CVE-2013-4977
published 2014-03-03


Priority: P2 · 59 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Flags: EXPLOIT
EPSS: 16.70% (96.6th percentile)
Buffer overflow in the RTSP Packet Handler in Hikvision DS-2CD7153-E IP camera with firmware 4.1.0 b130111 (Jan 2013), and possibly other devices, allows remote attackers to cause a denial of service (device crash and reboot) and possibly execute arbitrary code via a long string in the Range header field in an RTSP transaction.

Affected (1 range)

Vendor      Product                  Version range    Fixed in
hikvision   ds-2cd7153-e_firmware    (none listed)    (none listed)

Detection & IOCs (extracted from sources)

port: 554
command: PLAY rtsp://<HOST>/ RTSP/1.0\r\nCSeq: 7\r\nRange: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\nUser-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n
cookie: userInfo80=YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==
url: http://<target>/PSIA/System/ConfigurationData
  • Detect CVE-2013-4977 exploitation by monitoring RTSP traffic on TCP/554 for an oversized Range header containing the pattern 'npt=Aa0Aa1Aa2...' (cyclic buffer-overflow pattern) in a PLAY request.
  • Detect CVE-2013-4976 authentication bypass by monitoring HTTP requests carrying a cookie named 'userInfo<port>' with the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' (anonymous user with hardcoded password).
  • Detect CVE-2013-4975 credential harvesting by monitoring HTTP GET requests to the path '/PSIA/System/ConfigurationData' on Hikvision camera web interfaces.
  • Detect CVE-2013-4977 exploitation by monitoring RTSP PLAY requests with an abnormally long Range header field; the exploit uses User-Agent 'VLC media player (LIVE555 Streaming Media v2010.02.10)'.
  • Proxy or firewall rules should filter the 'Range' parameter in RTSP requests to mitigate exploitation of the buffer overflow in the RTSP Packet Handler.
  • The hardcoded anonymous credentials (user: 'anonymous', password: '\177\177\177\177\177\177') are embedded in the camera firmware and cannot be changed; the bypass works even when the anonymous account is explicitly disabled in the UI.
  • No authentication is required to exploit the RTSP buffer overflow (CVE-2013-4977); exploitation causes a full device restart via the Watchdog service.
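The RTSP Range-header detection described in the bullets above, written out as an added example (not code from this database or from Hikvision): it parses a raw RTSP request and flags PLAY requests whose Range header is oversized or carries the cyclic pattern fragment quoted in the IOCs. The length threshold and the two sample requests are constructed for the example.

```python
import re

# Threshold is an assumption for this example: legitimate Range values such as
# "npt=0.000-" are a few bytes, while the IOC pattern is far longer.
MAX_RANGE_LEN = 64
# Leading fragment of the cyclic buffer-overflow pattern quoted in the IOCs.
CYCLIC_MARKER = re.compile(r"Aa0Aa1Aa2")

# Constructed samples, not captured traffic.
BENIGN_PLAY = "PLAY rtsp://cam/stream RTSP/1.0\r\nCSeq: 3\r\nRange: npt=0.000-\r\n\r\n"
SUSPICIOUS_PLAY = ("PLAY rtsp://cam/stream RTSP/1.0\r\nCSeq: 7\r\n"
                   "Range: npt=Aa0Aa1Aa2Aa3" + "A" * 80 + "\r\n\r\n")


def parse_rtsp_request(raw: str):
    """Return (method, target, headers) for one RTSP request, or None if malformed.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore lines that are not header fields
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify_rtsp_request(raw: str):
    """Return detection reasons for one request; an empty list means nothing matched."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, _, headers = parsed
    reasons = []
    rng = headers.get("range")
    # The advisory ties the overflow to the Range field of a PLAY transaction.
    if method == "PLAY" and rng is not None:
        if len(rng) > MAX_RANGE_LEN:
            reasons.append(f"oversized Range header ({len(rng)} bytes)")
        if CYCLIC_MARKER.search(rng):
            reasons.append("cyclic overflow pattern in Range header")
    return reasons


if __name__ == "__main__":
    for sample in (BENIGN_PLAY, SUSPICIOUS_PLAY):
        print(classify_rtsp_request(sample) or "benign")
```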