Dahua IP cameras stung by Web interface bug

Chinese camera-maker Dahua has flicked out a patch to fix a possible remote code execution vulnerability in its Web admin interface. The Web interface is named “Sonia”* in the CERT advisory, and there's a stack buffer overflow to fix. Unpatched, the advisory states, various versions of the Dahua firmware don' …

  1. TheElder

    Shakes head...

    I can't believe they made such a mistake. We have known for a very, very long time that it is not a good idea to try and stick something into a hole that is too long to fit in the hole.

    1. Anonymous Coward

      Re: Shakes head...

      Well, I guess the code was written by guys with really short somethings, who never encountered a hole that is too short.

    2. Anonymous Coward

      Re: Shakes head...

      That's what she said.

      1. DropBear Silver badge
        Joke

        Re: Shakes head...

        This needs to be rectified immediately. Hollow strap-ons are to be issued to all Dahua code monkeys, stat!

  2. Anonymous Coward

    Binary blob

    Sonia (for Dahua) and Sofia (for Jufeng/Xiongmai) are just the names of a binary blob that provides both the GUI and the web/proprietary interface to the DVR/NVR/IPC. This is the last thing the embedded Linux that is the OS of these devices runs as part of the init script. They also provide certain backdoors (such as password reset capability).

    I am sure Hikvision has a similarly named blob running in its firmware, but I have never personally analysed their firmware.

    You can extract these from their firmware downloads with the right tools. I can provide links... ;-)
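    The extraction the poster alludes to starts with finding where the filesystem carrying the blob sits inside the firmware download. What follows is an added example, not code from this thread, from Dahua or from any extraction tool: a small signature scanner in C run over a constructed 256-byte stand-in for an image. The vendor header text, the offsets and every superblock value in it are made up; the SquashFS v4 superblock layout, its magic and the gzip member header bytes are the real formats. In practice one runs binwalk for this; the point is what such a tool checks before dd cuts the image apart.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian SquashFS v4 magic, "hsqs" as it appears on disk. */
#define SQUASHFS_LE 0x73717368u

typedef struct {
    long     gzip_off, squashfs_off;    /* -1 when not found */
    uint32_t inodes, block_size;        /* from the SquashFS superblock */
    uint16_t compression, major, minor; /* compression: 1 gzip 2 lzma 3 lzo 4 xz 5 lz4 6 zstd */
    uint64_t bytes_used;                /* filesystem length: where the next section begins */
} scan_result;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint64_t rd64le(const uint8_t *p) { return rd32le(p) | ((uint64_t)rd32le(p + 4) << 32); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64le(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the image byte by byte looking for signatures, as a carving tool does
 * before cutting with dd. Only the first hit of each kind is recorded. */
static scan_result scan_image(const uint8_t *img, size_t n)
{
    scan_result r = { -1, -1, 0, 0, 0, 0, 0, 0 };
    for (size_t i = 0; i + 3 < n; i++) {
        if (r.gzip_off < 0 && img[i] == 0x1f && img[i + 1] == 0x8b && img[i + 2] == 0x08)
            r.gzip_off = (long)i;           /* 1f 8b plus method byte 8 (deflate) */
        if (r.squashfs_off < 0 && i + 96 <= n && rd32le(img + i) == SQUASHFS_LE) {
            const uint8_t *sb = img + i;    /* field offsets per the SquashFS v4 superblock */
            r.squashfs_off = (long)i;
            r.inodes       = rd32le(sb + 4);
            r.block_size   = rd32le(sb + 12);
            r.compression  = rd16le(sb + 20);
            r.major        = rd16le(sb + 28);
            r.minor        = rd16le(sb + 30);
            r.bytes_used   = rd64le(sb + 40);
        }
    }
    return r;
}

/* Constructed 256-byte stand-in for a firmware download (not a real image):
 * a made-up vendor header, a gzip member at 32, a SquashFS superblock at 64. */
static size_t build_sample_image(uint8_t *buf, size_t cap)
{
    static const uint8_t gz[] = { 0x1f, 0x8b, 0x08, 0x00, 0, 0, 0, 0, 0x00, 0x03 };
    if (cap < 256) return 0;
    memset(buf, 0, 256);
    memcpy(buf, "FAKE-VENDOR-HEADER", 18);
    memcpy(buf + 32, gz, sizeof gz);
    uint8_t *sb = buf + 64;
    wr32le(sb + 0, SQUASHFS_LE);
    wr32le(sb + 4, 1234);       /* inode count (made up) */
    wr32le(sb + 12, 131072);    /* block size */
    wr32le(sb + 16, 7);         /* fragment count */
    wr16le(sb + 20, 4);         /* compression id 4 = xz */
    wr16le(sb + 22, 17);        /* block_log: 2^17 */
    wr16le(sb + 26, 1);         /* id count */
    wr16le(sb + 28, 4);         /* version 4.0 */
    wr16le(sb + 30, 0);
    wr64le(sb + 40, 3000000);   /* bytes_used (made up) */
    return 256;
}

static scan_result scan_sample(void)
{
    uint8_t img[256];
    return scan_image(img, build_sample_image(img, sizeof img));
}

static const char *comp_name(uint16_t id)
{
    static const char *names[] = { "?", "gzip", "lzma", "lzo", "xz", "lz4", "zstd" };
    return id < 7 ? names[id] : "?";
}

int main(void)
{
    scan_result r = scan_sample();
    printf("%-8s %-10s %s\n", "OFFSET", "TYPE", "DETAIL");
    printf("%-8ld %-10s deflate member (kernel or initramfs candidate)\n", r.gzip_off, "gzip");
    printf("%-8ld %-10s v%u.%u, %s, %u inodes, block %u, %llu bytes (ends at %llu)\n",
           r.squashfs_off, "squashfs", r.major, r.minor, comp_name(r.compression),
           r.inodes, r.block_size, (unsigned long long)r.bytes_used,
           (unsigned long long)(r.squashfs_off + r.bytes_used));
    return 0;
}
```

    The bytes_used field is the one to read before cutting: offset plus bytes_used is where the SquashFS section ends, and the compression id tells you which unsquashfs build you need. On a real download the vendor header and the rest of the layout differ per model, so the offsets above mean nothing beyond this constructed sample.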

    1. Arisia

      Re: Binary blob

      More info on Sofia here: http://marcusjenkins.com/hacking-cheap-ebay-ip-camera/

      So that'll be a hardcoded unchangeable admin password running on an undisclosed telnet service that can't be turned off.

      The simple rule with any of these cameras is not to expose them to the internet as they are mostly horribly insecure.

      1. Anonymous Coward

        Re: Binary blob

        The simple rule with any of these cameras is not to expose them to the internet as they are mostly horribly insecure.

        Amen. That said, the fact that they appear to have started a "discover - create patch - notify" cycle is IMHO encouraging. It shows some may realise that doing it better keeps the sales going.

        1. DropBear Silver badge

          Re: Binary blob

          " It shows some may realise that doing it better keeps the sales going.."

          I'm not so sure about that - these are hardly deeply buried tricky bugs after all; they're there not so much due to a momentary lapse of concentration but rather due to not caring all that much. And if an entire industry seems to flaunt all security concerns openly like that, I wonder if the lesson they learned isn't in fact the opposite - "the cost of doing it right doesn't justify the difference in sales..."

      2. Anonymous Coward

        Re: Binary blob

        We use Hikvision, not Dahua (I've always seen them as the 'bargain/cheap knock off' alternative to Hikvision, as their interfaces and GUIs always seem a bit 'fisher price' in comparison). (See also: SWANN)

        We don't ever expose cameras directly to the internet. Smaller deployments are 'plug and play' (they go directly into the back of the NVR, which has a built-in switch); the bigger ones are kept on a segregated physical network and/or a VLAN and are accessible remotely via VPN.

        Unfortunately, as with any trade, for every company that does things *properly*, there will be 10 'cowboys' following shortly behind who do things by half-measures.

  3. John Smith 19 Gold badge
    Unhappy

    Should I trust a field or field length supplied by an outside source?

    Should I f**k.

    Either could be wrong.

    Both could be wrong.

    Any field length should be treated as advisory, i.e. a possible lie.

    On the upside actually issuing an update patch is a start, so not a total fail.

    Let's see if they can keep the patches up.

    1. Daggerchild Silver badge

      Re: Should I trust a field or field length supplied by an outside source?

      Content-Length: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000........

      See also, Content-Encoding: gzip; dd if=/dev/zero | gzip -9c -
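    To make the two points above concrete (John Smith 19's "treat the length as advisory" and Daggerchild's pathological Content-Length), here is an added example in C that is not from the article, the CERT advisory or Dahua's code. The two-byte length-prefixed wire format and the FIELD_MAX and BODY_MAX limits are assumptions for illustration; the three messages and the header values are constructed. The naive path is reported as a number rather than executed, so the program runs cleanly while still showing how far past a 32-byte stack buffer each message would write.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 32           /* fixed stack buffer a parsed field is copied into */
#define BODY_MAX  (1u << 20)   /* largest request body this hypothetical handler accepts */

/* Constructed sample messages, not captured traffic. Assumed wire format
 * (hypothetical, not Dahua's): 2-byte big-endian length, then that many bytes. */
static const uint8_t MSG_GOOD[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t MSG_LIE[]  = { 0x10, 0x00, 'A','A','A','A','A','A','A','A','A','A' }; /* claims 4096, carries 10 */

/* The naive pattern behind a "trusted length" stack overflow: read the length
 * and memcpy that many bytes into a fixed buffer. Reported as a number instead
 * of executed, so the damage can be measured without triggering it. */
static size_t naive_copy_len(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2) return 0;
    return ((size_t)msg[0] << 8) | msg[1];
}

/* Bytes the naive memcpy would write past a FIELD_MAX buffer (0 if none). */
static size_t naive_overrun(const uint8_t *msg, size_t msg_len)
{
    size_t n = naive_copy_len(msg, msg_len);
    return n > FIELD_MAX ? n - FIELD_MAX : 0;
}

/* Hardened parser: the declared length is advisory. Copies into out (cap bytes,
 * NUL-terminated) and returns bytes copied, or -1 if the sender declared more
 * than the buffer holds or more than actually arrived. */
static int parse_field(const uint8_t *msg, size_t msg_len, char *out, size_t cap)
{
    if (msg_len < 2 || cap == 0) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > cap - 1)     return -1;   /* would overflow out */
    if (len > msg_len - 2) return -1;   /* fewer bytes arrived than declared */
    memcpy(out, msg + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Parse into a FIELD_MAX stack buffer and report only the verdict. */
static int field_result(const uint8_t *msg, size_t msg_len)
{
    char buf[FIELD_MAX];
    return parse_field(msg, msg_len, buf, sizeof buf);
}

/* Third case: the length is honest about the 60 bytes present but still larger
 * than the buffer, so only the buffer-size check catches it. */
static void build_oversized(uint8_t msg[62]) { msg[0] = 0x00; msg[1] = 60; memset(msg + 2, 'B', 60); }
static size_t oversized_naive_overrun(void) { uint8_t m[62]; build_oversized(m); return naive_overrun(m, sizeof m); }
static int    oversized_hardened(void)      { uint8_t m[62]; build_oversized(m); return field_result(m, sizeof m); }

/* Content-Length as a possible lie: digits only, bounded digit count (so the
 * conversion cannot overflow) and bounded value (so no huge allocation or
 * endless read). Returns 0 and stores the value, or -1 for anything suspicious. */
static int parse_content_length(const char *value, size_t *out)
{
    size_t n = strlen(value);
    if (n == 0 || n > 19) return -1;   /* 19 digits fit in 64 bits; a longer run is a lie */
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)value[i])) return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > BODY_MAX) return -1;
    *out = (size_t)v;
    return 0;
}

/* Daggerchild's header: a run of ndigits zeros, built here rather than captured. */
static int parse_zero_run(size_t ndigits)
{
    char hdr[256];
    size_t out = 0;
    if (ndigits >= sizeof hdr) return -1;
    memset(hdr, '0', ndigits);
    hdr[ndigits] = '\0';
    return parse_content_length(hdr, &out);
}

int main(void)
{
    size_t cl = 0;
    printf("good:      naive copies %zu, hardened returns %d\n",
           naive_copy_len(MSG_GOOD, sizeof MSG_GOOD), field_result(MSG_GOOD, sizeof MSG_GOOD));
    printf("lying:     naive overruns by %zu bytes, hardened returns %d\n",
           naive_overrun(MSG_LIE, sizeof MSG_LIE), field_result(MSG_LIE, sizeof MSG_LIE));
    printf("oversized: naive overruns by %zu bytes, hardened returns %d\n",
           oversized_naive_overrun(), oversized_hardened());
    printf("Content-Length 5 -> %d, 139 zeros -> %d, 20 nines -> %d\n",
           parse_content_length("5", &cl), parse_zero_run(139),
           parse_content_length("99999999999999999999", &cl));
    return 0;
}
```

    Two checks, not one: the declared length is compared against the destination buffer and against the bytes that actually arrived, because either can be the lie. The Content-Length rule rejects on digit count before converting, which is what stops a 139-character run of zeros or a 20-digit value from ever reaching an allocation or a read loop; a gzip-encoded body needs the same cap applied to the decompressed size, which this snippet does not attempt.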

  4. Anonymous Coward
    Joke

    It's been fixed.....

    ...Max password length 4 characters.

    No uppercase, no special characters.

    Dictionary words only.


Biting the hand that feeds IT © 1998–2020