This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar systems on a chip (SoC).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b50b5542628c8f96728c8f96728c8f96728c8f967
Found HiSiliconDVR firmware: Hardware: General AHB7004T-LME-V3 Vulnerable to multiple issues : LFI, possibly RCE
Open service 116.58.224.83:443
2024-09-11 09:55
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
Content-Length: 82001
Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly
Connection: close