.2.0.min.js?version=V4.0.1build170814 HTTP/1.
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: */*
Referer: https://XXX/doc/page/login.asp?_1651847976739
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
Response:
HTTP/1.1 200 O
Date: Fri, 06 May 2022 17:50:35 GMT
Server: DNVRS-Webs
ETag: "0-938-16255"
Content-Length: 90709
Content-Type: application/javascript
Connection: close
Last-Modified: Fri, 18 Aug 2017 09:50:21 GMT
/*
AngularJS v1.2.0rc1
(c) 2010-2012 Google, Inc. https://angularjs.org
License: MIT
*/
(function(T,N,v){'use strict';function M(a){return function(){for(var b=arguments[0],c=1,b="["+(a?a+":":"")+b+
...[SNIP]..
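The inventory check that follows from this finding, as an added example that is not part of the original write-up: it extracts the AngularJS version from the header comment of the served script (the constructed sample below reproduces the response body quoted above), compares it against the 1.8.0 fix threshold from the CVE-2020-7676 description, and decodes the firmware build tag from the page's URLs (version=V4.0.1build170814) to confirm the 2017 build date noted earlier. Treating the "build" suffix as YYMMDD is an assumption made for this example.

```python
import re
from datetime import date

# Constructed sample: the first lines of the camera's angular.js response.
JS_BANNER = """/*
AngularJS v1.2.0rc1
(c) 2010-2012 Google, Inc. https://angularjs.org
License: MIT
*/
(function(T,N,v){'use strict';"""

# Firmware build tag taken from the query string of the camera's URLs.
FIRMWARE_TAG = "V4.0.1build170814"

# First AngularJS release containing the fix for CVE-2020-7676 (per the CVE text).
ANGULAR_FIXED = (1, 8, 0)


def parse_angular_version(js_text):
    """Return (major, minor, patch, suffix) from the 'AngularJS vX.Y.Z' header, or None."""
    m = re.search(r"AngularJS v(\d+)\.(\d+)\.(\d+)([A-Za-z0-9.-]*)", js_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def angular_is_vulnerable(js_text, fixed=ANGULAR_FIXED):
    """True when the served AngularJS predates the fix; None if no version header is found."""
    v = parse_angular_version(js_text)
    if v is None:
        return None
    # A pre-release suffix such as 'rc1' is still below the fixed release.
    return v[:3] < fixed


def parse_build_date(tag):
    """Assumption: 'V4.0.1build170814' carries a YYMMDD build date -> 2017-08-14."""
    m = re.search(r"build(\d{2})(\d{2})(\d{2})$", tag)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(2000 + yy, mm, dd)


def firmware_age_years(tag, today):
    """Whole years between the firmware build date and 'today'."""
    built = parse_build_date(tag)
    return None if built is None else (today - built).days // 365


if __name__ == "__main__":
    print("AngularJS:", parse_angular_version(JS_BANNER),
          "vulnerable:", angular_is_vulnerable(JS_BANNER))
    print("firmware built:", parse_build_date(FIRMWARE_TAG),
          "age (years) at scan time:", firmware_age_years(FIRMWARE_TAG, date(2022, 5, 6)))
```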
Conclusion:
It is crucial for users to understand how sensitive any IoT device is and the potential consequences of neglecting security measures.
In the real world, discovering a vulnerability is one thing, but being able to exploit it effectively to create a tangible impact is what sets skilled hackers apart.
Our examples demonstrate that a vulnerability poses no risk unless it can be exploited - and that we did.
By sharing these findings and promoting discussions within the Infosec community, we aim to empower the blue team and organizations to make informed decisions and choose reliable providers with the necessary skills to protect their infrastructure effectively.
At last, ensuring the security of your IoT devices goes beyond identifying vulnerabilities—it requires proactive measures and a comprehensive approach to safeguard your privacy and protect against potential Cyber threats.
Disclaimer:
The information provided by Black Hat Ethical Hacking and anyone associated with it is intended for educational purposes only. The techniques discussed are meant to be used responsibly, with proper consent and authorized access. The findings do not disclose any client information or sensitive information; it's all well edited to keep only the necessary. BHEH and its members do not accept any responsibility for the misuse or illegal use of these techniques. It is essential to abide by applicable laws, regulations, and ethical guidelines when conducting any security assessments or penetration testing activities. Always seek proper authorization and obtain consent before performing any actions that may impact the security or privacy of systems and networks.
Ukrainian White Hacker \ Security Researcher / Pentester
2 months ago: Which payload did you use for Vuln 1? Burp Collaborator domain?
--
7 months ago: Hi, thanks for the informative post! I noticed that CVE-2021-36260 applies to the /SDK/webLanguage URI and leads to RCE, whereas the article mentions a different URI and admin password reset. Could you please elaborate on the specific URI affected by this vulnerability?
President, Aartech Canada - Value added distributor of smart home, security, electrical, AV products.
1 year ago: Have you found similar results in more current firmware?
5 years IT Security. Business Strategy.
1 year ago: Hey, that Proof of Concept is all good, but the question remains why there was a deliberate backdoor built into the Hikvision cameras. I posted about these cameras a few weeks back. They're kinda sketch, even without regard to the actual vulnerability. Recommend a moderately deep Google search on Hikvision cameras, how they're banned in the EU, and their usage in China.