This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99bf30ea5eb22cca46022cca46022cca46022cca460
Found HiSiliconDVR firmware: Hardware: General AHB7008T-MHV2 Vulnerable to multiple issues : LFI, possibly RCE
Open service 45.239.149.1:80
2024-05-08 13:45
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> var ShowTipFlag=2; if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function reminder() { var nSel=$('langlist').selectedIndex; var cLanguage; switch(nSel) { case 0: cLanguage="English"; break; case 1: cLanguage="French"; break; case 2: cLanguage="Hungarian"; break; case 3: cLanguage="Italian"; break; case 4: cLanguage="Japanese"; break; case 5: cLanguage="Portugal"; break; case 6: cLanguage="Russian"; break; case 7: cLanguage="SimpChinese"; break; case 8: cLanguage="Spanish"; break; case 9: cLanguage="TradChinese"; break; case 10: cLanguage="German"; break; case 11: cLanguage="Poland"; break; case 12: cLanguage="Turkey"; break; case 13: cLanguage="Romanian"; break; case 14: cLanguage="Suomi"; break; case 15: cLanguage="Korean"; break; case 16: cLanguage="Farsi"; break; case 17: cLanguage="Thai"; break; case 18: cLanguage="Greek"; break; case 19: cLanguage="Vietnamese"; break; case 20: cLanguage="Brazilian"; break; case 21: cLanguage="Hebrew"; break; case 22: cLanguage="Arabic"; break; case 23: cLanguage="Bulgarian"; break; case 24: cLanguage="Czech"; break; case 25: cLanguage="Azerbaycan"; break; default: cLanguage="English"; break; } if(2==ShowTipFlag) { switch(nSel) { case 0: cLanguage="English"; alert("Please set the encrypted problem!"); break; case 7: cLanguage="SimpChinese"; alert("请先设置密保问题!"); break; default: cLanguage="English"; alert("Please set the encrypted problem!"); break; } } else { location="reminder.html?cLanguage="+cLanguage; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; }
Open service 45.239.149.1:80
2024-04-30 19:56
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> var ShowTipFlag=2; if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function reminder() { var nSel=$('langlist').selectedIndex; var cLanguage; switch(nSel) { case 0: cLanguage="English"; break; case 1: cLanguage="French"; break; case 2: cLanguage="Hungarian"; break; case 3: cLanguage="Italian"; break; case 4: cLanguage="Japanese"; break; case 5: cLanguage="Portugal"; break; case 6: cLanguage="Russian"; break; case 7: cLanguage="SimpChinese"; break; case 8: cLanguage="Spanish"; break; case 9: cLanguage="TradChinese"; break; case 10: cLanguage="German"; break; case 11: cLanguage="Poland"; break; case 12: cLanguage="Turkey"; break; case 13: cLanguage="Romanian"; break; case 14: cLanguage="Suomi"; break; case 15: cLanguage="Korean"; break; case 16: cLanguage="Farsi"; break; case 17: cLanguage="Thai"; break; case 18: cLanguage="Greek"; break; case 19: cLanguage="Vietnamese"; break; case 20: cLanguage="Brazilian"; break; case 21: cLanguage="Hebrew"; break; case 22: cLanguage="Arabic"; break; case 23: cLanguage="Bulgarian"; break; case 24: cLanguage="Czech"; break; case 25: cLanguage="Azerbaycan"; break; default: cLanguage="English"; break; } if(2==ShowTipFlag) { switch(nSel) { case 0: cLanguage="English"; alert("Please set the encrypted problem!"); break; case 7: cLanguage="SimpChinese"; alert("请先设置密保问题!"); break; default: cLanguage="English"; alert("Please set the encrypted problem!"); break; } } else { location="reminder.html?cLanguage="+cLanguage; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; }
Open service 45.239.149.1:80
2024-04-28 18:45
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> var ShowTipFlag=2; if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function reminder() { var nSel=$('langlist').selectedIndex; var cLanguage; switch(nSel) { case 0: cLanguage="English"; break; case 1: cLanguage="French"; break; case 2: cLanguage="Hungarian"; break; case 3: cLanguage="Italian"; break; case 4: cLanguage="Japanese"; break; case 5: cLanguage="Portugal"; break; case 6: cLanguage="Russian"; break; case 7: cLanguage="SimpChinese"; break; case 8: cLanguage="Spanish"; break; case 9: cLanguage="TradChinese"; break; case 10: cLanguage="German"; break; case 11: cLanguage="Poland"; break; case 12: cLanguage="Turkey"; break; case 13: cLanguage="Romanian"; break; case 14: cLanguage="Suomi"; break; case 15: cLanguage="Korean"; break; case 16: cLanguage="Farsi"; break; case 17: cLanguage="Thai"; break; case 18: cLanguage="Greek"; break; case 19: cLanguage="Vietnamese"; break; case 20: cLanguage="Brazilian"; break; case 21: cLanguage="Hebrew"; break; case 22: cLanguage="Arabic"; break; case 23: cLanguage="Bulgarian"; break; case 24: cLanguage="Czech"; break; case 25: cLanguage="Azerbaycan"; break; default: cLanguage="English"; break; } if(2==ShowTipFlag) { switch(nSel) { case 0: cLanguage="English"; alert("Please set the encrypted problem!"); break; case 7: cLanguage="SimpChinese"; alert("请先设置密保问题!"); break; default: cLanguage="English"; alert("Please set the encrypted problem!"); break; } } else { location="reminder.html?cLanguage="+cLanguage; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; }
Open service 45.239.149.1:8080
2024-04-25 23:56
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 45785 Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly Connection: close <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <head> <link rel="shortcut icon" type="image/x-icon" href="../img/favicon.ico"/> <link rel="stylesheet" href="../css/main.css"/> <link rel="stylesheet" href="../css/login.css"/> <link rel="stylesheet" href="../css/jquery.tpInput.css"/> <script src="../js/jquery-1.8.3.min.js" type="text/javascript"></script> <script src="../js/oid_str.js" type="text/javascript"></script> <script src="../js/lib.js" type="text/javascript"></script> <script type="text/javascript" src="../locale/language.js"></script> <script type="text/javascript" src="../js/locale.js"></script> <script type="text/javascript" src="../js/encrypt.js"></script> <script type="text/javascript" src="../js/jquery.tpInput.js"></script> <script src="../js/cryptoJS.min.js" type="text/javascript"></script> <script src="../js/tpEncrypt.js" type="text/javascript"></script> <script src="../js/gdprProxy.js" type="text/javascript"></script> </head> <body> <div id="cover" class="nd"></div> <div id="mask" class="mask"></div> <span class="load" style="display: none">for cache</span> <div id="pc-div"> <div id="pc-top"> <div id="pc-top-container"> <a id="pc-top-product" href="http://www.tp-link.com" target="_blank"> <span class="icon-logo"></span> </a> </div> </div> <div id="pc-scroll"> <div id="pc-arrowBg"></div> <div id="pc-main"> <div class="pc-login-content" id="pc-login"> <div id="pc-login-forget" class="nd"> <h4 id="pc-login-forget-title"></h4> <p id="pc-login-forget-text"></p> <div class="button-container"> <form class="pure-form"> <button type="submit" class="green T_save pure-button tp-btn-custom" id="pc-login-forget-back"> <span class="">Save</span></button> </form> </div> </div> <div id="pc-login-main"> <div class="pc-login-field nd" id="pc-login-user-div"> <div class="pc-inputarea"> <label class="pc-login-username-label"> <span class="icon"></span> <span class="text"></span> </label> <input type="text" id="pc-login-user" autocomplete="off"> </div> </div> <div class="pc-login-field"> <div class="pc-inputarea"> <label class="pc-login-password-label"> <span class="icon"></span> </label> <input type="password" id="pc-login-password" autocomplete="off"> <span class="pc-forgetPwd"><a href="#" id="pc-login-forgetPwd">For get password</a></span> </div> </div> <div> <div class="button-wrapper"> <button id="pc-login-btn" class="button-button" type="button"> <span class="text button-text">Log in</span> </button> <div class="button-error-tips widget-error-tips"> <div class="shadow-top-left"></div> <div class="shadow-top"></div> <div class="shadow-top-right"></div> <div class="shadow-left"> <div class="shadow-right"> <span class="widget-error-tips-delta"></span> <div class="widget-error-tips-wrap">
Open service 45.239.149.1:80
2024-04-25 15:57
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> var ShowTipFlag=2; if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function reminder() { var nSel=$('langlist').selectedIndex; var cLanguage; switch(nSel) { case 0: cLanguage="English"; break; case 1: cLanguage="French"; break; case 2: cLanguage="Hungarian"; break; case 3: cLanguage="Italian"; break; case 4: cLanguage="Japanese"; break; case 5: cLanguage="Portugal"; break; case 6: cLanguage="Russian"; break; case 7: cLanguage="SimpChinese"; break; case 8: cLanguage="Spanish"; break; case 9: cLanguage="TradChinese"; break; case 10: cLanguage="German"; break; case 11: cLanguage="Poland"; break; case 12: cLanguage="Turkey"; break; case 13: cLanguage="Romanian"; break; case 14: cLanguage="Suomi"; break; case 15: cLanguage="Korean"; break; case 16: cLanguage="Farsi"; break; case 17: cLanguage="Thai"; break; case 18: cLanguage="Greek"; break; case 19: cLanguage="Vietnamese"; break; case 20: cLanguage="Brazilian"; break; case 21: cLanguage="Hebrew"; break; case 22: cLanguage="Arabic"; break; case 23: cLanguage="Bulgarian"; break; case 24: cLanguage="Czech"; break; case 25: cLanguage="Azerbaycan"; break; default: cLanguage="English"; break; } if(2==ShowTipFlag) { switch(nSel) { case 0: cLanguage="English"; alert("Please set the encrypted problem!"); break; case 7: cLanguage="SimpChinese"; alert("请先设置密保问题!"); break; default: cLanguage="English"; alert("Please set the encrypted problem!"); break; } } else { location="reminder.html?cLanguage="+cLanguage; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; }
