Hikvision Digital Video Recorder Cross-Site Request Forgery

Title: Hikvision Digital Video Recorder Cross-Site Request Forgery
Advisory ID: ZSL-2016-5315
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.04.2016
Summary
Hikvision is the global leader in video surveillance products and solutions, manufacturing a wide range of top-quality, reliable, and professional solutions.
Description
The application's web interface allows users to perform certain actions via HTTP requests without any validity check that the request was intentionally issued by the user. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
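As an added illustration (not part of the advisory and not Hikvision's code), this is the kind of server-side validity check the description says is missing: state-changing requests are rejected unless they carry a token bound to the user's session and do not arrive from a foreign origin. The trusted origin, cookie name and parameter name are assumptions for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed origin of the DVR web interface (hypothetical for this example).
TRUSTED_ORIGIN = "http://dvr.example.local"
# Methods treated as state-changing. This check only helps if the device
# does not also expose state-changing actions on GET.
UNSAFE_METHODS = {"POST", "PUT", "DELETE"}


def issue_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token that the server can recompute
    without storing it; it is embedded in the interface's own forms."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_valid(method: str, headers: dict, cookies: dict,
                     form: dict, secret: bytes) -> tuple:
    """Return (accepted, reason) for one HTTP request.

    A request forged from another site carries the victim's session cookie
    (the browser attaches it automatically) but cannot read the victim's
    token and, in a browser, cannot spoof the Origin header."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    # Origin/Referer check: browsers set these on cross-site form posts.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
            return False, "cross-site origin"
    # Token check, in constant time; a missing token is simply a mismatch.
    expected = issue_token(session_id, secret)
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a forged cross-site request and a legitimate one.
    secret = b"constructed-demo-secret"
    cookies = {"session": "sess-42"}
    forged = request_is_valid("POST", {"Origin": "http://evil.example"},
                              cookies, {"admin": "1"}, secret)
    genuine = request_is_valid("POST", {"Origin": TRUSTED_ORIGIN}, cookies,
                               {"csrf_token": issue_token("sess-42", secret)},
                               secret)
    print("forged:", forged, "genuine:", genuine)
```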
Vendor
Hikvision Digital Technology Co., Ltd - http://www.hikvision.com
Affected Version
LV-D2104CS
DS-7316HFI-ST
DS-7216HVI-SV/A
DS-7208HVI-SH
DS-7204HVI-SH
Tested On
Hikvision-Webs
Vendor Status
[19.01.2016] Vulnerability discovered.
[30.01.2016] Vendor contacted.
[30.01.2016] Vendor responds asking for more details.
[30.01.2016] Sent details to the vendor.
[01.02.2016] Vendor has issues reproducing.
[01.02.2016] Sent more details to the vendor.
[03.02.2016] Vendor working on the issue.
[05.02.2016] Asked vendor for status update.
[11.02.2016] No response from the vendor.
[12.02.2016] Asked vendor for status update.
[13.02.2016] Vendor scheduled patch release.
[18.02.2016] Working with the vendor.
[26.02.2016] Asked vendor for status update.
[26.02.2016] Vendor informs patch is still in development.
[01.03.2016] Vendor sends firmware DS-7208HVI-SH patch to ZSL for verification.
[01.03.2016] ZSL verifies fix.
[14.03.2016] Asked vendor for scheduled patch release date.
[14.03.2016] Vendor informs that the DS-7208HVI-SH firmware is out of production; the issue will be fixed in other products soon.
[08.04.2016] Public security advisory released.
PoC
hikvision_csrf.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://overseas.hikvision.com/europe/list01_435.html
[2] https://packetstormsecurity.com/files/136629
[3] https://cxsecurity.com/issue/WLB-2016040053
[4] https://www.exploit-db.com/exploits/39677/
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/112141
Changelog
[08.04.2016] - Initial release
[10.04.2016] - Added reference [2] and [3]
[11.04.2016] - Added reference [4]
[14.04.2016] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk