CVE-2014-4880
published 2014-12-08

Priority: P2 · 67 · CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 72.08% (99.4th percentile)
Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header.

Affected (1 range)

Vendor      Product                 Version range   Fixed in
hikvision   dvr_ds-7204_firmware    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

port: 554
command: PLAY rtsp://<rhost>/ RTSP/1.0 CSeq: 7 Authorization: Basic <0x280+34 bytes overflow>
other: ROP gadget: ADD SP, SP, #0x350 # LDMFD SP!, {R4-R6,PC} @ 0x002c828c
other: ROP gadget: ADD R3, SP, #0x60+var_58 # BLX R6 @ 0x00446f80
other: ROP gadget: BLX R3 # LDMFD SP!, {R1-R7,PC} @ 0x00456360
other: ROP gadget: LDMFD SP!, {R3,PC} @ 0x0000fe98
version: Hikvision DVR DS-7204 Firmware V2.2.10 build 131009
  • Detect exploit attempts by inspecting RTSP PLAY requests on TCP/554 for an oversized Authorization: Basic header (payload > 0x280+34 bytes / ~666+ bytes)
  • Alert on RTSP PLAY requests containing a CSeq value of 7 combined with an abnormally long Authorization header, as used by the public exploit
  • The exploit targets ARCH_ARMLE (ARM little-endian) Linux devices; ROP chain bytes for the DS-7204 target include the 3-byte sequence \x8c\x82\x2c (g_adjustesp 0x002c828c, packed little-endian, first 3 bytes) embedded in the Authorization header
  • Monitor for exploitation of Hikvision DVR devices (DS-7204 and similar models) on RTSP port 554; the vulnerability allows unauthenticated remote code execution via a malformed RTSP PLAY request
  • The Metasploit module and its ROP gadget offsets only support the DS-7204 model at firmware V2.2.10 build 131009; other models/firmware versions are vulnerable but not covered by this exploit's specific gadget addresses
  • These devices run ARM little-endian Linux with libupnp 1.3.1 and have randomized stacks (ASLR), but no PIE on libc; ROP gadget addresses are therefore fixed offsets within libc and will not change across reboots for the targeted firmware