This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b0bed4eab8254eba08254eba08254eba08254eba0
Found HiSiliconDVR firmware: Hardware: General MBD6304T Vulnerable to multiple issues : LFI, possibly RCE
Open service 195.174.64.137:8080
2024-06-02 10:32
HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Connection: close Pragma: no-cache Content-Length: 3612 Page title: Residential Gateway Login
Open service 195.174.64.137:8080
2024-05-23 12:32
HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Connection: close Pragma: no-cache Content-Length: 3611 Page title: Residential Gateway Login