Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Dahua DVR admin password reset attempt

Rule Explanation

This event is generated when a Dahua DVR, or potentially another DVR leveraging the same binary protocol, is being sent a request to change the admin password of the camera. At this time, requests sent over this protocol are unauthenticated. Impact: Attempted Administrator Privilege Gain Details: An attacker sends a command to the vulnerable DVR and since the request is unauthenticated, the DVR executes the request. In this case the request is to reset the admin password. The rule looks for the following: 0xA6000000 -> Command dword (Skip this dword) -> This dword represents the length of the user provided string to reset the admin password, therefore the length is variable as the attacker can set the password to whatever they want. 0x0A000000 -> Specifier for command (denotes password reset) Two dwords of nulls: 0x00000000 0x00000000 fast_pattern only match on the following: 0x00000000admin: It is looking for the admin user being targeted for the password reset, following the colon is the password the attacker has chosen. Ease of Attack: Simple and publicly available.

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

Rule Vulnerability

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2013-3615
Loading description
CVE-2013-6117
Loading description