CVE-2013-4975: Hikvision DS-2CD7153-E IP Camera has Privilege Escalation
Published 2019-12-27
Priority: P263 high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.33% (95.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | ds-2cd7153-e_firmware | — | — |
Detection & IOCs (extracted from sources)
Command:
```
PLAY rtsp://<HOST>/ RTSP/1.0
CSeq: 7
Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS
User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
```
- Detect CVE-2013-4975 privilege escalation by monitoring HTTP GET requests to the path /PSIA/System/ConfigurationData from non-admin authenticated sessions.
- Detect CVE-2013-4976 authentication bypass by inspecting cookies named 'userInfo<port>' (e.g. userInfo80) for the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' corresponding to hardcoded anonymous credentials.
- Detect CVE-2013-4977 RTSP buffer overflow by monitoring RTSP PLAY requests on port 554 containing an oversized or pattern-filled 'Range: npt=' header value.
- The RTSP exploit uses a cyclic pattern in the Range header (Aa0Aa1Aa2... aLSaLSaLS) characteristic of buffer overflow offset-finding; alert on RTSP Range headers containing such patterns.
- The privilege escalation (CVE-2013-4975) requires a valid (non-admin) user account to authenticate and retrieve the encrypted configuration data; it is not fully unauthenticated.
- The anonymous authentication bypass (CVE-2013-4976) cannot be used directly through the login form; it requires forging a cookie and is limited in scope to the web UI, not the PSIA API.
- The RTSP buffer overflow (CVE-2013-4977) requires no authentication and causes a process crash followed by a watchdog-triggered full restart; it may lead to remote code execution.
- Numerous Hikvision camera models beyond the DS-2CD7153-E share the same affected firmware v4.1.0 b130111 and are likely vulnerable.
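
The three detections listed above can be expressed as checks over raw requests. The following is an added example, not a rule from this page's sources: the function names, the `MAX_NPT_LEN` threshold, the `camera.example` host and the caller-supplied `is_admin` flag are assumptions. It goes slightly beyond the list by validating the `npt=` value against the RFC 2326 grammar, so any non-conforming value is flagged, not only the cyclic pattern.

```python
import re
# Base64 cookie value quoted on this page for the hardcoded anonymous credentials.
ANON_COOKIE = "YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=="
CONFIG_PATH = "/PSIA/System/ConfigurationData"
# RFC 2326 npt-time: "now", seconds[.fraction] or h:mm:ss[.fraction].
_T = r"(?:now|\d+(?:\.\d*)?|\d+:\d{1,2}:\d{1,2}(?:\.\d*)?)"
NPT_RANGE = re.compile(rf"(?:{_T}-(?:{_T})?|-{_T})")
MAX_NPT_LEN = 32  # assumed threshold; legitimate npt ranges are far shorter

def parse_request(raw):
    """Return (request-line tokens, {lower-cased header name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(), headers

def check_rtsp(raw):
    """Alerts for an RTSP request on port 554 (CVE-2013-4977 indicators)."""
    tokens, headers = parse_request(raw)
    rng, alerts = headers.get("range", ""), []
    if tokens and tokens[0].upper() == "PLAY" and rng.lower().startswith("npt="):
        value = rng[4:].strip()
        if len(value) > MAX_NPT_LEN:
            alerts.append("oversized-npt-range")
        if not NPT_RANGE.fullmatch(value):
            alerts.append("malformed-npt-range")
    return alerts

def check_http(raw, is_admin):
    """Alerts for a web request; is_admin comes from the caller's session data."""
    tokens, headers = parse_request(raw)
    alerts = []
    path = tokens[1].split("?", 1)[0].rstrip("/") if len(tokens) > 1 else ""
    if tokens and tokens[0] == "GET" and path == CONFIG_PATH and not is_admin:
        alerts.append("non-admin-config-read")  # CVE-2013-4975
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if re.fullmatch(r"userInfo\d+", name) and value.strip('"') == ANON_COOKIE:
            alerts.append("anonymous-cookie")  # CVE-2013-4976
    return alerts

# The request shown on this page, with a placeholder host (constructed sample).
SAMPLE_PLAY = ("PLAY rtsp://camera.example/ RTSP/1.0\r\nCSeq: 7\r\n"
    "Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n\r\n")
```

`check_rtsp(SAMPLE_PLAY)` returns both RTSP alerts, while a normal `Range: npt=0.000-` returns none. The cookie check compares the raw value only, so URL-encoded cookie values need decoding before the call.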
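CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |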
No detection rules found.
- http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
- http://www.securityfocus.com/bid/61643
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86291