Information Security


Authentication bypass in Dahua DVR
Published: November 18, 2013
Source:
SecurityVulns ID: 13403
Type: remote
Severity: 5/10
Description: The TCP/37777 protocol in use allows commands to be executed without authentication.
CVE: CVE-2013-6117 (Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.)
 CVE-2013-3615 (Dahua DVR appliances use a password-hash algorithm with a short hash length, which makes it easier for context-dependent attackers to discover cleartext passwords via a brute-force attack.)
 CVE-2013-3614 (Dahua DVR appliances have a small value for the maximum password length, which makes it easier for remote attackers to obtain access via a brute-force attack.)
 CVE-2013-3613 (Dahua DVR appliances do not properly restrict UPnP requests, which makes it easier for remote attackers to obtain access via vectors involving a replay attack against the TELNET port.)
 CVE-2013-3612 (Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which makes it easier for remote attackers to obtain administrative access via authorization requests involving (a) ActiveX, (b) a standalone client, or (c) unknown other vectors.)
Original text: Jake_(at)_depthsecurity.com, Dahua DVR Authentication Bypass - CVE-2013-6117 (18.11.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod