CVE-2017-7925
Published 2017-05-06
Priority P276 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 52.06% (98.8th percentile)
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability was identified, which could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information.
Detection & IOCs (extracted from sources)
yara
contains(to_lower(body), "ugm") AND contains(to_lower(body), "id:name:passwd") AND status_code == 200
- Send an unauthenticated HTTP GET request to /current_config/passwd on the target device. A vulnerable response will return HTTP 200 and a body containing the strings 'ugm' and 'id:name:passwd', indicating plaintext or weakly encoded credentials are exposed.
- Extract credentials from the response body using the regex pattern '1:(.*:.*):1:CtrPanel' to capture privileged user password entries from the configuration file.
- Use Shodan or FOFA to identify exposed Dahua devices via favicon hash 2019488876 as a pre-exploitation reconnaissance step.
- Successful exploitation allows a malicious user to obtain password hashes from the configuration file and use them to bypass authentication (pass-the-hash), per the companion CVE-2017-7927.
- The vulnerability is unauthenticated and remotely exploitable with low skill level; public exploits are available, making mass exploitation highly likely.
CVSS provenance
- nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
CISA ICS
Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras
cisa_ics·2017-05-04
ICS Advisory
Last Revised: May 04, 2017
Alert Code: ICSA-17-124-02
## CVSS v3 9.8
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Dahua Technology Co., Ltd
Equipment: Digital Video Recorders and IP Cameras
Vulnerabilities: Use of Password Hash Instead of Password for Authentication, Password in Configuration File
## AFFECTED PRODUCTS
The following Dahua Technology Co., Ltd (Dahua) network cameras are affected:
- DH-IPC-HDBW23A0RN-ZS,
- DH-IPC-HDBW13A0SN,
- DH-IPC-HDW1XXX,
GHSA
GHSA-c723-9j4v-77qc: A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX
ghsa_unreviewed·2022-05-13
CVE-2017-7925 [CRITICAL] CWE-260 GHSA-c723-9j4v-77qc: A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX
No detection rules found.
Nuclei
Dahua Security - Configuration File Disclosure
nuclei·CVSS 9.8
CVE-2017-7925 [CRITICAL] Dahua Security - Configuration File Disclosure
Template:

```yaml
id: CVE-2017-7925
info:
  name: Dahua Security - Configuration File Disclosure
  author: E1A,none
  severity: critical
  description: |
    A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0S
```
No writeups or analysis indexed.
- http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
- http://www.securityfocus.com/bid/98312
- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02