gistfile1.txt

CVE ID: CVE-2023-33806

Vulnerability Title: Arbitrary Code Execution on the Hikvision Interactive Tablet DS-D5B86RB/B

Description:
Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B Device Firmware version : V2.3.0 build220119 allow attackers to execute arbitrary commands.

VulnerabilityType:
Command Injection

Vendor of Product:
Hikvision

Affected Product Code Base:
Hikvision Interactive Tablet DS-D5B86RB/B - Device Firmware version : V2.3.0 build220119

Affected Component:
Hikvision Interactive Tablet DS-D5B86RB/B

Attack Type:
Physical/ Remote

Impact Code execution:
true

Attack Vectors:
Steps to Reproduce:

Step 1:
Open the device setting on the Hikvision Interactive Tablet TV.
Step2:
Navigate to the About section.
Step3:
Then tap multiple times on the "Device Firmware Version" and it will open the Factory Options Menu
Step4:
Then scroll down the factory menu and click on the Execute Shell option.
Step5:
Then it will show an error "Cannot find /storage/emulated/0/_MSTFactory folder". So try to create a folder named "_MSTFactory" in the "/storage/emulated/0/" directory. This can be done by different methods, simple one is access the file browser, create the directory.
Step6:
After creating the directory, create a file called "MScript.sh" inside that _MSTFactory directory. Add your reverse shell/command injection payloads inside the "MScript.sh" file.
Step7:
Then try the "Execute Shell" option again and we will get a reverse shell.

Has vendor confirmed or acknowledged the vulnerability?:
true

Discoverer:
Safvan Parakkal from Moro Hub

Reference:
http://hikvision.com