Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-7921 PoC — 多款Hikvision产品安全漏洞

Source
https://github.com/p4tq/hikvision_CVE-2017-7921_auth_bypass_config_decryptor
Associated Vulnerability
Title:多款Hikvision产品安全漏洞 (CVE-2017-7921)
Description:An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
Readme
# hikvision_CVE-2017-7921_auth_bypass_config_decryptor
This python file will decrypt the configurationFile used by hikvision cameras vulnerable to CVE-2017-7921.

https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0876.html/

# Description 

Hikvision IP Cameras Authentication Bypass (CVE-2017-7921)

Basically, hikvision cameras that are vulnerable to the CVE listed above, can have several routes exposed by using a simple base64 string supplied as an argument in the url. 

For example:

`/System/configurationFile?auth=YWRtaW46MTEK`

This would allow an unauthenticated user to download the config file for the camera which includes user information. This configuration file uses weak encryption and a static key by default.

The python script supplied, will decrypt this configuration file. 

I also supply a sample generated example configuration file for you to test. 

# How To Use

`./decrypt_configurationFile.py <nameofdownloadedconfig>`


# Dependencies:

`sudo python3 -m pip install pycryptodome`

**Tested on Ubunut 20.04 with python 3.8.5**
File Snapshot

 [4.0K]  /data/pocs/c19123c8e35a5556717d6fd850de15b26a71bec7
├── [867K]  configurationFile
├── [1.2K]  decrypt_configurationFile.py
├── [1.0K]  LICENSE
└── [1.0K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →