It is reported that a backdoor that can take administrative authority to a network camera made in China



With the spread of IoT, which connects various things to the Internet, a large number of inexpensive smart speakers and network cameras manufactured by Chinese companies have come to market. However, in the past, vulnerabilities and backdoors were reported for devices made in China, and trust in security has been an issue. The existence of a backdoor that can be captured has been reported by YourChief .

Full disclosure: 0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras / Habr

0day vulnerability in firmware for HiSilicon-based DVRs, NVRs and IP cameras | Hacker News

GitHub-Snawoot / hisilicon-dvr-telnet: PoC materials for article

The backdoor reported this time sends a specific signal to a device such as a camera connected to the network, which can take control of the device and remotely control it via Telnet . Some devices with firmware from Xiongmai , a Chinese company, are targeted.

Hangzhou Xiongmai Technology Co., LTD.

In 2016, Xiongmai devices were reported to have been infected with malware because the user name and password remained the default in 2016.

Large-scale DDoS attack, security camera on springboard, Chinese manufacturer recalls-ITmedia Enterprise

Specific verification methods to enable backdoors have also been reported. Devices with backdoors originally have some

TCP ports open. Connect to that port and send the string 'OpenTelnet: OpenOnce'.

The device that received the character string returns a character string of “randNum: XXXXXXXX” containing a random 8 digit number, so after sending “randNum: XXXXXXXX” to the device, the number and backdoor Send the character string 'XXXXXXXX2wj9fsa2' that combines the default password '2wj9fsa2' of the device with the device.

If the authentication is successful, the device will respond with 'verify: OK'. Next, send the 'Telnet: OpenOnce' string to the device again, and the Telnet service starts on the device. After that, if you connect using Telnet as usual using the user name 'root' and password, you will be able to operate the device with administrator authority. The password of the root user has been found by analyzing the file extracted from the firmware using hashcat , and has been released along with the verification method.

There is also a program that can actually poke the back door.

GitHub-Snawoot / hisilicon-dvr-telnet: PoC materials for article

When the code is executed on the device, it operates as follows and gains administrator privileges.

[code] $ telnet
Trying ...
telnet: Unable to connect to remote host: Connection refused
$ ./hs-dvr-telnet 2wj9fsa2
Sent OpenTelnet: OpenOnce command.
randNum: 46930886
challenge = 469308862wj9fsa2
verify: OK
Open: OK
$ telnet
Trying ...
Connected to
Escape character is '^]'.
LocalHost login: root
Password: [/ code]

'If you are using a device with this backdoor, consider replacing it immediately. If replacement is difficult, isolate your device from the network.'

in Software,   Security, Posted by darkhorse_log