Analysis of the Hikvision remote-system XXE vulnerability found by a foreign researcher - vulnerability warning - the black bar safety net

2016-10-17T00:00:00
ID MYHACK58:62201680256
Type myhack58
Reporter Anonymous
Modified 2016-10-17T00:00:00

Description

IoT development and security threats always go hand in hand. Two months ago I wanted to study network cameras, so I bought a relatively cheap one on Amazon: an Elisa Live 720p HD IP Camera, produced by Hikvision as an OEM product. While trying to recover the password information from the Elisa camera, I stumbled upon an XML external entity injection (XXE) vulnerability in Hikvision's remote system.

XXE, or XML External Entity Injection, is a security issue triggered when an XML processor handles entity data from an untrusted external source. In the XML 1.0 standard, the document structure is built around the concept of the entity: entities can be predefined and then referenced from within the document, and an entity identifier may point at local or remote content. If a "malicious" source is introduced in this process, processing the XML document can lead to information disclosure and other security problems.

1. Initial investigation

Generally speaking, most network cameras upload their data to the vendor's own system; that is, the camera can only be accessed through a web page or app via the vendor's cloud service platform. I connected the camera to the lab environment through its Ethernet interface and monitored its network traffic. Because some devices ship with old or insecure firmware, it is strongly recommended not to rush to connect a device to the Internet when experimenting with IoT devices. In the traffic captured with Wireshark, I found a couple of interesting packets:

(1) Two unencrypted request calls (screenshot);
(2) A POST request to www.hik-online.com whose body is base64-encoded, which I analyzed later;
(3) A GET request downloading an update from Amazon S3 storage (screenshot).
2. Trying to break into the network camera

Scanning the camera with Nmap revealed several open ports and services, including a login page. Trying some of the default username and password combinations commonly used by Hikvision did not get me logged in. I later found that the controller's password authentication is protected by the HTTP Digest authentication mechanism, which is a characteristic of this particular firmware. Analyzing the firmware with binwalk and hiktools, I did not find any authentication information, but I did extract some interesting things, such as the /etc/passwd file, in which the root password is hiklinux:

root:ToCOv8qxP13qs:0:0:root:/root/:/bin/sh

(screenshot)

After the firmware was upgraded, the camera's SSH port was closed, so I could not use this avenue and had to try another way.

3. Finding the XXE vulnerability

Back to the request to www.hik-online.com: it is a POST with a Base64-encoded body, which decodes to a bunch of gibberish. The password the camera uses to authenticate to the server may well be in the firmware and would just take time to find. However, on the Hikvision website I happened to find this: "If you find any vulnerability, please contact HSRC@hikvision.com and do not disclose the vulnerability details." Since this is a vulnerability reward program, let's study this POST request.

Because the POST body is XML, I first tried the SYSTEM entity method to make the remote site reference a local entity file, such as:

]> c>&b;c>

This did not work, so I used a VPS to supply the referenced entity remotely, and it succeeded!

]> c>&b;c>

(screenshots) Figure: the external entity is loaded successfully!

This is interesting: since the SYSTEM entity mechanism can load a reference to an external entity, a malicious DTD file can be used to make the server return other files from the site, such as /etc/hosts. All of these steps can be carried out with XXEinjector, an easy-to-use automation tool (screenshot).
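The service-side fix for what the article describes is to refuse DTDs before the XML parser ever sees them. The following is an added example written for this page (not code from the article, from Hikvision, or from XXEinjector): it models an endpoint like the one above that receives a base64-encoded XML body, decodes it, and rejects any document containing a DOCTYPE or ENTITY declaration instead of letting the parser resolve SYSTEM entities. The function names and the two sample request bodies are constructed for the example and are not captured traffic.

```python
"""Defensive pre-parse check for XXE in base64-encoded XML request bodies.

Added example, not the article's code: the camera posts a base64-encoded XML
body to its cloud endpoint, so the check decodes the transport encoding first
and then refuses any document that declares a DTD. Names and samples here are
constructed for illustration.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# XML keywords are case-sensitive, so matching case-insensitively can only
# over-refuse, never let a real declaration through. Inline ENTITY declarations,
# SYSTEM/PUBLIC identifiers and parameter entities all live inside the DOCTYPE,
# so rejecting the whole DTD is simpler and safer than enumerating bad forms.
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a request body carries a DTD or cannot be decoded."""


def decode_body(b64_body: bytes) -> bytes:
    """Strip the base64 transport encoding; malformed base64 is rejected."""
    try:
        return base64.b64decode(b64_body, validate=True)
    except binascii.Error as exc:
        raise UnsafeXML(f"body is not valid base64: {exc}") from exc


def classify_xml(xml_bytes: bytes) -> str:
    """Return 'entity', 'doctype' or 'clean' for a raw XML document."""
    if _ENTITY_RE.search(xml_bytes):
        return "entity"      # an entity declaration is present
    if _DOCTYPE_RE.search(xml_bytes):
        return "doctype"     # a DTD with no entity declaration (still refused)
    return "clean"


def safe_parse(b64_body: bytes) -> ET.Element:
    """Decode and parse a request body, refusing any document with a DTD."""
    raw = decode_body(b64_body)
    verdict = classify_xml(raw)
    if verdict != "clean":
        raise UnsafeXML(f"DTD content ({verdict}) is not accepted")
    return ET.fromstring(raw)


def triage(bodies):
    """Classify a batch of base64 bodies, e.g. pulled from an access log."""
    return [classify_xml(decode_body(b)) for b in bodies]


# Constructed sample bodies (not captured traffic): a benign device heartbeat,
# and a body declaring an external entity that points at a local file path.
BENIGN = base64.b64encode(
    b'<?xml version="1.0"?><Heartbeat><DeviceId>cam-01</DeviceId></Heartbeat>'
)
MALICIOUS = base64.b64encode(
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE c [<!ENTITY b SYSTEM "file:///etc/hosts">]>'
    b'<c>&b;</c>'
)

if __name__ == "__main__":
    print(triage([BENIGN, MALICIOUS]))          # ['clean', 'entity']
    print(safe_parse(BENIGN).find("DeviceId").text)  # cam-01
    try:
        safe_parse(MALICIOUS)
    except UnsafeXML as err:
        print("refused:", err)
```

The byte-level check is deliberately conservative: a DOCTYPE string inside a comment or CDATA section is also refused, which is acceptable for a device API whose legitimate messages never carry a DTD. In a real deployment the same policy is usually applied at the parser as well (for example by parsing with the defusedxml package, or by configuring the XML library to disable DTD processing and external entity resolution), so that the pre-check and the parser enforce the rule independently.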
OK, so I can remotely read arbitrary files on the site, including /etc/shadow, and of course obtain root privileges on this server. Moreover, Hikvision's other API servers distributed around the world also have this XXE vulnerability; if permissions on these remote servers were obtained, the large number of network cameras that Shodan can find would also be at risk.

Vulnerability report submission timeline:

August 6, 2016: sent the first email to the Hikvision Security Response Center (HSRC).
August 16, 2016: no response from HSRC, so I sent another email.
September 6, 2016: emailed Hikvision's marketing and PR departments instead.
September 7, 2016: HSRC confirmed receipt and asked for more information.
September 8, 2016: Hikvision fixed the bug and asked me to retest.
September 25, 2016: as a reward, received a Hikvision network camera worth $69.