0day vulnerability (backdoor) in firmware for HiSilicon-based DVRs, NVRs and IP cameras
This is a full disclosure of a recently discovered backdoor integrated into DVR/NVR devices built on top of HiSilicon SoCs. The described vulnerability allows an attacker to gain root shell access and full control of the device. The full disclosure format for this report has been chosen due to a lack of trust in the vendor. Proof of concept code is presented below.
Previous work and historical context
HiSilicon has a long track record of implementing backdoor access on their devices.
The earliest known versions of it had telnet access enabled with a static root password which can be recovered from the firmware image with (relatively) little computational effort. This vulnerability was covered by the author's previous article (in Russian) in 2013. In 2017 Istvan Toth did the most comprehensive analysis of HiSilicon firmware to date. He also discovered a remote code execution vulnerability in the built-in web server and many other vulnerabilities. It's worth noting that his disclosure was ignored by the vendor.
More recent firmware versions had telnet access and the debug port (9527/tcp) disabled by default. Instead they had port 9530/tcp open, which was used to accept a special command that starts the telnet daemon and enables shell access with a static password which is the same for all devices.