CVE-2013-3612
Published: 2013-09-17
Priority: P2 (71) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Flags: EXPLOIT
EPSS: 10.30% (percentile 95.1)
Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which makes it easier for remote attackers to obtain administrative access via authorization requests involving (a) ActiveX, (b) a standalone client, or (c) unknown other vectors.
Detection & IOCs (extracted from sources)

IOC byte patterns (hex-escaped):
- \xa1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \xb1\x00\x00\x58\x00\x00\x00\x00
- \xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \xa6\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
- \x60\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Detection:
- Detect unauthenticated binary protocol probes to TCP/37777, the default Dahua DVR administrative service port. The initial probe packet begins with byte \xa1 followed by 31 null bytes (32 bytes total); a genuine DVR responds with the 8-byte signature \xb1\x00\x00\x58\x00\x00\x00\x00.
- Alert on connections to TCP/37777 that are NOT preceded by a successful authentication exchange; the vulnerability allows all commands to be replayed without authentication.
- Monitor for the known hardcoded/default password hashes on TCP/37777: '4WzwxXxM' (for account 888888), 'sh15yfFM' (for account 666666), and '6QNMIQGe' (for account admin) appearing in traffic to/from Dahua DVR devices.
- Flag inbound telnet connections to Dahua DVR devices; devices listen for telnet by default with a static, publicly known root password.
- Detect the 'config' string (bytes \x63\x6f\x6e\x66\x69\x67) at offset 8 in 32-byte binary requests to TCP/37777, which is characteristic of unauthenticated config-dump commands (email, DDNS, NAS settings retrieval).
- Presence of the ActiveX control 'webrec.cab' being loaded in a browser may indicate a Dahua DVR web interface is being accessed; correlate with subsequent TCP/37777 connections for exploitation attempts.

Caveats:
- The administrative service port TCP/37777 is configurable and may be changed from the default on some deployments; scanning/detection rules should account for non-default ports.
- The revolving backdoor account password is a simple date hash, meaning its value changes over time and cannot be treated as a static IOC.
- The vulnerability affects Dahua-rebranded DVRs in addition to first-party Dahua devices; detections should not be limited to devices explicitly identified as Dahua-branded.
- Passwords on affected devices are limited to 6 characters, which significantly reduces the keyspace for any credential-based detection or brute-force scenarios.
- The DVR password hashing algorithm is a weak 48-bit hash; hashes observed in traffic should not be assumed to represent strong credential protection.
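The byte-level detection ideas above (the \xa1 probe, the \xb1 DVR signature, and the 'config' tag at offset 8 of a 32-byte request) are easy to turn into a small payload classifier. The following is an added example written for this page; it is not code from the source, from Dahua, or from any detection product. It matches on payload content rather than on port number, so it also covers the non-default-port caveat. The function names, the "client"/"server" direction labels, the severity prefixes, the `authenticated` flag (standing in for whatever upstream state tracks an observed authentication exchange), and the sample session are all assumptions constructed for the example; the byte patterns themselves are the ones listed on the page.

```python
"""Detection logic for the Dahua DVR TCP/37777 IOCs listed above (added example)."""
from typing import Iterable, List, Optional, Tuple

DAHUA_DEFAULT_PORT = 37777   # configurable on some units; matching below is payload-based


def parse_escaped(s: str) -> bytes:
    """Convert the page's '\\xa1\\x00...' notation into raw bytes."""
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1")


# Patterns from the IOC list on the page.
PROBE_REQUEST = parse_escaped(r"\xa1" + r"\x00" * 31)                 # 32-byte initial probe
PROBE_RESPONSE = parse_escaped(r"\xb1\x00\x00\x58\x00\x00\x00\x00")   # 8-byte DVR signature
CONFIG_TAG = b"config"   # \x63\x6f\x6e\x66\x69\x67 at offset 8 of a 32-byte request
CONFIG_TAG_OFFSET = 8


def classify_payload(payload: bytes, from_client: bool) -> Optional[str]:
    """Label a single segment payload, or return None if it matches nothing."""
    if from_client and payload == PROBE_REQUEST:
        return "probe-request"
    if not from_client and payload.startswith(PROBE_RESPONSE):
        return "probe-response"          # prefix match tolerates longer replies
    if (from_client and len(payload) == 32
            and payload[CONFIG_TAG_OFFSET:CONFIG_TAG_OFFSET + len(CONFIG_TAG)] == CONFIG_TAG):
        return "config-dump-request"
    return None


def analyze_session(messages: Iterable[Tuple[str, bytes]],
                    authenticated: bool = False) -> List[str]:
    """Walk one connection's payloads (direction is "client" or "server") and return alerts.

    `authenticated` (assumed to be supplied by the caller) records whether an
    authentication exchange was seen earlier in the session; the page says every
    command replays without authentication, so a config-dump request in an
    unauthenticated session is the high-priority signal.
    """
    alerts: List[str] = []
    for direction, payload in messages:
        label = classify_payload(payload, direction == "client")
        if label == "probe-request":
            alerts.append("INFO probe-request: 0xa1 + 31 nulls from client")
        elif label == "probe-response":
            alerts.append("MEDIUM probe-response: server answered with Dahua DVR signature")
        elif label == "config-dump-request":
            sel = payload[16]   # differs across the listed IOCs (0x0b, 0x8c, 0x25); reported raw
            if authenticated:
                alerts.append(f"LOW config-dump-request after auth (byte16=0x{sel:02x})")
            else:
                alerts.append(f"HIGH unauthenticated config-dump-request (byte16=0x{sel:02x})")
    return alerts


# Constructed sample session: probe, DVR reply, one config-dump request, one unrelated segment.
SAMPLE_SESSION = [
    ("client", PROBE_REQUEST),
    ("server", PROBE_RESPONSE),
    ("client", parse_escaped(
        r"\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x0b" + r"\x00" * 15)),
    ("client", b"\x00" * 32),   # constructed noise; must not match anything
]

if __name__ == "__main__":
    for alert in analyze_session(SAMPLE_SESSION):
        print(alert)
```

Feeding reassembled TCP payloads from a capture into `analyze_session`, one connection at a time, yields one alert per matching segment; the unrelated all-zero segment produces nothing, and the same config-dump request is downgraded when the caller reports that authentication was observed.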
Related advisories (GHSA):
- GHSA-3c7g-8x9w-wjqp (CVE-2013-3612, HIGH, ghsa_unreviewed, 2022-05-17): Dahua DVR appliances have a hardcoded password for (1) the root account and (2) an unspecified "backdoor" account, which makes it easier for remote attackers to obtain administrative access via authorization requests involving (a) ActiveX, (b) a standalone client, or (c) unknown other vectors.
- GHSA-hprw-r36q-86cc (CVE-2013-5754, CRITICAL, CVSS 10.0, ghsa_unreviewed, 2022-05-17): The authorization implementation on Dahua DVR appliances accepts a hash string representing the current date for the role of a master password, which makes it easier for remote attackers to obtain administrative access and change the administrator password via requests involving (1) ActiveX, (2) a standalone client, or (3) unspecified other vectors, a different vulnerability than CVE-2013-3612.
No detection rules found.
No writeups or analysis indexed.