This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b92d3bae969cab2ea69cab2ea69cab2ea69cab2ea
Found HiSiliconDVR firmware: Hardware: General MBD9304D-F Vulnerable to multiple issues : LFI, possibly RCE
Open service 5.13.106.241:443
2024-06-15 01:35
HTTP/1.1 406 Not Acceptable Content-Type: text/html; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'none' Content-Length: 116 X-Frame-Options: SAMEORIGIN Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly Connection: close Page title: 406 Not Acceptable <html><head><title>406 Not Acceptable</title></head><body><center><h1>406 Not Acceptable</h1></center></body></html>
Open service 5.13.106.241:443
2024-06-13 10:36
HTTP/1.1 406 Not Acceptable Content-Type: text/html; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'none' Content-Length: 116 X-Frame-Options: SAMEORIGIN Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly Connection: close Page title: 406 Not Acceptable <html><head><title>406 Not Acceptable</title></head><body><center><h1>406 Not Acceptable</h1></center></body></html>