CVE-2013-4975
published 2019-12-27

CVE-2013-4975: Hikvision DS-2CD7153-E IP Camera has Privilege Escalation

Priority P263 · high · 8.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.33% (95.7th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
hikvision | ds-2cd7153-e_firmware | |

Detection & IOCs (extracted from sources)

url: /PSIA/System/ConfigurationData
cookie: userInfo80=YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==
path: /doc/pages/main.asp
path: /doc/pages/scripts/login.js
port: 554
command: PLAY rtsp://<HOST>/ RTSP/1.0 CSeq: 7 Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
other: anonymous:\177\177\177\177\177\177
version: v4.1.0 b130111
  • Detect CVE-2013-4975 privilege escalation by monitoring HTTP GET requests to the path /PSIA/System/ConfigurationData from non-admin authenticated sessions.
  • Detect CVE-2013-4976 authentication bypass by inspecting cookies named 'userInfo<port>' (e.g. userInfo80) for the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' corresponding to hardcoded anonymous credentials.
  • Detect CVE-2013-4977 RTSP buffer overflow by monitoring RTSP PLAY requests on port 554 containing an oversized or pattern-filled 'Range: npt=' header value.
  • The RTSP exploit uses a cyclic pattern in the Range header (Aa0Aa1Aa2... aLSaLSaLS) characteristic of buffer overflow offset-finding; alert on RTSP Range headers containing such patterns.
  • The privilege escalation (CVE-2013-4975) requires a valid (non-admin) user account to authenticate and retrieve the encrypted configuration data; it is not fully unauthenticated.
  • The anonymous authentication bypass (CVE-2013-4976) cannot be used directly through the login form; it requires forging a cookie and is limited in scope to the web UI, not the PSIA API.
  • The RTSP buffer overflow (CVE-2013-4977) requires no authentication and causes a process crash followed by a watchdog-triggered full restart; it may lead to remote code execution.
  • Numerous Hikvision camera models beyond the DS-2CD7153-E share the same affected firmware v4.1.0 b130111 and are likely vulnerable.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C