CVE-2017-7927
published 2017-05-06


Priority: P180high
CVSS 3.0 base score: 7.3 (high)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
VulnCheck KEV: exploited in the wild
EPSS: 36.75% (98.3rd percentile)
A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The use of password hash instead of password for authentication vulnerability was identified, which could allow a malicious user to bypass authentication without obtaining the actual password.

Detection & IOCs (extracted from sources)

Port: 37777
URL: /videotalk
Bytes: \xa0\x00\x00\x60\x00\x00\x00\x00\xc4\xa3\xaf\x48\x99\x56\xb6\xb4\x7e\x48\xc4\x86\x90\x98\x54\xf3\x05\x02\x00\x01\x00\x00\xa1\xaa
  • Monitor for TCP connections to port 37777 on Dahua/Amcrest devices; a 32-byte login packet beginning with \xa0\x00\x00\x60 using pre-computed MD5 hashes instead of a plaintext password is indicative of a pass-the-hash authentication bypass attempt (CVE-2017-7927).
  • After a successful hash-replay login on TCP/37777, watch for a follow-up JSON-RPC request containing the method 'magicBox.getSoftwareVersion' as a post-exploitation reconnaissance indicator.
  • The vulnerability allows authentication bypass using a captured password hash; the attack is feasible even when the user's password is only 8 characters long, so short-password accounts are especially at risk.
  • Unauthenticated HTTP requests to the /videotalk endpoint on Dahua/Amcrest cameras should be alerted on; no authentication is required and the endpoint streams live audio.
  • The hash-replay bypass on TCP/37777 is specifically exploitable when the target account's password is 8 characters or fewer; longer passwords were not found to be vulnerable in the Amcrest variant.
  • Dahua released updated firmware to address CVE-2017-7927; however, the Amcrest IP2M-841B (an OEM variant) was still found vulnerable after the original patch, indicating OEM/rebrand devices may not receive timely fixes.

CVSS provenance

  • NVD, CVSS v3.0: 7.3 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  • NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • VulnCheck: 7.3 HIGH