A number Hikvision digital video recorders contain vulnerabilities that an attacker could remotely exploit in order to gain full control of those devices.
According to a report written by the security firm Rapid7, Hikvision’s DVRs contain three fairly typical buffer overflows in the request handling code of their real-time streaming protocol. The company posted a Metasploit module demonstrating how to execute code remotely by exploiting one of the bugs last week.
Hikvision’s DVRs aren’t the kind you plug into your cable box to record television shows. They are designed to store recorded surveillance and security footage at office buildings and elsewhere. Rapid7 performed network scans to enumerate the number of vulnerable Hikvision devices, saying there are roughly 150,000 remotely accessible DVRs in the IPv4 address space. Rapid7 security researcher Mark Schloesser speculates that the popularity of these Hikvision devices could have to do with the company’s iPhone application, which allows customers to stream surveillance footage remotely.
The specific vulnerabilities are CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880 and they allow for the remote execution of arbitrary code without authentication by exploiting a buffer overflow in the RTSP request body, header and basic authentication handling. On an unrelated but relevant note, Schloesser points out that the devices also ship with a default username (admin) and a default password (‘12345’).
For the first bug (CVE-2014-4878), Schloesser explains, the RTSP request handler uses a fixed size buffer of 2048 bytes for consuming the HTTP request body, leading to a buffer overflow condition if you send a larger body. It can be exploited for code execution, but Rapid7’s proof-of-concept presents a denial-of-service attack.
For the second bug (CVE-2014-4879), the RTSP request handler uses fixed size buffers when parsing the HTTP headers, again leading to a buffer overflow condition if the user sends a large header key. In the write-up, Schloesser once more presents a denial-of-service proof while noting the bug could be exploited to run arbitrary code.
The final bug (CVE-2014-4880), for which Rapid7 developed their Metasploit module, a user could send a special crafted RTSP request triggering a buffer overflow when handling the “Basic Auth” header of a RTSP transaction.
“Due to this condition the request takes control of the remote instruction pointer and diverts execution to a series of ROP gadgets that pivot the stack to an area within the request packet itself in order to continue execution there,” Schloesser explains.
No authentication is required to exploit this vulnerability, Schloesser says, and the Metasploit module successfully demonstrates gaining full control of the remote device.
Rapid7 discovered and exploited these bugs on a Hikvision-DS-7204-HVI-SV digital video recorder device with firmware V2.2.10 build 131009. Other similar models are affected too, though Rapid7 has not performed exhaustive tests to make a full list of affected devices and versions. Schloesser discovered these bug and reported them to Hikvision on Sept. 15. He then disclosed them to the public Nov. 19.
Threatpost reached out to Hikvision for confirmation but they did not respond to a request for comment by the time of publication.
This isn’t Hikvision’s first security incident. As Johannes Ullrich of the SANS Institute Infosec Handlers Diary Blog notes and Threatpost has reported on in the past, researchers have witnessed Hikvision DVRs being exploited by “The Moon” worm, bitcoin miners, and code scanning for Synology disk stations. At that time, as Schloesser alludes to, the main exploit vector was the default root password of “12345” which never got changed.
“At this point, device manufacturers just don’t get it,” Ullrich writes. “The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating systems and server vulnerabilities. Note that many devices are sold under various brand names and Hikvision may not be the only vulnerable brand.”