ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs
19.7.2018 securityaffairs IoT

A security researcher discovered that the IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs.
The IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs, the discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security.

Dahua DVRs

Anubhav explained that the passwords are related to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013-6117.

Even if the vulnerability has been patched, many Dahua devices are still running ancient firmware.

The CVE-2013-6117 was discovered by the security expert Jake Reynolds and affects Dahua DVR 2.608.0000.0 and 2.608.GV00.0. The flaw could be exploited by remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

An attacker just needs to initiate a raw TCP connection on a vulnerable Dahua DVR on port 37777 to send the exploit code that triggers the issue.

Once the Dahua device receives this code, it will respond with DDNS credentials for accessing the device, and other data, all in plaintext.

Ankit Anubhav
@ankit_anubhav
Just to make things clear to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the ddns creds

"\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

Ankit Anubhav
@ankit_anubhav
Wow and how did I miss this.
13900+ of these devices have their password as "123456"
Check here https://goo.gl/S5G2Bh #iot #security #fail

This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://twitter.com/ankit_anubhav/status/1017429425602822144

11:49 PM - Jul 13, 2018
51
31 people are talking about this
Twitter Ads info and privacy

Ankit Anubhav
@ankit_anubhav
Wow and how did I miss this.
13900+ of these devices have their password as "123456"
Check here https://goo.gl/S5G2Bh #iot #security #fail

This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices.

Ankit Anubhav
@ankit_anubhav
Replying to @ankit_anubhav
And of course, people here too have not failed to put extremely generic passwords.https://www.zoomeye.org/searchResult?q=%2Bport%3A%2237777%22%20%22admin123%22 270 devices have password as "admin123" lol.

Brickerbot is known to brick the devices he pwns, so it does not look like a happy ending for these devices. @GDI_FDN <end>

8:21 PM - Jul 13, 2018
16
See Ankit Anubhav's other Tweets
Twitter Ads info and privacy
Anubhav explained that ZoomEye scans port 37777 caching the output in plaintext, this means that everyone that with a ZoomEye account can scrap results to obtain the credentials of tens of thousands

Anubhav notified the issue to ZoomEye asking it to remove the passwords from its cached results, but the expert is still waiting for a reply.

The expert explained that he discovered the issue after reading a post published by the author of the BrickerBot IoT malware that exploited the flaw to hacked hijack and brick Dahua DVRs in the past.