This vulnerability (with proof-of-concept (PoC) code) affects DVR/NVR devices built on the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b26470c9312755508127555081275550812755508
Found HiSiliconDVR firmware: Hardware: General NBD7904T-PL-XPOE
Vulnerable to multiple issues: LFI, possibly RCE
Open service 31.184.251.19:80 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 31.184.251.19:8443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a00:ab00:603:45::19:80 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a03:21c0:0:227::96:80 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 185.162.93.96:8443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a00:ab00:603:45::19:8443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 31.184.251.19:443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 185.162.93.96:443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 185.162.93.96:80 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a03:21c0:0:227::96:8443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a03:21c0:0:227::96:443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47
Open service 2a00:ab00:603:45::19:443 · 13fded08810bb18b91f6d03b.keenetic.io
2024-04-25 03:47