Avtech 1.0
tcp/80
Linux 2.x
tcp/80
UPnP 1.0
tcp/80
These vulnerabilities (with proof-of-concept (PoC) code) affect DVR/NVR devices built using the HiSilicon hi3520d and similar systems on a chip (SoCs).
Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, resulting in full takeover of the exploited device.
Severity: high
Fingerprint: 321975614123c6c05f83e99b74b6d9e701d3b64c01d3b64c01d3b64c01d3b64c
Found HiSiliconDVR firmware: Hardware: General AHB7004T-MHV2 Vulnerable to multiple issues : LFI, possibly RCE
Open service 89.242.13.37:80
2024-03-03 14:41
HTTP/1.1 200 OK Date: Sun, 03 Mar 2024 15:02:14 GMT Server: Linux/2.x UPnP/1.0 Avtech/1.0 Connection: close Last-Modified: Tue, 26 Nov 2019 06:33:07 GMT Content-Type: text/html ETag: 227-54171-1574749987 Content-Length: 54171 Page title: Remote Surveillance, Any time & Any where <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <link rel="icon" href="/nobody/favicon.ico" type="image/vnd.microsoft.icon" /> <link rel="shortcut icon" href="/nobody/favicon.ico" type="image/vnd.microsoft.icon" /> <link rel="bookmark" href="/nobody/favicon.ico" type="image/vnd.microsoft.icon" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="googlebot" content="nosnippet"> <meta name="robots" content="noarchive"> <title>Remote Surveillance, Any time & Any where</title> <style> body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; font-family: "Century Gothic"; color: #fff; font-size: 19px; background-color: #333; } .BOX1 { position:absolute; left:50%; top:50%; margin-top:-225px; margin-left:-360px; visibility: visible; } .BOX2 { background-color: #333; color: #fff; text-align: center; padding: 12px; width: 100%; overflow: auto; height: auto; position: fixed; bottom: 0px; } a:hover { font-size: 100%; text-decoration: underline; font-weight: bold; } .input { font-family: "Century Gothic"; color: #666; background-color: #F0F0F0; margin: 1px; padding: 6px; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; width: 85px; font-size: 14px; } .button { font-family: "Century Gothic"; color: #FFFFFF; background-color: #0CF; padding: 6px; text-align: center; width: 170px; border: 1px inset #09F; border-radius: 28px; font-size: 14px; } .input_osg { font-family: "Century Gothic"; color: #666; background-color: #F0F0F0; height: 20px; margin: 1px; padding: 6px; text-align: 
center; width: 72px; font-size: 15px; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; } .button_osg { font-family: Century Gothic; width: 300px; background: #3498db; border: 1px inset #3498db; border-radius: 28px; color: #ffffff; font-size: 15px; padding: 6px; } .button_osg:hover { background: #3cb0fd; border: 1px inset #3cb0fd; } .font_note { font-size: 13px; } .round{ border-collapse: separate; border: 0px solid #333333; background-color: #F0F0F0; border-radius: 28px; } </style> <script language="JavaScript"> //Kelvin++ 2014-08-07 check is it opening from EZ server, then auto-login use ez.htm if(document.URL.indexOf("?a=") > 0){ location.href="/nobody/aplogin.htm?parameter="+Base64.encode(document.URL.split("?")[1])+"&InitPath=EZ_LOGIN"+"&rnd="+Math.random(); } /* ========== loginDevice.js ========== */ function getCookie(c_name){ if (document.cookie.length>0){ c_start=document.cookie.indexOf(c_name + "="); if (c_start!=-1){ c_start=c_start + c_name.length+1; c_end=document.cookie.indexOf(";",c_start); if (c_end==-1) c_end=document.cookie.length; return unescape(document.cookie.substring(c_start,c_end)); } } return ""; } function setCookie(c_name,value,expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+exdate.toGMTString()); } function delCookie(name){ var exp = new Date(); exp.setTime(exp.getTime() - 1); var cval = getCookie(name); if(cval != null) document.cookie = name + "="+cval+";expires="+exp.toGMTString(); } function getURL(){ var a = document.URL.split("//"); a = (a[1] ? 
a[1] : a[0]).split("/"); return a[0]; } function getPort(){ urlArr = getURL().split(":"); if(urlArr.length == 1) return "80"; else return urlArr[1]; } var w = window.screen.availWidth; if(getCookie("ViewMode")!="Classic"){ if(w <= 800){//mobile screen width < 800 if(w > 320) location.href="/nobody/mobile480.htm?Login=Captcha"; else if(w <= 240) location.href=