cbcvebase.
CVE-2013-6117
published 2014-07-11

CVE-2013-6117: Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change…

PriorityP183high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
70.71%
99.3th percentile
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Affected

5 ranges
VendorProductVersion rangeFixed in
dahuasecuritycamera_firmware
dahuasecuritydvr_firmware
dahuasecuritydvr_firmware
dahuasecuritynvr_firmware
dahuasecuritysmartpss_firmware

Detection & IOCsextracted from sources · hover to see the quote

port37777/tcp
port37778/tcp
filenamewebrec.cab
other4WzwxXxM
othersh15yfFM
other6QNMIQGe
bytes
\xa1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xb1\x00\x00\x58\x00\x00\x00\x00
bytes
\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xa6\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\xa4\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\x60\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  • Detect unauthenticated probes against Dahua DVR administrative service by monitoring for the 32-byte discovery packet starting with \xa1\x00 on TCP/37777, followed by the expected 8-byte DVR response \xb1\x00\x00\x58\x00\x00\x00\x00.
  • Alert on unauthenticated binary protocol commands sent to TCP/37777 — specifically packets beginning with \xa3, \xa4, \xa6, \xa8, or \x60 opcodes — which correspond to config-read and log-clear commands requiring no prior authentication.
  • Flag presence of known Dahua DVR default password hashes (4WzwxXxM for '888888', sh15yfFM for '666666', 6QNMIQGe for 'admin') in network traffic or credential stores, indicating use of default credentials on vulnerable devices.
  • Monitor for the Metasploit auxiliary module 'auxiliary/scanner/misc/dahua_dvr_auth_bypass' being loaded or executed, which automates unauthenticated credential and config extraction from Dahua DVRs.
  • Detect ActiveX instantiation of 'webrec.cab' in browser environments, which communicates over the unauthenticated binary protocol on TCP/37777.
  • ·The vulnerable administrative service runs on TCP/37777 by default but the port is configurable; scanning only the default port may miss reconfigured instances.
  • ·SMTP, NAS, and DDNS credentials are stored and transmitted in cleartext by the device, meaning credential exposure does not require decryption.
  • ·The device also listens on telnet by default with a static, publicly known root password (CVE-2013-3612), providing an additional unauthenticated access vector beyond TCP/37777.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.