These vulnerabilities (with proof-of-concept (PoC) code) affect DVR/NVR devices built using the HiSilicon hi3520d and similar systems on a chip (SoC).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99bcb8e72f6fc184637fc184637fc184637fc184637
Found HiSiliconDVR firmware. Hardware: General MBD6016E-E. Vulnerable to multiple issues: LFI (local file inclusion), possibly RCE.
Open service 59.127.155.11:82
2024-09-27 20:19
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-25 20:48
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-23 20:31
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-15 21:06
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-13 20:50
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:83
2024-09-12 01:12
HTTP/1.1 200 OK CONNECTION: close Date: Thu, 12 Sep 2024 09:12:31 GMT Last-Modified: Tue, 28 Nov 2017 11:06:57 GMT Etag: "1511867217:629b" CONTENT-LENGTH: 25243 CACHE-CONTROL: max-age=0 P3P: CP=CAO PSA OUR CONTENT-TYPE: text/html Page title: WEB SERVICE <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>WEB SERVICE</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="Cache-Control" content="no-cache,must_revalidate"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=6;IE=7; IE=8; IE=EmulateIE7"> <script type="text/javascript" src="jsBase/lib/jquery.js">jQuery.noConflict();</script> <script type="text/javascript" src="jsBase/widget/js/jquery.ui.core.js"></script> <script type="text/javascript" src="jsBase/widget/js/jquery.ui.widget.js"></script> <script type="text/javascript" src="jsBase/widget/js/dui.fisheye.js"></script> <script type="text/javascript" src="jsBase/lib/base64.js"></script> <script type="text/javascript" src="jsBase/lib/md5.js"></script> <script type="text/javascript" src="jsBase/lib/m1.2.js"></script> <script type="text/javascript" src="jsBase/lib/more.js"></script> <script type="text/javascript" src="jsCore/aes.js"></script> <script type="text/javascript" src="jsCore/rsa.js"></script> <script type="text/javascript" src="js/appAbility.js"></script> <script type="text/javascript" src="jsCore/common.js"></script> <script type="text/javascript" src="jsCore/rpcCore.js"></script> <script type="text/javascript" src="jsBase/lib/sea.js"></script> <script type="text/javascript" src="js/loginEx.js?version=82908"></script> <script type="text/javascript" src="js/publicFunc.js?version=82908"></script> <script type="text/javascript" src="js/system.js?version=82908"></script> <script type="text/javascript" src="/pluginVersion.js?version=82908"></script> <script type="text/javascript" 
src="/webVersion.js"></script> <script type="text/javascript" src="/olp.js?version=82908"></script> <script type="text/javascript" src="cap.js?version=82908"></script> <script type="text/javascript" src="Component/level.js?version=82908"></script> <script type="text/javascript" src="js/findPwd.js?version=82908"></script> <script type="text/javascript" src="js/deviceInitial.js?version=82908"></script> <script type="text/javascript" src="js/index.js?version=82908"></script> <script type="text/javascript" src="/js/pluginAdaptor.js?version=82908"></script> <script type="text/javascript" src="js/eventScript.js?version=82908"></script> <link href="favicon.ico" type="image/x-icon" rel="shortcut icon"> <link rel="stylesheet" type="text/css" href="/jsBase/widget/css/ui.css"> <link rel="stylesheet" type="text/css" href="/jsBase/widget/css/skin.css"> <link rel="stylesheet" type="text/css" href="/css/oem.css"> </head> <body onscroll="$('nav_margin').style.visibility = 'hidden'; $('nav_margin').style.visibility = 'visible'"> <div id="loading" class="J_load_dialog"> <p id="lab_loading" class="J_load_p" t="com_msg.loading activex"></p> </div> <div id="l" class="login"> <div class="login-container"> <div class="login-content"> <div class="login-logo" id="index_logo"></div> <div class="login-inputbox fn-clear"> <form> <div class="login-input-item"> <div class="login-username-icon"></div> <label class="login-input-title login_oem_username" t="com_str.username+: ">用户名</label> <input type="text" id="username" class="ui-input fn-width163 login_inputbox" onkeydown="if (event.keyCode==13) event.keyCode=9"> <div class="login-btnbox custom-btnbox"> <a id="ulgin" class="ui-button fn-width80" onclick="login()" href="javascript:;" t="com_str.login"></a> </div> </div> <div class="login-input-item"> <div class="login-password-icon"></div> <label class="login-input-title login_oem_password" id="paswd" t="com_str.password+: ">密码</label> <input type="password" autocomplete="off" style="display: 
