Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2021-33045

Published: 15/09/2021 Updated: 02/12/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 895
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Ipc-hum7xxx Firmware

Vulnerability Summary

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

dahuasecurity ipc-hum7xxx_firmware

dahuasecurity ipc-hx3xxx_firmware

dahuasecurity ipc-hx5xxx_firmware

dahuasecurity nvr-1xxx_firmware

dahuasecurity nvr-2xxx_firmware

dahuasecurity nvr-4xxx_firmware

dahuasecurity nvr-5xxx_firmware

dahuasecurity nvr-6xx_firmware

dahuasecurity vth-542xh_firmware

dahuasecurity vto-65xxx_firmware

dahuasecurity vto-75x95x_firmware

dahuasecurity xvr-4x04_firmware -

dahuasecurity xvr-4x08_firmware

dahuasecurity xvr-4x04_firmware

dahuasecurity xvr-5x04_firmware

dahuasecurity xvr-5x08_firmware

dahuasecurity xvr-5x16_firmware

dahuasecurity xvr-7x16_firmware

dahuasecurity xvr-7x32_firmware

Exploits

Exploit DB: Dahua Authentication Bypass
Various Dahua products suffers from multiple authentication bypass vulnerabilities ...

Github Repositories

https://github.com/naycha/TVT-config

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/naycha/TVT-NVR-config

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/bp2008/DahuaLoginBypass

Chrome extension that uses vulnerabilities CVE-2021-33044 and CVE-2021-33045 to log in to Dahua cameras without authentication.

DahuaLoginBypass Chrome extension that uses vulnerability CVE-2021-33044 to log in to Dahua IP cameras and VTH/VTO (video intercom) devices without authentication For other device types (NVR/DVR/XVR, etc), there exists CVE-2021-33045 which cannot be exploited with an ordinary web browser These vulnerabilities are likely to be fixed in firmware released after Sept 2021 Credit

https://github.com/naycha/NVR-CONFIG

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/readloud/PoC

Proof of concept (PoC) - misc PoC - Internet of (In)Security Things

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP CVE-2021-36260 Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: Dahua Authentication Bypass Dahua Console PoC: 2021-09-06 Two independent authentication bypass Due to the very high pote

https://github.com/APPHIK/cam

简体中文 | English 简介 主要针对网络摄像头的漏洞扫描框架,目前已集成海康、大华、宇视、dlink等常见设备

https://github.com/Nxychx/TVT-NVR

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/dongpohezui/cve-2021-33045

cve-2021-33045 通过修改浏览器发往/RPC2_Login的数据包登录摄像头的网页。 这里采用mitmproxy脚本实现相关功能,也可以通过Fiddler、burpsuite实现类似功能。 用法如下: mitmweb --showhost --set block_global=false -s mitmpy 然后,浏览器将mitmproxy设置为http代理。 参考链接:

https://github.com/naycha/TVT-NVR

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/mcw0/PoC

Issues has been disabled for these PoC's, as they are simply PoC, Public Domain and unsupported.

PoC misc PoC - Internet of (In)Security Things Well worth to read about these crappy (in)security things: ipvmcom/reports/security-exploits Hikvision CVE-2021-36260 2021-10-19 All credit to Watchful_IP (watchfulipgithubio/) githubcom/mcw0/PoC/blob/master/CVE-2021-36260py Dahua CVE-2021-33044, CVE-2021-33045 2021-10-06 Details: githubcom/mcw

https://github.com/mcw0/DahuaConsole

Dahua Console, access internal debug console and/or other researched functions in Dahua devices. Feel free to contribute in this project.

Dahua Console Version: Pre-alpha Bugs: Indeed TODO: Lots of stuff [Install requirements] sudo pip3 install -r requirementstxt [Arguments] -h, --help show this help message and exit --rhost RHOST Remote Target Address (IP/FQDN) --rport RPORT Remote Target Port --proto {dhip,dvrip,3des,http,https}

https://github.com/zhanwang110/Ingram

简体中文 | English 简介 主要针对网络摄像头的漏洞扫描框架,目前已集成海康、大华、宇视、dlink等常见设备

https://github.com/APPHIK/camz

简体中文 | English 简介 主要针对网络摄像头的漏洞扫描框架,目前已集成海康、大华、宇视、dlink等常见设备

https://github.com/WhaleFell/CameraHack

批量扫描破解海康威视、大华等摄像头的常见漏洞。

CameraHack 批量扫描破解海康威视、大华等摄像头的常见漏洞、弱密码 海康威视 RTSP 弱密码 # 主码流 rtsp://admin:12345@IP:554/h264/ch1/main/av_stream rtsp://admin:12345@IP:554/MPEG-4/ch1/main/av_stream # 子码流 rtsp://admin:12345@IP/mpeg4/ch1/sub/av_stream rtsp://admin:12345@IP/h264/ch1/sub/av_stream CVE-2

https://github.com/APPHIK/ip

简介 主要针对网络摄像头的漏洞扫描框架,目前已集成海康、大华、宇视等常见设备。后期会加入更多摄像头设备和路由器设备。

https://github.com/Stealzoz/steal

简体中文 | English Introduction ======= Mainly for the vulnerability scanning framework of network cameras, it has integrated common equipment such as Hikvision, Dahua, and Uniview More camera devices and router devices will be added later

https://github.com/bp2008/Index

Categorized lists of my projects on Github.

bp2008's Project Index Below are categorized lists of links to my most interesting projects Blue Iris Integrations UI3 - A powerful, modern HTML5 web interface for Blue Iris biupdatehelper - A Windows service which archives Blue Iris update files and makes configuration backups Home Automation, Weather Sensors, etc AcuRiteSniffer - Reads weather data packets sent by

https://github.com/bnhjuy77/tomde

简体中文 | English 简介 主要针对网络摄像头的漏洞扫描框架,目前已集成海康、大华、宇视、dlink等常见设备

References

CWE-287https://www.dahuasecurity.com/support/cybersecurity/details/957http://seclists.org/fulldisclosure/2021/Oct/13http://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttps://nvd.nist.govhttps://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.htmlhttps://github.com/bp2008/DahuaLoginBypass
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook