On March 6, 2017, during routine monitoring, our specialists found on SecLists a message from an independent researcher who reported problems in Dahua products. The user under the name mcw0 was convinced that this vulnerability, namely unauthenticated user management, was left by the manufacturer on purpose. Based on personal beliefs, the researcher decided to notify the community of the defect first and put all the details and exploits in public access.
He himself says that he does not like listening to vendors' requests to keep silent about the bugs found. Nevertheless, mcw0 removed the proof of concept and gave the manufacturer 30 days to fix the vulnerability. The situation is aggravated by the fact that the software developed by Dahua is used by other companies, which in turn may not have enough resources to update their products.
Careful examination of the GitHub repository where the proof of concept was published showed that the exploit code was not completely removed and could easily be restored without waiting a month and without contacting the researcher: deleting a file in a new commit leaves it in the repository history. To completely delete a file from the history, you need to use the corresponding git functionality (git rm followed by git rebase to rewrite the earlier commits). A few days later the researcher, apparently noticing the oversight, completely removed the repository and created a new one without any traces of the exploit.
The exploit went to the IoTsploit laboratory for a thorough examination. All stages of the attack were reproduced manually to understand its mechanics. The main bug was that the device's configuration file is available for download to any unauthenticated user.
This is a very common mistake among IoT device developers. Similar vulnerabilities were made in their time by developers from D-Link, Humax (CVE-2017-7315), Broadcom (CVE-2013-3690) and other companies. The downloaded file contains the entire list of device users and their password hashes.
Should the database leak, hashed passwords are meant to make it difficult for an attacker to gain access to the system. But in our case, the hash alone is sufficient because of a second vulnerability, pass-the-hash: the desktop client for the camera authenticates to the device not with the password but with a hash of the password, so the stored hash is itself a working credential.
Thus, the exploit allows an attacker to get into the system and manage the camera under the guise of a desktop client. All exploit code was completely rewritten and embedded in our in-house framework, the IoTsploit scanner, available by subscription. In addition, we have developed a public tool to check any IP on the Internet for susceptibility to these vulnerabilities.
This tool does not contain a payload and therefore cannot damage the device being tested. We used the same tool to check 23 thousand Dahua devices found through the Shodan search engine. An updated graph of the number of vulnerable devices is also publicly available.
The checker is here: co/dahua/. This research and the checker were made by the IoTSploit Team (Gleb Ershov). Feel free to contact us at and visit our website at co/.
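The two defects described above combine: an export reachable without authentication leaks the user table, and the stored hash doubles as the wire credential. The following is an added Python model (not Dahua's code or the IoTsploit tool) contrasting that legacy design with a hardened one; the user name, password and MD5 choice are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed demo credentials; not Dahua's real scheme or data.
DEMO_PASSWORD = "admin123"

# Legacy model of the flaw: the stored hash is also what the client sends,
# so anyone holding the exported hash can log in (pass-the-hash).
LEGACY_USERS = {"admin": hashlib.md5(DEMO_PASSWORD.encode()).hexdigest()}

def legacy_login(user, wire_hash):
    stored = LEGACY_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, wire_hash)

# Hardened model: the client sends the password itself (over TLS), and the
# server stores only a salted, slow verifier that is useless as a credential.
def make_verifier(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

HARDENED_USERS = {"admin": make_verifier(DEMO_PASSWORD)}

def hardened_login(user, password):
    rec = HARDENED_USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, make_verifier(password, salt)[1])

def export_config(config, authenticated):
    """Config export must require a session and must not carry the user table."""
    if not authenticated:
        raise PermissionError("authentication required")
    return {k: v for k, v in config.items() if k != "users"}

def leaked_hash_logs_in_legacy():
    leaked = LEGACY_USERS["admin"]        # value read from an unauthenticated export
    return legacy_login("admin", leaked)

def leaked_verifier_logs_in_hardened():
    _, digest = HARDENED_USERS["admin"]   # same leak against the hardened scheme
    return hardened_login("admin", digest.hex())
```

The point is the equality of stored verifier and wire credential; once they differ and the export is gated, a leaked user table no longer yields a login.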