This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99be00d7104014dcbe9014dcbe9014dcbe9014dcbe9
Found HiSiliconDVR firmware: Hardware: General NBD6808T-PL Vulnerable to multiple issues : LFI, possibly RCE
Open service 116.102.6.238:2222
2024-06-14 17:45
HTTP/1.1 200 OK
CONNECTION: close
Date: Sat, 15 Jun 2024 01:20:26 GMT
Last-Modified: Thu, 24 Jan 2019 03:10:55 GMT
Etag: "1548299455:7127"
CONTENT-LENGTH: 28967
CACHE-CONTROL: max-age=0
X-Frame-Options: SAMEORIGIN
CONTENT-TYPE: text/html
Open service 116.102.6.238:2222
2024-06-13 12:45
Open service 116.102.6.238:2222
2024-05-30 15:58