xxxx
tcp/443
This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b9ef7d2d583a0925683a0925683a0925683a09256
Found HiSiliconDVR firmware: Hardware: General TVI9708H_H Vulnerable to multiple issues : LFI, possibly RCE
Open service 85.105.187.197:443
2024-03-02 19:16
HTTP/1.1 200 OK
Date: Sat, 02 Mar 2024 19:12:08 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: data: ws: wss: blob: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; frame-ancestors 'self';
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=utf-8
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 24690
Set-Cookie: JSESSIONID=skcnea0qhnqhcvwgkg591cbn239; Path=/userportal; Secure; HttpOnly
Connection: close

Page title: User Portal