Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
Description
Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: '"App-webs" "200 OK"'). Some of these devices can never be patched due to to the vendor preventing users from upgrading the installed firmware on the affected device. This module utilizes the bug in the authentication logic to perform an unauthenticated password change of any user account on a vulnerable Hikvision IP Camera. This can then be utilized to gain full administrative access to the affected device.
Author(s)
- Monte Crypto
- h00die-gr3y <h00die.gr3y@gmail.com>
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > show actions
...actions...
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > set ACTION < action-name >
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > show options
...show and set options...
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security