3/21/2021 0 Comments Hikvision Password Reset Tool
Most of the time, the manufacturers dont force secure passwords, and more often than not you can sign in with default passwords.Upon logging in for the first time with the password 12345, it forces you to change it.
Is this enough to stop attackers from accessing the device Turns out it isnt. ![]() I intercepted traffic with Burp Suite, and found out that when an user attempts to log in, an XHR GET request is made to an endpoint located at PSIACustomSelfExtuserCheck. The username and password itself are included as a basic authorization header. The request would return an XML document with a field, which returns 401 if the authentication fails and probably 200 if it succeeds. I also remembered that the pin could only contain digits, and was probably 5-6 digits long. Furthermore, theres no lockout if you enter a wrong pin too many times. Luckily, gaining root access to the device is easy once you have the admin password: You simply need to send a PUT request to an endpoint at ISAPISystemNetworktelnetd with the following data. BusyBox v1.16.1 (2014-05-19 09:41:10 CST) built-in shell (ash). This seemed to be what I was looking for considering its size, so I uploaded it to my PC using FTP and ran strings on it. Judging from the output of that alone, it seemed like this one binary was responsible for pretty much everything: Hosting the web frontend, backend, communicating with SADP, checking passwords, driving connected cameras, etc. There is also 12345, which is probably what the password gets reset to. ![]() Taking another look at the disassembly, it seems like the input is a string fetched from memory combined with the devices date formatted as stringyyyymmdd. ![]() Hikvision Reset Tool Serial In ThemI looked for strings with serial in them and found an XML response template. Sending a GET request to upnpdevicedesc.xml does indeed fetch us the serial number, and the devices local time is even included in the response headers - thats literally all we need to generate the code. We can now write a function, which generates the input for the keygen. Whats worse than that is the fact that it may create a false sense of security, which can be abused by an attacker with malicious intents to work unnoticably. While my script doesnt allow you to reset anyone elses password but your own, since you have to manually enter it in SADP which only lists local cameras, it would be trivial to reverse engineer the SADP tool and its communications with the devices, and create software to mass-exploit this vulnerability.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |