CVE-2014-4880
Published 2014-12-08
Priority: P267, high, 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 72.08% (99.4th percentile)
Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hikvision | dvr_ds-7204_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by inspecting RTSP PLAY requests on TCP/554 for an oversized Authorization: Basic header (payload > 0x280+34 bytes / ~666+ bytes)
- Alert on RTSP PLAY requests containing a CSeq value of 7 combined with an abnormally long Authorization header, as used by the public exploit
- The exploit targets ARCH_ARMLE (ARM little-endian) Linux devices; ROP chain bytes for the DS-7204 target include the 3-byte sequence \x8c\x82\x2c (g_adjustesp 0x002c828c, packed little-endian, first 3 bytes) embedded in the Authorization header
- Monitor for exploitation of Hikvision DVR devices (DS-7204 and similar models) on RTSP port 554; the vulnerability allows unauthenticated remote code execution via a malformed RTSP PLAY request
- The Metasploit module and its ROP gadget offsets only support the DS-7204 model at firmware V2.2.10 build 131009; other models/firmware versions are vulnerable but not covered by this exploit's specific gadget addresses
- These devices run ARM little-endian Linux with libupnp 1.3.1, have randomized stacks (ASLR), but no PIE on libc; ROP gadget addresses are fixed offsets within libc and will not change across reboots for the targeted firmware
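The first two checks in the list above, written as a detector over reassembled RTSP requests. This is an added example, not code from the page or from any published rule. The 256-byte default threshold, the finding names and the sample requests are constructed assumptions, and the base64 check is a general Basic-auth sanity test added alongside the page's length check.

```python
import re

# Assumption: legitimate Basic credentials are far shorter than this. The page
# puts the exploit's header payload above 0x280+34 bytes; the default is set
# lower so that shortened or variant attempts still trip it. Tune per site.
MAX_AUTH_LEN = 256
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")

def parse_rtsp_request(raw: bytes):
    """Split one RTSP request into (method, headers); None if not RTSP."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), headers

def inspect_request(raw: bytes, max_auth_len: int = MAX_AUTH_LEN):
    """Return a list of finding names for one request seen on TCP/554."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return []
    method, headers = parsed
    auth = headers.get(b"authorization", b"")
    findings = []
    if len(auth) > max_auth_len:
        findings.append("oversized-authorization")
        if method == b"PLAY":
            findings.append("play-with-oversized-authorization")
        if headers.get(b"cseq") == b"7":
            findings.append("cseq-7-with-oversized-authorization")
    scheme, _, cred = auth.partition(b" ")
    if scheme.lower() == b"basic" and not BASE64_RE.match(cred.strip()):
        findings.append("basic-credential-not-base64")
    return findings

# Constructed samples: a normal PLAY and one with a padded header (filler only).
BENIGN = (b"PLAY rtsp://192.0.2.10/stream RTSP/1.0\r\nCSeq: 4\r\n"
          b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
OVERSIZED = (b"PLAY rtsp://192.0.2.10/stream RTSP/1.0\r\nCSeq: 7\r\n"
             b"Authorization: Basic " + b"A" * 700 + b"\r\n\r\n")
```

The CSeq match is reported only together with the length finding, since CSeq 7 on its own occurs in normal sessions.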
No detection rules found.
Exploit-DB
Hikvision DVR - RTSP Request Remote Code Execution (Metasploit)
exploitdb·2014-11-24
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 'Hikvision DVR RTSP Request Remote Code Execution',
      'Description' => %q{
        This module exploits a buffer overflow in the RTSP request parsing
        code of Hikvision DVR appliances. The Hikvision DVR devices record
        video feeds of surveillance cameras and offer remote administration
        and playback of recorded footage.
        The vulnerability is present in several models / firmware versions
        but due to the available test device this module only supports
        the DS-7204 model.
      },
      'Author' =>
        [
          'Mark Schloesser ', # @repmovsb, vulnerability analysis & exploit dev
        ],
      'Licen
```
Metasploit
Hikvision DVR RTSP Request Remote Code Execution
metasploit
This module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware versions but due to the available test device this module only supports the DS-7204 model.
No writeups or analysis indexed.