This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99b74b6d9e701d3b64c01d3b64c01d3b64c01d3b64c
Found HiSiliconDVR firmware: Hardware: General AHB7004T-MHV2 Vulnerable to multiple issues : LFI, possibly RCE
Open service 1.52.215.125:80
2024-08-17 21:58
HTTP/1.1 200 OK CONNECTION: close Date: Sun, 18 Aug 2024 05:23:14 GMT Last-Modified: Tue, 28 May 2019 13:55:33 GMT Etag: "1559051733:beb" CONTENT-LENGTH: 3051 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1;mode=block Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' X-Content-Type-Options: nosniff CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE HTML> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="UTF-8"> <title>WEB SERVICE</title> <link href="./baseProj/images/favicon.ico" type="image/x-icon" rel="shortcut icon"> <script src="ext/ext-all.js"></script> <script type="text/javascript" src="./projectPath.js"></script> <script type="text/javascript" src="/app/libs/require.js"></script> <script type="text/javascript" src="/app/jsCore/require-config.js"></script> <script type="text/javascript">Ext.onReady(function () { //启用缓存 Ext.Loader.setConfig({ "disableCaching": true, "paths":{ "basePath": BASEURL, //配置基础项目的文件路径 "projectPath": PROJECT_URL //配置定制项目的文件路径 } }); //定义项目的加载路径 var basePath = Ext.Loader.getPath('basePath'), projectPath = Ext.Loader.getPath('projectPath'); //设置类的地址路径 Ext.Loader.setPath({ "jsCore": "app/jsCore", 'component': "baseProj/js/component", 'js': 'baseProj/js', 'plugin': 'app/plugin', 'widget': 'baseProj/js/widget', 'baseCls':'app/baseCls', 'app': 'baseCls', //各个项目统一一个app 'customJs': projectPath+'js', // 非基线项目引用的js路径 'desktop':PROJ_MODULE.indexOf('desktop') != -1? projectPath+'js/desktop':basePath+'/js/desktop', //加载指定项目的Desktop.js 'data': PROJ_MODULE.indexOf('data') != -1 ? projectPath + 'data': basePath + '/data' //加载指定项目的数据文件 }); //桌面内容不可选择 Ext.getBody().unselectable(); require(['pubsub', 'core', 'extend', 'libs/qrcode', 'libs/jsonpath', 'libs/json2', 'libs/base64', 'libs/md5', 'libs/aes', 'libs/rsa', 'timeaxes/TimeAxes', 'timeaxes/TimeAxesAdaptor', 'timeaxes/TimeGridLayer', 'h5Player' ], function () { //载入必要的模块,字符串文件加载完成后,初始化和加载应用 Ext.require(['jsCore.Common'], function () { jsCore.Common.getJsonLanguage().done(function () { //自验问题修改:设备初始化界面,密码输入框输入时,报js错误,修改为先设置规则 jsCore.Common.setFieldVtype(); Ext.require(['baseCls.App']); //***密码输入框输入时,报js错误 END***// }); }); }); });</script> </head> <body></body> <script type="text/javascript" src="./pluginVersion.js"></script> <script type="text/javascript" src="./webVersion.js"></script> <script type="text/javascript" src="./cap.js"></script> </html>
Open service 1.52.215.125:80
2024-08-15 22:27
HTTP/1.1 200 OK CONNECTION: close Date: Fri, 16 Aug 2024 05:52:51 GMT Last-Modified: Tue, 28 May 2019 13:55:33 GMT Etag: "1559051733:beb" CONTENT-LENGTH: 3051 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1;mode=block Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' X-Content-Type-Options: nosniff CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE HTML> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="UTF-8"> <title>WEB SERVICE</title> <link href="./baseProj/images/favicon.ico" type="image/x-icon" rel="shortcut icon"> <script src="ext/ext-all.js"></script> <script type="text/javascript" src="./projectPath.js"></script> <script type="text/javascript" src="/app/libs/require.js"></script> <script type="text/javascript" src="/app/jsCore/require-config.js"></script> <script type="text/javascript">Ext.onReady(function () { //启用缓存 Ext.Loader.setConfig({ "disableCaching": true, "paths":{ "basePath": BASEURL, //配置基础项目的文件路径 "projectPath": PROJECT_URL //配置定制项目的文件路径 } }); //定义项目的加载路径 var basePath = Ext.Loader.getPath('basePath'), projectPath = Ext.Loader.getPath('projectPath'); //设置类的地址路径 Ext.Loader.setPath({ "jsCore": "app/jsCore", 'component': "baseProj/js/component", 'js': 'baseProj/js', 'plugin': 'app/plugin', 'widget': 'baseProj/js/widget', 'baseCls':'app/baseCls', 'app': 'baseCls', //各个项目统一一个app 'customJs': projectPath+'js', // 非基线项目引用的js路径 'desktop':PROJ_MODULE.indexOf('desktop') != -1? projectPath+'js/desktop':basePath+'/js/desktop', //加载指定项目的Desktop.js 'data': PROJ_MODULE.indexOf('data') != -1 ? projectPath + 'data': basePath + '/data' //加载指定项目的数据文件 }); //桌面内容不可选择 Ext.getBody().unselectable(); require(['pubsub', 'core', 'extend', 'libs/qrcode', 'libs/jsonpath', 'libs/json2', 'libs/base64', 'libs/md5', 'libs/aes', 'libs/rsa', 'timeaxes/TimeAxes', 'timeaxes/TimeAxesAdaptor', 'timeaxes/TimeGridLayer', 'h5Player' ], function () { //载入必要的模块,字符串文件加载完成后,初始化和加载应用 Ext.require(['jsCore.Common'], function () { jsCore.Common.getJsonLanguage().done(function () { //自验问题修改:设备初始化界面,密码输入框输入时,报js错误,修改为先设置规则 jsCore.Common.setFieldVtype(); Ext.require(['baseCls.App']); //***密码输入框输入时,报js错误 END***// }); }); }); });</script> </head> <body></body> <script type="text/javascript" src="./pluginVersion.js"></script> <script type="text/javascript" src="./webVersion.js"></script> <script type="text/javascript" src="./cap.js"></script> </html>
Open service 1.52.215.125:80
2024-08-13 22:20
HTTP/1.1 200 OK CONNECTION: close Date: Wed, 14 Aug 2024 05:45:33 GMT Last-Modified: Tue, 28 May 2019 13:55:33 GMT Etag: "1559051733:beb" CONTENT-LENGTH: 3051 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1;mode=block Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' X-Content-Type-Options: nosniff CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE HTML> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="UTF-8"> <title>WEB SERVICE</title> <link href="./baseProj/images/favicon.ico" type="image/x-icon" rel="shortcut icon"> <script src="ext/ext-all.js"></script> <script type="text/javascript" src="./projectPath.js"></script> <script type="text/javascript" src="/app/libs/require.js"></script> <script type="text/javascript" src="/app/jsCore/require-config.js"></script> <script type="text/javascript">Ext.onReady(function () { //启用缓存 Ext.Loader.setConfig({ "disableCaching": true, "paths":{ "basePath": BASEURL, //配置基础项目的文件路径 "projectPath": PROJECT_URL //配置定制项目的文件路径 } }); //定义项目的加载路径 var basePath = Ext.Loader.getPath('basePath'), projectPath = Ext.Loader.getPath('projectPath'); //设置类的地址路径 Ext.Loader.setPath({ "jsCore": "app/jsCore", 'component': "baseProj/js/component", 'js': 'baseProj/js', 'plugin': 'app/plugin', 'widget': 'baseProj/js/widget', 'baseCls':'app/baseCls', 'app': 'baseCls', //各个项目统一一个app 'customJs': projectPath+'js', // 非基线项目引用的js路径 'desktop':PROJ_MODULE.indexOf('desktop') != -1? projectPath+'js/desktop':basePath+'/js/desktop', //加载指定项目的Desktop.js 'data': PROJ_MODULE.indexOf('data') != -1 ? projectPath + 'data': basePath + '/data' //加载指定项目的数据文件 }); //桌面内容不可选择 Ext.getBody().unselectable(); require(['pubsub', 'core', 'extend', 'libs/qrcode', 'libs/jsonpath', 'libs/json2', 'libs/base64', 'libs/md5', 'libs/aes', 'libs/rsa', 'timeaxes/TimeAxes', 'timeaxes/TimeAxesAdaptor', 'timeaxes/TimeGridLayer', 'h5Player' ], function () { //载入必要的模块,字符串文件加载完成后,初始化和加载应用 Ext.require(['jsCore.Common'], function () { jsCore.Common.getJsonLanguage().done(function () { //自验问题修改:设备初始化界面,密码输入框输入时,报js错误,修改为先设置规则 jsCore.Common.setFieldVtype(); Ext.require(['baseCls.App']); //***密码输入框输入时,报js错误 END***// }); }); }); });</script> </head> <body></body> <script type="text/javascript" src="./pluginVersion.js"></script> <script type="text/javascript" src="./webVersion.js"></script> <script type="text/javascript" src="./cap.js"></script> </html>
Open service 1.52.215.125:80
2024-08-11 21:53
HTTP/1.1 200 OK CONNECTION: close Date: Mon, 12 Aug 2024 05:18:46 GMT Last-Modified: Tue, 28 May 2019 13:55:33 GMT Etag: "1559051733:beb" CONTENT-LENGTH: 3051 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1;mode=block Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' X-Content-Type-Options: nosniff CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE HTML> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="UTF-8"> <title>WEB SERVICE</title> <link href="./baseProj/images/favicon.ico" type="image/x-icon" rel="shortcut icon"> <script src="ext/ext-all.js"></script> <script type="text/javascript" src="./projectPath.js"></script> <script