Open service 45.239.149.1:8080
2024-04-23 14:35
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 45785 Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly Connection: close <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <head> <link rel="shortcut icon" type="image/x-icon" href="../img/favicon.ico"/> <link rel="stylesheet" href="../css/main.css"/> <link rel="stylesheet" href="../css/login.css"/> <link rel="stylesheet" href="../css/jquery.tpInput.css"/> <script src="../js/jquery-1.8.3.min.js" type="text/javascript"></script> <script src="../js/oid_str.js" type="text/javascript"></script> <script src="../js/lib.js" type="text/javascript"></script> <script type="text/javascript" src="../locale/language.js"></script> <script type="text/javascript" src="../js/locale.js"></script> <script type="text/javascript" src="../js/encrypt.js"></script> <script type="text/javascript" src="../js/jquery.tpInput.js"></script> <script src="../js/cryptoJS.min.js" type="text/javascript"></script> <script src="../js/tpEncrypt.js" type="text/javascript"></script> <script src="../js/gdprProxy.js" type="text/javascript"></script> </head> <body> <div id="cover" class="nd"></div> <div id="mask" class="mask"></div> <span class="load" style="display: none">for cache</span> <div id="pc-div"> <div id="pc-top"> <div id="pc-top-container"> <a id="pc-top-product" href="http://www.tp-link.com" target="_blank"> <span class="icon-logo"></span> </a> </div> </div> <div id="pc-scroll"> <div id="pc-arrowBg"></div> <div id="pc-main"> <div class="pc-login-content" id="pc-login"> <div id="pc-login-forget" class="nd"> <h4 id="pc-login-forget-title"></h4> <p id="pc-login-forget-text"></p> <div class="button-container"> <form class="pure-form"> <button type="submit" class="green T_save pure-button tp-btn-custom" id="pc-login-forget-back"> <span class="">Save</span></button> </form> </div> </div> <div id="pc-login-main"> <div class="pc-login-field nd" id="pc-login-user-div"> <div class="pc-inputarea"> <label class="pc-login-username-label"> <span class="icon"></span> <span class="text"></span> </label> <input type="text" id="pc-login-user" autocomplete="off"> </div> </div> <div class="pc-login-field"> <div class="pc-inputarea"> <label class="pc-login-password-label"> <span class="icon"></span> </label> <input type="password" id="pc-login-password" autocomplete="off"> <span class="pc-forgetPwd"><a href="#" id="pc-login-forgetPwd">For get password</a></span> </div> </div> <div> <div class="button-wrapper"> <button id="pc-login-btn" class="button-button" type="button"> <span class="text button-text">Log in</span> </button> <div class="button-error-tips widget-error-tips"> <div class="shadow-top-left"></div> <div class="shadow-top"></div> <div class="shadow-top-right"></div> <div class="shadow-left"> <div class="shadow-right"> <span class="widget-error-tips-delta"></span> <div class="widget-error-tips-wrap">
Open service 45.239.149.1:80
2024-04-18 18:52
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> var ShowTipFlag=2; if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function reminder() { var nSel=$('langlist').selectedIndex; var cLanguage; switch(nSel) { case 0: cLanguage="English"; break; case 1: cLanguage="French"; break; case 2: cLanguage="Hungarian"; break; case 3: cLanguage="Italian"; break; case 4: cLanguage="Japanese"; break; case 5: cLanguage="Portugal"; break; case 6: cLanguage="Russian"; break; case 7: cLanguage="SimpChinese"; break; case 8: cLanguage="Spanish"; break; case 9: cLanguage="TradChinese"; break; case 10: cLanguage="German"; break; case 11: cLanguage="Poland"; break; case 12: cLanguage="Turkey"; break; case 13: cLanguage="Romanian"; break; case 14: cLanguage="Suomi"; break; case 15: cLanguage="Korean"; break; case 16: cLanguage="Farsi"; break; case 17: cLanguage="Thai"; break; case 18: cLanguage="Greek"; break; case 19: cLanguage="Vietnamese"; break; case 20: cLanguage="Brazilian"; break; case 21: cLanguage="Hebrew"; break; case 22: cLanguage="Arabic"; break; case 23: cLanguage="Bulgarian"; break; case 24: cLanguage="Czech"; break; case 25: cLanguage="Azerbaycan"; break; default: cLanguage="English"; break; } if(2==ShowTipFlag) { switch(nSel) { case 0: cLanguage="English"; alert("Please set the encrypted problem!"); break; case 7: cLanguage="SimpChinese"; alert("请先设置密保问题!"); break; default: cLanguage="English"; alert("Please set the encrypted problem!"); break; } } else { location="reminder.html?cLanguage="+cLanguage; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; }