This vulnerability (with proof-of-concept (PoC) code available) affects DVR/NVR devices built on the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b2614d7eadcfbe2dbdcfbe2dbdcfbe2dbdcfbe2db
Found HiSiliconDVR firmware. Hardware: General NBD6804T-F. Reported as vulnerable to multiple issues: LFI, possibly RCE. Note: this match is based on the HTTP response fingerprint below, not on a confirmed exploit attempt; verify the firmware version and exposure before treating it as a confirmed finding.
Open service 1.55.172.212:80
2024-06-03 19:56
HTTP/1.1 200 OK CONNECTION: close Date: Tue, 04 Jun 2024 02:56:08 GMT Last-Modified: Fri, 21 Jun 2019 05:53:24 GMT Etag: "1561096404:55f6" CONTENT-LENGTH: 22006 P3P: CP=CAO PSA OUR X-Frame-Options: SAMEORIGIN CONTENT-TYPE: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=6;IE=7; IE=8; IE=EmulateIE7"> <script type="text/javascript" src="jsCore/echarts.js"></script> <script type="text/javascript" src="jsBase/lib/jquery.js"></script> <script type="text/javascript" src="debug/testPage.js"></script> <script type="text/javascript" src="jsBase/lib/jquery.pubsub.js"></script> <script type="text/javascript" src="jsBase/widget/js/jquery.ui.core.js"></script> <script type="text/javascript" src="jsBase/widget/js/jquery.ui.widget.js"></script> <script type="text/javascript" src="jsBase/widget/js/dui.colorpicker.js"></script> <script type="text/javascript">var $j = jQuery.noConflict();</script> <script type="text/javascript" src="jsBase/lib/base64.js"></script> <script type="text/javascript" src="jsBase/lib/md5.js"></script> <script type="text/javascript" src="jsBase/lib/m1.2.js"></script> <script type="text/javascript" src="jsBase/lib/more.js"></script> <script type="text/javascript" src="jsBase/common/extend.js"></script> <script type="text/javascript" src="jsCore/rpcCore.js"></script> <script type="text/javascript" src="jsBase/lib/sea.js"></script> <script type="text/javascript" src="jsBase/lib/seajs-text.js"></script> <script type="text/javascript" src="jsCore/common.js"></script> <script type="text/javascript" src="js/publicFunc.js"></script> <script type="text/javascript" src="js/system.js"></script> <script type="text/javascript" src="js/loginEx.js"></script> <script type="text/javascript" src="/pluginVersion.js"></script> <script type="text/javascript" 
src="js/eventScript.js"></script> <script type="text/javascript" src="Component/dui.pwdlevel.js"></script> <script type="text/javascript" src="jsBase/widget/js/dui.guide.js"></script> <script type="text/javascript" src="jsBase/widget/js/dui.textfield.js"></script> <script type="text/javascript">var g_NaclWin = null; var g_useApp = window.location.href.indexOf('fromWebChromeNACL') > 0; var g_deviceFind = ''; // which way is device support to find password ? var g_isDeviceInited = true; // whether device has been initialized ? try { window.addEventListener('message', function (e) { console.log('webview: ' + e.data) // console.log(e.origin) // console.log(e.source) if (e.data == 'domready') { g_NaclWin = e.source; window.alert = webViewAlert; var frames = window.frames; for(var i = 0;i < frames.length;i++){ frames[i].alert = webViewAlert; } console.log('send back') e.source.postMessage('domready', '*'); if(g_ocx) g_ocx.SetTranslateString(jsonLang); return; } // console.log(e.data.method) if (typeof window[e.data.method] == 'function') { window[e.data.method].apply(this, e.data.params); } else { g_ocx.messageFromOcx(e.data); } }, false); } catch (e) { } var g_ocx = 0; var webcapDefer = jQuery.Deferred(); seajs.config({ base: './jsBase', paths: { 'jsCore': '../jsCore', 'html':'../html', 'js':'../js' } }); seajs.use('/jsCore/app', function (App) { window.webApp = new App(); if(g_NaclWin) g_ocx.SetTranslateString(jsonLang); webApp.getWebCapAll().done(function(){ /*seajs.use('/Component/deviceInitial', function(){ });*/ webcapDefer.resolve(); }); jQuery(document).ready(function() { RPC.DevInit.getStatus().done(function(status){ if(status.Init == 1) { //uninitialized seajs.use('/Component/d