type="text/javascript" src="/app/libs/require.js"></script> <script type="text/javascript" src="/app/jsCore/require-config.js"></script> <script type="text/javascript">Ext.onReady(function () { //启用缓存 Ext.Loader.setConfig({ "disableCaching": true, "paths":{ "basePath": BASEURL, //配置基础项目的文件路径 "projectPath": PROJECT_URL //配置定制项目的文件路径 } }); //定义项目的加载路径 var basePath = Ext.Loader.getPath('basePath'), projectPath = Ext.Loader.getPath('projectPath'); //设置类的地址路径 Ext.Loader.setPath({ "jsCore": "app/jsCore", 'component': "baseProj/js/component", 'js': 'baseProj/js', 'plugin': 'app/plugin', 'widget': 'baseProj/js/widget', 'baseCls':'app/baseCls', 'app': 'baseCls', //各个项目统一一个app 'customJs': projectPath+'js', // 非基线项目引用的js路径 'desktop':PROJ_MODULE.indexOf('desktop') != -1? projectPath+'js/desktop':basePath+'/js/desktop', //加载指定项目的Desktop.js 'data': PROJ_MODULE.indexOf('data') != -1 ? projectPath + 'data': basePath + '/data' //加载指定项目的数据文件 }); //桌面内容不可选择 Ext.getBody().unselectable(); require(['pubsub', 'core', 'extend', 'libs/qrcode', 'libs/jsonpath', 'libs/json2', 'libs/base64', 'libs/md5', 'libs/aes', 'libs/rsa', 'timeaxes/TimeAxes', 'timeaxes/TimeAxesAdaptor', 'timeaxes/TimeGridLayer', 'h5Player' ], function () { //载入必要的模块,字符串文件加载完成后,初始化和加载应用 Ext.require(['jsCore.Common'], function () { jsCore.Common.getJsonLanguage().done(function () { //自验问题修改:设备初始化界面,密码输入框输入时,报js错误,修改为先设置规则 jsCore.Common.setFieldVtype(); Ext.require(['baseCls.App']); //***密码输入框输入时,报js错误 END***// }); }); }); });</script> </head> <body></body> <script type="text/javascript" src="./pluginVersion.js"></script> <script type="text/javascript" src="./webVersion.js"></script> <script type="text/javascript" src="./cap.js"></script> </html>
Open service 1.52.215.125:80
2024-08-09 22:39
HTTP/1.1 200 OK CONNECTION: close Date: Sat, 10 Aug 2024 06:04:10 GMT Last-Modified: Tue, 28 May 2019 13:55:33 GMT Etag: "1559051733:beb" CONTENT-LENGTH: 3051 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1;mode=block Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' X-Content-Type-Options: nosniff CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE HTML> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="UTF-8"> <title>WEB SERVICE</title> <link href="./baseProj/images/favicon.ico" type="image/x-icon" rel="shortcut icon"> <script src="ext/ext-all.js"></script> <script type="text/javascript" src="./projectPath.js"></script> <script type="text/javascript" src="/app/libs/require.js"></script> <script type="text/javascript" src="/app/jsCore/require-config.js"></script> <script type="text/javascript">Ext.onReady(function () { //启用缓存 Ext.Loader.setConfig({ "disableCaching": true, "paths":{ "basePath": BASEURL, //配置基础项目的文件路径 "projectPath": PROJECT_URL //配置定制项目的文件路径 } }); //定义项目的加载路径 var basePath = Ext.Loader.getPath('basePath'), projectPath = Ext.Loader.getPath('projectPath'); //设置类的地址路径 Ext.Loader.setPath({ "jsCore": "app/jsCore", 'component': "baseProj/js/component", 'js': 'baseProj/js', 'plugin': 'app/plugin', 'widget': 'baseProj/js/widget', 'baseCls':'app/baseCls', 'app': 'baseCls', //各个项目统一一个app 'customJs': projectPath+'js', // 非基线项目引用的js路径 'desktop':PROJ_MODULE.indexOf('desktop') != -1? projectPath+'js/desktop':basePath+'/js/desktop', //加载指定项目的Desktop.js 'data': PROJ_MODULE.indexOf('data') != -1 ? projectPath + 'data': basePath + '/data' //加载指定项目的数据文件 }); //桌面内容不可选择 Ext.getBody().unselectable(); require(['pubsub', 'core', 'extend', 'libs/qrcode', 'libs/jsonpath', 'libs/json2', 'libs/base64', 'libs/md5', 'libs/aes', 'libs/rsa', 'timeaxes/TimeAxes', 'timeaxes/TimeAxesAdaptor', 'timeaxes/TimeGridLayer', 'h5Player' ], function () { //载入必要的模块,字符串文件加载完成后,初始化和加载应用 Ext.require(['jsCore.Common'], function () { jsCore.Common.getJsonLanguage().done(function () { //自验问题修改:设备初始化界面,密码输入框输入时,报js错误,修改为先设置规则 jsCore.Common.setFieldVtype(); Ext.require(['baseCls.App']); //***密码输入框输入时,报js错误 END***// }); }); }); });</script> </head> <body></body> <script type="text/javascript" src="./pluginVersion.js"></script> <script type="text/javascript" src="./webVersion.js"></script> <script type="text/javascript" src="./cap.js"></script> </html>