none"> <input id="password" type="password" autocomplete="off" class="ui-input fn-width163 login_inputbox login_oem_top" maxlength="32" onkeydown="if (event.keyCode==13) login()"> <label id="forgetpw" t="secret.forget.pwd+?" style="width: auto;margin-top: 6px">Password: </label> <div class="login-btnbox custom-btnbox"> <a id="cancl" class="ui-button fn-wi
Open service 59.127.155.11:82
2024-09-11 21:16
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-09 22:01
HTTP/1.0 200 OK Content-type: application/binary Server: uc-httpd 1.0.0 Expires: 0 <H1>Index of /mnt/web/</H1>
Open service 59.127.155.11:82
2024-09-07 21:05
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rOpera.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rChrome.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rSafari.exec(ua); if (match != null) { return { browser : match[2] || "", version : match[1] || "0" }; } if (match != null) { return { browser : "", version : "0" }; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; if (ipaddress == "") { ipaddress = "10.10.35.107"; //ipaddress = "10.10.35.107"; } var hostport=34568; var iLanguage=102; var numLanguage; var DownLoadAddr=""; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var 
gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var g_bQS=false; var g_bSubQS1=true; var g_bSubQS2=true; var g_bSubQS3=true; var g_bSubQS4=false; var g_strSubQS4Name = ''; var g_bClose=false; var gHashCookie = new Hash.Cookie('NetSuveillanceWebCookie',{duration: 30}); var settings = { username:'', ocxlanguage:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseIn
Open service 59.127.155.11:82
2024-08-17 20:54
HTTP/1.0 200 OK Content-type: text/html Server: uc-httpd 1.0.0 Expires: 0 Page title: NETSurveillance WEB <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" type="text/css" media="screen" href="m.css" /> <title>NETSurveillance WEB</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(navigator.userAgent.indexOf('IE') < 0) { var userAgent = navigator.userAgent, rMsie = /(msie\s|trident.*rv:)([\w.]+)/, rFirefox = /(firefox)\/([\w.]+)/, rOpera = /(opera).+version\/([\w.]+)/, rChrome = /(chrome)\/([\w.]+)/, rSafari = /version\/([\w.]+).*(safari)/; var browserMatch = uaMatch(userAgent.toLowerCase()); if(browserMatch.browser!="IE") { location="Login.htm"; } } function uaMatch(ua) { var match = rMsie.exec(ua); if (match != null) { return { browser : "IE", version : match[2] || "0" }; } var match = rFirefox.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rOpera.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rChrome.exec(ua); if (match != null) { return { browser : match[1] || "", version : match[2] || "0" }; } var match = rSafari.exec(ua); if (match != null) { return { browser : match[2] || "", version : match[1] || "0" }; } if (match != null) { return { browser : "", version : "0" }; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; if (ipaddress == "") { ipaddress = "10.10.35.107"; //ipaddress = "10.10.35.107"; } var hostport=34568; var iLanguage=102; var numLanguage; var DownLoadAddr=""; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var 
gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var g_bQS=false; var g_bSubQS1=true; var g_bSubQS2=true; var g_bSubQS3=true; var g_bSubQS4=false; var g_strSubQS4Name = ''; var g_bClose=false; var gHashCookie = new Hash.Cookie('NetSuveillanceWebCookie',{duration: 30}); var settings = { username:'', ocxlanguage:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseIn