Hikvision Digital Video Recorder Cross-Site Request Forgery
Title: Hikvision Digital Video Recorder Cross-Site Request Forgery
Advisory ID: ZSL-2016-5315
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.04.2016
Summary
Hikvision is the global leader in video surveillance products and solutions, manufacturing a wide range of top-quality, reliable, and professional solutions.
Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the origin of those requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Vendor
Hikvision Digital Technology Co., Ltd - http://www.hikvision.com
Affected Version
LV-D2104CS
DS-7316HFI-ST
DS-7216HVI-SV/A
DS-7208HVI-SH
DS-7204HVI-SH
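The request-validity check that the Description section says is missing, as an added defensive example (this is not the advisory's hikvision_csrf.html PoC and not Hikvision code): a stand-in handler that authorises on the session cookie alone, beside one that also requires a same-origin source and a session-bound anti-CSRF token. The device address, the Request shape and the handler names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the DVR web interface (assumption: a session cookie
# identifies the logged-in administrator and actions arrive as HTTP requests).
DEVICE_ORIGIN = "http://192.0.2.10"  # assumed device address (RFC 5737 range)

@dataclass
class Request:
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

class Sessions:
    """Logged-in sessions, each with its own random anti-CSRF token."""

    def __init__(self):
        self._by_cookie = {}

    def login(self, user):
        cookie, token = secrets.token_hex(16), secrets.token_hex(16)
        self._by_cookie[cookie] = {"user": user, "csrf": token}
        return cookie, token

    def lookup(self, cookie):
        return self._by_cookie.get(cookie)

def handle_vulnerable(sessions, req):
    """Pattern the advisory describes: the cookie alone authorises the action,
    and browsers attach it to requests started by any site."""
    if sessions.lookup(req.cookies.get("session")) is None:
        return 401
    return 200  # action performed with the administrator's privileges

def handle_hardened(sessions, req):
    """Same action with the validity checks the advisory says are missing:
    same-origin source and a session-bound token compared in constant time."""
    sess = sessions.lookup(req.cookies.get("session"))
    if sess is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
        return 403  # cross-site request
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf"].encode()):
        return 403  # missing or wrong anti-CSRF token
    return 200
```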
Tested On
Hikvision-Webs
Vendor Status
[19.01.2016] Vulnerability discovered.
[30.01.2016] Vendor contacted.
[30.01.2016] Vendor responds asking more details.
[30.01.2016] Sent details to the vendor.
[01.02.2016] Vendor has issues reproducing.
[01.02.2016] Sent more details to the vendor.
[03.02.2016] Vendor working on the issue.
[05.02.2016] Asked vendor for status update.
[11.02.2016] No response from the vendor.
[12.02.2016] Asked vendor for status update.
[13.02.2016] Vendor scheduled patch release.
[18.02.2016] Working with the vendor.
[26.02.2016] Asked vendor for status update.
[26.02.2016] Vendor informs patch is still in development.
[01.03.2016] Vendor sends firmware DS-7208HVI-SH patch to ZSL for verification.
[01.03.2016] ZSL verifies fix.
[14.03.2016] Asked vendor for scheduled patch release date.
[14.03.2016] Vendor informs that firmware DS-7208HVI-SH is off production, the issue will be fixed in other products soon.
[08.04.2016] Public security advisory released.
PoC
hikvision_csrf.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://overseas.hikvision.com/europe/list01_435.html
[2] https://packetstormsecurity.com/files/136629
[3] https://cxsecurity.com/issue/WLB-2016040053
[4] https://www.exploit-db.com/exploits/39677/
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/112141
Changelog
[08.04.2016] - Initial release
[10.04.2016] - Added reference [2] and [3]
[11.04.2016] - Added reference [4]
[14.04.2016] - Added reference [5]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk