CVE-2013-4977
Published: 2014-03-03
Priority P2 · 59 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS: 16.70% (96.6th percentile)
Buffer overflow in the RTSP Packet Handler in Hikvision DS-2CD7153-E IP camera with firmware 4.1.0 b130111 (Jan 2013), and possibly other devices, allows remote attackers to cause a denial of service (device crash and reboot) and possibly execute arbitrary code via a long string in the Range header field in an RTSP transaction.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | ds-2cd7153-e_firmware | — | — |
Detection & IOCs (extracted from sources)
Command: `PLAY rtsp://<HOST>/ RTSP/1.0\r\nCSeq: 7\r\nRange: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\nUser-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n`
- Detect CVE-2013-4977 exploitation by monitoring RTSP traffic on TCP/554 for an oversized Range header containing the pattern 'npt=Aa0Aa1Aa2...' (cyclic buffer-overflow pattern) in a PLAY request.
- Detect CVE-2013-4976 authentication bypass by monitoring HTTP requests carrying a cookie named 'userInfo<port>' with the base64 value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw==' (anonymous user with hardcoded password).
- Detect CVE-2013-4975 credential harvesting by monitoring HTTP GET requests to the path '/PSIA/System/ConfigurationData' on Hikvision camera web interfaces.
- Detect CVE-2013-4977 exploitation by monitoring RTSP PLAY requests with an abnormally long Range header field; the public exploit uses the User-Agent 'VLC media player (LIVE555 Streaming Media v2010.02.10)'.
- Proxy or firewall rules should filter the 'Range' parameter in RTSP requests to mitigate exploitation of the buffer overflow in the RTSP Packet Handler.
- The hardcoded anonymous credentials (user: 'anonymous', password: '\177\177\177\177\177\177') are embedded in the camera firmware and cannot be changed; the bypass works even when the anonymous account is explicitly disabled in the UI.
- No authentication is required to exploit the RTSP buffer overflow (CVE-2013-4977); exploitation causes a full device restart via the Watchdog service.
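A small RTSP request inspector that applies the two CVE-2013-4977 checks listed above (an oversized Range header on a PLAY request, and the cyclic 'Aa0Aa1Aa2' marker), written here as an added defender-side example; it is not code from this page's sources, and the 64-byte length threshold and the sample requests are constructed assumptions.

```python
import re

# Length above which a Range header is treated as suspicious. Legitimate values
# such as "npt=0.000-" are short; the 64-byte threshold is an assumption of this
# example, not a figure from the advisory.
MAX_RANGE_LEN = 64
# Cyclic-pattern marker seen in the public PoC request ("npt=Aa0Aa1Aa2...").
CYCLIC_PATTERN = re.compile(r"Aa0Aa1Aa2")

def parse_rtsp_request(raw: bytes):
    """Return (method, url, headers) for one RTSP request, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def inspect_rtsp_request(raw: bytes):
    """Return detection reasons for one request; an empty list means no alert."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, _url, headers = parsed
    reasons = []
    rng = headers.get("range")
    if method == "PLAY" and rng is not None:
        if len(rng) > MAX_RANGE_LEN:
            reasons.append(f"oversized Range header ({len(rng)} bytes)")
        if CYCLIC_PATTERN.search(rng):
            reasons.append("cyclic overflow pattern in Range header")
    return reasons

# Constructed sample requests (not captured from a real camera).
BENIGN = (b"PLAY rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 7\r\n"
          b"Range: npt=0.000-\r\nUser-Agent: VLC media player\r\n\r\n")
SUSPECT = (b"PLAY rtsp://camera.example/ RTSP/1.0\r\nCSeq: 7\r\n"
           b"Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n"
           b"User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_rtsp_request(req) or ["no alert"])
```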
No detection rules found.
Exploit-DB: HP LoadRunner - lrFileIOService ActiveX WriteFileString Remote Code Execution (Metasploit)
exploitdb · 2013-09-04 · CVE-2013-4798
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # The indexed snippet dropped the text between '<' and the next '>' (the Rank and
  # include lines); only the class header and the autopwn_info opener are restored
  # here, assumed from the standard Metasploit module layout.
  autopwn_info({
    :ua_name => HttpClients::IE,
    :ua_minver => "6.0",
    :ua_maxver => "8.0",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :os_ver => OperatingSystems::WindowsVersions::XP,
    :rank => NormalRanking,
    :classid => "{8D9E2CC7-D94B-4977-8510-FB49C361A139}",
    :method => "WriteFileString "
  })
  def initialize(info={})
    super(update_info(info,
      'Name' => "HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Ex
```
Exploit-DB: HP LoadRunner - lrFileIOService ActiveX Remote Code Execution (Metasploit)
exploitdb · 2013-08-29 · CVE-2013-2370
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # The indexed snippet dropped the text between '<' and the next '>' (the Rank and
  # include lines); only the class header and the autopwn_info opener are restored
  # here, assumed from the standard Metasploit module layout.
  autopwn_info({
    :ua_name => HttpClients::IE,
    :ua_minver => "6.0",
    :ua_maxver => "9.0",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :rank => Rank,
    :classid => "{8D9E2CC7-D94B-4977-8510-FB49C361A139}",
    :method => "WriteFileBinary"
  })
  def initialize(info={})
    super(update_info(info,
      'Name' => "HP LoadRunner lrFileIOService ActiveX Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability on the lrFileIOService A
```
Exploit-DB: Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities
exploitdb · 2013-08-07 · CVSS 8.8 · CVE-2013-4977 [HIGH]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Hikvision IP Cameras Multiple Vulnerabilities
1. *Advisory Information*
Title: Hikvision IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0708
Advisory URL: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
Date published: 2013-08-06
Date of last update: 2013-08-06
Vendors contacted: Hikvision
Release mode: User release
2. *Vulnerability Information*
Class: Input validation error [CWE-20], Use of Hard-coded Credentials [CWE-798], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4975, CVE-2013-4976, CVE-2013-4977
3. *Vu
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2013-08/0046.html
- http://packetstormsecurity.com/files/122718/Hikvision-IP-Cameras-Overflow-Bypass-Privilege-Escalation.html
- http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
- http://www.securityfocus.com/bid/61642
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86292