Intro
This article covers the two CVEs we found during our thesis work earlier this year. The affected devices are two D-Link IP cameras; the table below lists the models together with the hardware and software versions we tested.
| Manufacturer | Model | Software Version | Hardware Version |
| --- | --- | --- | --- |
| D-Link | DCS-5000L | 1.05 | A |
| D-Link | DCS-932L | 2.17 | B |
The setup
Our testing setup was fairly simple: the two cameras, a client running macOS and an evil client running Linux were all connected to the same router. For the exact setup, see Figure 1.
Affected
- http://CAMERA_IP:80 (CVE-2021-41504)
- http://CAMERA_IP/video.cgi (CVE-2021-41503)
Reproducibility
This section contains the steps necessary to reproduce the attacks for both CVEs. Steps 1 to 5 apply to both CVEs; the steps that differ are tagged with the respective CVE number.
1. The attacking machine is set up to spoof the connection between the user’s machine and the camera (ARP spoofing, so that both sides send their traffic through the attacker). To set up the spoofing, use the commands below.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ arpspoof -i eth0 -t 192.168.0.101 -r 192.168.0.103
$ arpspoof -i eth0 -t 192.168.0.101 -r 192.168.0.100
2. Set up Wireshark to sniff the traffic on eth0.
3. If the user is already logged in, a deauthentication attack can be used to log the user out.
4. Log in as the user using the affected link from the Affected section. Look for the GET requests.
5. Examine the traffic and filter it to see the HTTP packets.
CVE-2021-41503:
6. Credentials can be seen in plain text. The area marked in red in Figure 2 shows the credentials and the request.
As seen in Figure 2, the attacker can intercept the credentials in clear text and use them to view the video feed. There is an alternative way to exploit this vulnerability, described in the paragraph below.
Because the endpoint uses HTTP “Basic” authentication, tools such as Hydra or Burp Suite can be used to brute-force the username and password combination. After some research we noticed that D-Link uses the same username (“admin”) for both cameras. The commands and the result can be seen below.
General command:
hydra -l username -P password_file.txt -s port -f ip_address request_method /path
Specific command:
hydra -l admin -P 'pass.txt' -s 80 -f 192.168.0.103 http-get /video.cgi
The result of the attack can be seen in Figure 3.
CVE-2021-41504:
6. We can see the “Digest Authentication” marked in red in Figure 4.
We used Burp Suite Community Edition to intercept a login request made with demo credentials and replaced all parameters of the Digest authorization header with the ones we captured with Wireshark. That allowed us to log in as the user “admin”. After authentication we could add guest users, which can view the video feed whenever they want.
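As an added defender-side example (not part of the original article), the following Python script inspects captured HTTP requests and flags the two conditions described above: Basic credentials sent over plain HTTP to /video.cgi (CVE-2021-41503) and a Digest authorization header whose username, nonce and nonce-count repeat, which is what the replay described for CVE-2021-41504 looks like on the wire. The request samples, realm, nonce and credential values are constructed placeholders.

```python
import base64
import re

# Constructed sample of raw HTTP requests as they would appear in a capture
# (not taken from the original article); all values are made-up placeholders.
SAMPLE_REQUESTS = [
    "GET /video.cgi HTTP/1.1\r\nHost: 192.168.0.103\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n",            # "admin:secret" in base64
    "GET / HTTP/1.1\r\nHost: 192.168.0.100\r\n"
    'Authorization: Digest username="admin", realm="cam", nonce="abc123", uri="/", '
    'nc=00000001, cnonce="c1", response="deadbeef"\r\n\r\n',
    # Identical nonce and nonce-count again: a replayed set of Digest parameters.
    "GET / HTTP/1.1\r\nHost: 192.168.0.100\r\n"
    'Authorization: Digest username="admin", realm="cam", nonce="abc123", uri="/", '
    'nc=00000001, cnonce="c1", response="deadbeef"\r\n\r\n',
]

# key=value pairs of a Digest header; values are either quoted or bare (nc, qop)
_DIGEST_KV = re.compile(r'(\w+)=("([^"]*)"|([^,\s]+))')


def parse_digest(value):
    """Turn the Digest parameter list into a dict of string values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _DIGEST_KV.finditer(value)}


def audit_requests(requests):
    """Return (finding, path, username) per request.

    A server rejecting a repeated (username, nonce, nc) tuple is exactly the
    check that stops the Digest replay; a SOC can run the same logic over traffic.
    """
    seen = set()   # (username, nonce, nc) tuples already observed
    findings = []
    for raw in requests:
        lines = raw.split("\r\n")
        path = lines[0].split(" ")[1]
        auth = next((h.split(":", 1)[1].strip() for h in lines
                     if h.lower().startswith("authorization:")), "")
        scheme, _, value = auth.partition(" ")
        if scheme == "Basic":
            # Plain HTTP: anyone on the path reads user:password by base64-decoding it.
            user = base64.b64decode(value).decode().split(":", 1)[0]
            findings.append(("cleartext-basic", path, user))
        elif scheme == "Digest":
            p = parse_digest(value)
            key = (p.get("username"), p.get("nonce"), p.get("nc"))
            findings.append(("digest-replay" if key in seen else "digest-ok", path, key[0]))
            seen.add(key)
        else:
            findings.append(("no-auth", path, None))
    return findings
```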
Result
In the end, both attacks allowed us to do several things. First, they allowed us to view the video feed. Second, they allowed us to add guest users, who in turn can view the feed whenever they want, which was our initial goal.
Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41503
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247