{"uuid": "c8bff0e0-9af4-4ed5-b423-fe6b7a17d8fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-30563", "type": "published-proof-of-concept", "source": "https://t.me/tengkorakcybercrewz/21776", "content": "Hackers Arise IoT Hacking: How We Hacked the Dahua Cameras In Ukraine and Russia\nWelcome back, my aspiring cyberwarriors!\n\nAs you know, Hackers-Arise played a key role in the Ukrainian resistance to Russia's brutal attack. We did many things to support Ukraine, including attacking Russia's industrial infrastructure, DoS'ing the corporate and government websites, and training hackers to protect Ukraine. What we may be most famous for is the hacking of IP cameras throughout Ukraine at the request of the Ukrainian army to surveil Russian movements and war crimes in the country.\n\nHere is a small sampling of some of the pictures we captured.\n\nAt the time, we did not reveal our techniques (for obvious reasons), but now that two years have passed and the vulnerability has been patched, we are ready to reveal to the world how we hacked so many cameras in both Ukraine and Russia!\n\nAs we revealed in earlier tutorials, we used default credentials for many of the cameras and brute forced the credentials for many others. This harvested about 15-20% of the cameras we targeted. It's always important to try to get the \"low-hanging fruit\" first. For the remaining 80% we were able to use two exploits, one of which was a zero-day against Dahua cameras.\n\nLet's focus on that one.\n\nDahua Zero-Day\n\nDahua is a China-based IP camera manufacturer that is among the world's largest. Besides making cameras under their own name, they also private-label cameras for many other resellers. 
Their cameras are literally all over the world!\n\nOn June 28, 2022, the good people at NIST announced a new vulnerability in the Dahua cameras, assigned it CVE-2022-30563, and gave it a base score of 7.8. They described the vulnerability as:\n\nWhen an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in through ONVIF, he can log in to the device by replaying the user's login packet.\n\nAn article on SecurityAffairs.com described the vulnerability in a headline that read:\n\n\"A flaw in Dahua IP Cameras allows full take over of the devices\"\n\nThis was several months after we had been successfully exploiting this flaw in cameras in both Ukraine and Russia.\n\nWhat is ONVIF?\n\nONVIF is the Open Network Video Interface Forum. This is an open standard that is used in IP-based physical security products. ONVIF products allow access through a set of standardized APIs. These APIs allow the user to watch the video from the camera, unlock smart doors, and add users and passwords. ONVIF requests are transmitted as XML SOAP messages.\n\nONVIF accepts, among other authentication mechanisms, WS-UsernameToken such as seen below.\n\nNote that the WS-UsernameToken accepts:\n\n1. a username\n2. a nonce\n3. Created\n4. password\n\nWS-UsernameToken then generates a Base64 digest. This helps to obscure this data, most importantly the password, from being intercepted and used in a MiTM attack. By incorporating the timestamp, it also prevents replay attacks.\n\nTo be successful, the attacker must first sniff a single unencrypted ONVIF request such as shown above. 
This is relatively easy as WS-UsernameToken is used by default on these devices and they use HTTP rather than HTTPS, so the transmission is unencrypted.\n\nNext, the attacker forges a new CreateUsers request that adds a new user with admin privileges!\n\nOnce the new admin account has been created, the attacker can then simply log in to the new account and take control of the device. This includes zoom, tilt and pan (if enabled) and deleting other accounts, including other admin accounts.\n\nSummary\n\nInternet of Things devices are everywhere and in most cases their security[...]", "creation_timestamp": "2024-09-25T22:32:27.000000Z"}