CVE-2013-4976
Published 2019-12-27
CVE-2013-4976: Hikvision DS-2CD7153-E IP Camera has security bypass via hardcoded credentials
Priority P274 · critical · 9.8 (CVSS 3.1)
EXPLOIT
EPSS: 36.11% (98.3th percentile)
Detection & IOCs (extracted from sources)
command:
PLAY rtsp://<host>/ RTSP/1.0
CSeq: 7
Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS
User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)
- Detect authentication bypass attempts by monitoring for HTTP requests containing the cookie name 'userInfo80' (or 'userInfoXX' for other ports) with the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' corresponding to the hardcoded anonymous credentials.
- Monitor HTTP GET requests to '/PSIA/System/ConfigurationData' from non-admin accounts as an indicator of CVE-2013-4975 credential-harvesting attempts.
- Detect CVE-2013-4977 RTSP buffer overflow exploitation attempts by inspecting RTSP PLAY requests on TCP/554 for an oversized or pattern-filled 'Range: npt=' header value (e.g. containing cyclic pattern strings like 'Aa0Aa1Aa2...').
- Monitor for HTTP requests to '/doc/pages/main.asp' without prior authenticated session establishment, which may indicate anonymous bypass exploitation.
- Flag RTSP connections using the User-Agent string 'VLC media player (LIVE555 Streaming Media v2010.02.10)' combined with an anomalous Range header on TCP/554 as a potential exploit indicator.
- The hardcoded anonymous credentials bypass works even when the anonymous user account has been explicitly disabled in the camera's configuration, making administrative disabling of the account insufficient as a mitigation.
- The bypass cannot be triggered via the normal login form; it requires forging the 'userInfoXX' cookie directly, meaning standard login-page monitoring will not catch exploitation attempts.
- CVE-2013-4977 RTSP buffer overflow requires no authentication, meaning network-level access to TCP/554 alone is sufficient for exploitation.
- The vulnerable firmware v4.1.0 b130111 is shared across a large number of Hikvision camera models beyond the DS-2CD7153-E, so the attack surface is significantly broader than a single device.
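The cookie, ConfigurationData and RTSP Range checks listed above can be expressed as a small request inspector. This is an added example, not code from the advisory or from this page's sources. The function name `inspect_request`, the 32-byte npt length threshold, the "any cookie decoding to anonymous:" rule, the host name `cam` and all sample requests are assumptions constructed for illustration.

```python
import base64
import re

# Cookie value quoted on this page: base64 of the hardcoded anonymous credentials.
ANON_COOKIE_B64 = "YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=="
COOKIE_RE = re.compile(r"\buserInfo(\d+)=([A-Za-z0-9+/=]+)")
NPT_RE = re.compile(r"^Range:\s*npt=(.*)$", re.I | re.M)
# Assumptions: a normal npt range is short and looks like "0.000-", "now-" or "10-25.5".
NPT_OK_RE = re.compile(r"^(now|[\d.:]+)?-[\d.:]*$")
MAX_NPT_LEN = 32

def inspect_request(raw):
    """Return findings for one raw HTTP or RTSP request (headers as text)."""
    findings = []
    parts = raw.lstrip().split("\n", 1)[0].split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    for port, value in COOKIE_RE.findall(raw):
        try:
            decoded = base64.b64decode(value, validate=True).decode("latin-1")
        except ValueError:  # not valid base64
            continue
        # Exact IOC, plus (assumption) any cookie that decodes to the anonymous user.
        if value == ANON_COOKIE_B64 or decoded.startswith("anonymous:"):
            findings.append(f"CVE-2013-4976: forged userInfo{port} cookie (anonymous)")
    if method == "GET" and target.split("?")[0] == "/PSIA/System/ConfigurationData":
        findings.append("CVE-2013-4975: ConfigurationData read, verify account is admin")
    if method == "PLAY":
        m = NPT_RE.search(raw)
        npt = m.group(1).strip() if m else ""
        if m and (len(npt) > MAX_NPT_LEN or not NPT_OK_RE.match(npt)):
            findings.append(f"CVE-2013-4977: anomalous Range npt value ({len(npt)} bytes)")
    return findings

# Constructed sample requests (not captured traffic).
_OTHER = base64.b64encode(b"viewer:example").decode()
SAMPLES = {
    "forged_cookie": "GET /doc/pages/main.asp HTTP/1.1\r\nHost: cam\r\n"
                     f"Cookie: userInfo80={ANON_COOKIE_B64}\r\n\r\n",
    "other_cookie": f"GET /doc/pages/main.asp HTTP/1.1\r\nCookie: userInfo80={_OTHER}\r\n\r\n",
    "config_read": "GET /PSIA/System/ConfigurationData HTTP/1.1\r\nHost: cam\r\n\r\n",
    "rtsp_overflow": "PLAY rtsp://cam/ RTSP/1.0\r\nCSeq: 7\r\n"
                     "Range: npt=" + "Aa0Aa1Aa2Aa3" * 20 + "\r\n\r\n",
    "rtsp_normal": "PLAY rtsp://cam/ RTSP/1.0\r\nCSeq: 7\r\nRange: npt=0.000-\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

A single request does not reveal the account's role, so the ConfigurationData finding has to be correlated with session data before it is treated as an alert.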
CVSS provenance
nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
http://www.securityfocus.com/bid/61646
https://exchange.xforce.ibmcloud.com/vulnerabilities/86293