The IoT search engine ZoomEye cached authentication passwords for tens of thousands of Dahua DVRs. The discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security.
Anubhav explained that the passwords belong to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013-6117.
Even though the vulnerability has been patched, many Dahua devices are still running old firmware.
CVE-2013-6117 was discovered by security expert Jake Reynolds and affects Dahua DVR 2.608.0000.0 and 2.608.GV00.0. The flaw could be exploited by remote attackers to bypass authentication and obtain sensitive information, including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.
An attacker only needs to open a TCP connection to a vulnerable Dahua DVR on port 37777 to send the exploit and execute it successfully.
Once the Dahua device receives this code, it responds with the DDNS credentials used to access the device, along with other data, all in plain text without any kind of formatting.
Just to make things clear: to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the DDNS creds
“\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00” https://t.co/Z6I4uVp9sK
— Ankit Anubhav (@ankit_anubhav) July 13, 2018
Wow and how did I miss this.
13900+ of these devices have their password as “123456”
Check here https://t.co/1fSJX4KcWG #iot #security #fail
This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://t.co/OAzmy7GnY8
— Ankit Anubhav (@ankit_anubhav) July 13, 2018
Anubhav explained that ZoomEye scans port 37777 and caches the output in plain text, which means that anyone with a ZoomEye account can scrape the results to obtain the credentials of tens of thousands of devices.
Anubhav reported the issue to ZoomEye and asked it to remove the passwords from its cached results, but the expert is still waiting for a reply.
The expert explained that he discovered the issue after reading a post published by the author of the BrickerBot IoT malware, which exploited the flaw to hijack and brick Dahua DVRs in the past.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.