The Internet of Things is turning against us once more. Rapid7 is reporting that Hikvision DVRs are vulnerable to at least 3 different remote code execution vulnerabilities. Metasploit modules are available to take advantage of them, and a patch is not available.
All three vulnerabilities were found in the code dealing with RTSP requests. The vulnerabilities are simple buffer overflows.
Hikvision DVRs were already in the news earlier this year, when we found many of them being exploited by The Moon worm, bitcoin miners, and code scanning for Synology disk stations. Back then, the main exploit vector was the default root password of 12345, which never got changed.
At this point, device manufacturers just don't get it. The vulnerabilities found in devices like the Hikvision DVRs are reminiscent of 90s operating systems and server vulnerabilities. Note that many devices are sold under various brand names, and Hikvision may not be the only vulnerable brand.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.