Shakes head...
I can't believe they made such a mistake. We have known for a very, very long time that it is not a good idea to try and stick something into a hole when it is too long to fit in the hole.
Chinese camera-maker Dahua has flicked out a patch to fix a possible remote code execution vulnerability in its Web admin interface. The company uses a Web interface named as “Sonia”* in this CERT advisory – and there's a stack buffer overflow to fix. Unpatched, the advisory states, various versions of the Dahua firmware don' …
Sonia (for Dahua) and Sofia (for Jufeng/Xiongmai) are just the names of a binary blob that provides both the GUI and the web/proprietary interface to the DVR/NVR/IPC. This is the last thing the embedded Linux that is the OS of these devices runs as part of its init script. They also provide certain backdoors (such as password reset capability).
I am sure Hikvision has a similarly named blob running in their firmware, but I never personally analysed their firmware.
You can extract these from their firmware downloads with the right tools. I can provide links... ;-)
More info on Sofia here: http://marcusjenkins.com/hacking-cheap-ebay-ip-camera/
So that'll be a hardcoded unchangeable admin password running on an undisclosed telnet service that can't be turned off.
The simple rule with any of these cameras is not to expose them to the internet as they are mostly horribly insecure.
"The simple rule with any of these cameras is not to expose them to the internet as they are mostly horribly insecure."
Amen. That said, the fact that they appear to have started a "discover - create patch - notify" cycle is IMHO encouraging. It shows some may realise that doing it better keeps the sales going.
" It shows some may realise that doing it better keeps the sales going.."
I'm not so sure about that - these are hardly deeply buried, tricky bugs, after all; they're there not so much due to a momentary lapse of concentration but rather due to not caring all that much. And if an entire industry seems to flout all security concerns openly like that, I wonder if the lesson they learned isn't in fact the opposite: "the cost of doing it right doesn't justify the difference in sales..."
We use Hikvision, not Dahua (I've always seen them as the 'bargain/cheap knock-off' alternative to Hikvision, as their interfaces and GUIs always seem a bit 'Fisher-Price' in comparison; see also: SWANN).
We don't ever expose cameras directly to the internet. Smaller deployments are 'plug and play' (the cameras go directly into the back of the NVR, which has a built-in switch). The bigger ones are kept on a segregated physical network and/or a VLAN and are accessible remotely via VPN.
Unfortunately, as with any trade, for every company that does things *properly*, there will be 10 'cowboys' following shortly behind who do things by half-measures.
Should I f**k.
Either could be wrong.
Both could be wrong.
Any field length should be treated as advisory, i.e. a possible lie.
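The point made in the comments above (a length field supplied by the client is a claim, not a fact, and a stack buffer overflow is what happens when something too long is copied into a fixed-size hole) is the whole class of bug the advisory describes. The following is an added illustration, not code from the thread, the CERT advisory or Dahua's Sonia binary. The wire format (one length byte followed by that many payload bytes), the 32-byte stack buffer, the sample requests and every function name are invented for the example; nothing here is a claim about how the real vulnerability looks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer in a request handler. The real
 * field and its size are not known from the thread; this is an illustration. */
#define FIELD_MAX 32

/* Constructed wire format, not Dahua's: one length byte, then that many
 * payload bytes. The length byte is under the client's control. */

/* Vulnerable pattern: the declared length is trusted. It is never compared
 * with FIELD_MAX (the stack buffer) or with the bytes actually received, so
 * a request with a large length byte overwrites the stack. Shown for
 * contrast; this file never calls it with hostile input. */
int handle_field_unchecked(const uint8_t *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    memcpy(field, msg + 1, declared);   /* BUG: declared can exceed FIELD_MAX */
    return (int)declared;
}

/* Hardened pattern: the declared length is a claim to be verified. Both
 * failure modes are rejected: claiming more bytes than were received (an
 * out-of-bounds read of the request buffer) and claiming more than the
 * destination can hold (the stack overflow). Returns the field length, or -1. */
int parse_field_checked(const uint8_t *msg, size_t msg_len,
                        char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || msg_len < 1 || out_len == 0)
        return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1)     /* claims bytes that never arrived */
        return -1;
    if (declared >= out_len)        /* would not fit, keeping room for NUL */
        return -1;
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Request handler using the hardened parser with the same-sized stack buffer. */
int handle_field_checked(const uint8_t *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    return parse_field_checked(msg, msg_len, field, sizeof field);
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t REQ_BENIGN[]    = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t REQ_TRUNCATED[] = { 10, 'a', 'b', 'c' };   /* claims 10, sends 3 */
static uint8_t       REQ_OVERSIZED[1 + 200];                    /* filled below */

/* Fills REQ_OVERSIZED with a length byte of 200 and a genuine 200-byte
 * payload, i.e. the classic overflow input against a 32-byte buffer.
 * Returns the request size. */
size_t build_oversized_request(void)
{
    const uint8_t declared = 200;
    REQ_OVERSIZED[0] = declared;
    memset(REQ_OVERSIZED + 1, 'A', declared);
    return 1u + declared;
}

int main(void)
{
    size_t big_len = build_oversized_request();

    printf("benign    -> %d\n", handle_field_checked(REQ_BENIGN, sizeof REQ_BENIGN));
    printf("truncated -> %d\n", handle_field_checked(REQ_TRUNCATED, sizeof REQ_TRUNCATED));
    printf("oversized -> %d\n", handle_field_checked(REQ_OVERSIZED, big_len));
    /* handle_field_unchecked(REQ_OVERSIZED, big_len) would smash the stack here. */
    return 0;
}
```

The two checks are deliberately separate because they guard different memory: the first stops the parser reading past the end of what was received, the second stops it writing past the end of the stack buffer. A handler that only checks one of them is still exploitable through the other.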
On the upside actually issuing an update patch is a start, so not a total fail.
Let's see if they can keep the patches up.