Created
April 11, 2024 18:55
CVE ID: CVE-2023-33806
Vulnerability Title: Arbitrary Code Execution on the Hikvision Interactive Tablet DS-D5B86RB/B
Description:
Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B Device Firmware version: V2.3.0 build220119 allow attackers to execute arbitrary commands.
VulnerabilityType:
Command Injection
Vendor of Product:
Hikvision
Affected Product Code Base:
Hikvision Interactive Tablet DS-D5B86RB/B - Device Firmware version: V2.3.0 build220119
Affected Component:
Hikvision Interactive Tablet DS-D5B86RB/B
Attack Type:
Physical / Remote
Impact Code execution:
true
Attack Vectors:
Steps to Reproduce:
Step 1:
Open the device settings on the Hikvision Interactive Tablet TV.
Step 2:
Navigate to the About section.
Step 3:
Tap multiple times on "Device Firmware Version"; this opens the Factory Options Menu.
Step 4:
Scroll down the factory menu and click the Execute Shell option.
Step 5:
An error is shown: "Cannot find /storage/emulated/0/_MSTFactory folder". Create a folder named "_MSTFactory" in the "/storage/emulated/0/" directory. This can be done in different ways; a simple one is to open the file browser and create the directory.
Step 6:
After creating the directory, create a file called "MScript.sh" inside the _MSTFactory directory. Add your reverse shell/command injection payloads inside the "MScript.sh" file.
Step 7:
Select the "Execute Shell" option again, and we get a reverse shell.
Has vendor confirmed or acknowledged the vulnerability?:
true
Discoverer:
Safvan Parakkal from Moro Hub
Reference:
http://hikvision.com
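
A defender-side check for the two artifacts named in Steps 5 and 6, added here as an example and not part of the original advisory. The function name, its return codes and the idea of auditing a local path that corresponds to the device's /storage/emulated/0 are assumptions of this example; only the `_MSTFactory` and `MScript.sh` names come from the advisory.

```shell
#!/bin/sh
# Added example: audit shared storage for the artifacts the "Execute Shell"
# factory option looks for. ROOT is assumed to be a local path that mirrors
# /storage/emulated/0 on the tablet (hypothetical setup, not from the advisory).
#
# audit_mstfactory ROOT
#   returns 0  _MSTFactory is absent
#   returns 1  _MSTFactory exists but holds no MScript.sh
#   returns 2  MScript.sh is present and would be run by "Execute Shell"
audit_mstfactory() {
    root=${1:?usage: audit_mstfactory ROOT}
    dir="$root/_MSTFactory"
    script="$dir/MScript.sh"

    # -L is tested as well so that a dangling symlink still counts as present.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "OK: $dir not present"
        return 0
    fi
    echo "WARN: $dir exists"
    ls -ld "$dir"

    if [ ! -e "$script" ] && [ ! -L "$script" ]; then
        echo "INFO: no MScript.sh staged in $dir"
        return 1
    fi
    echo "ALERT: $script present"
    ls -l "$script"
    if [ -f "$script" ]; then
        # Size and checksum let the file be matched across devices during triage.
        echo "size_bytes=$(wc -c < "$script" | tr -d ' ')"
        echo "cksum=$(cksum < "$script")"
    fi
    return 2
}

# Stand-alone use: sh audit.sh /path/to/storage-copy
if [ $# -gt 0 ]; then
    audit_mstfactory "$1"
fi
```

A return code of 1 is still worth investigating, since the directory does not exist until someone creates it (Step 5).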