Last Updated: 2014-11-24 00:43:28 UTC
by Johannes Ullrich (Version: 1)
The "Internet of Things" is turning against us once more. Rapid 7 is reporting how Hikvision DVRs are vulnerable to at least 3 different remote code execution vulnerabilities. Metasploit modules are available to take advantage of them, a patch is not available.
All three vulnerabilities were found in the code dealing with RTSP requests. The vulnerabilities are simple buffer overflows.
Hikvision DVRs were already in the news earlier this year, when we found many of them being exploited by "The Moon" worm, bitcoin miners, and code scanning for Synology disk stations. Back then, the main exploit vector was the default root password of "12345" which never got changed.
At this point, device manufacturers just "don't get it". The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating systems and server vulnerabilities. Note that many devices are sold under various brandnames and Hikvision may not be the only vulnerable brand.