SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.
SERVER-WEBAPP Dahua DVR admin password reset attempt
This event is generated when a Dahua DVR, or potentially another DVR leveraging the same binary protocol, is being sent a request to change the admin password of the camera. At this time, requests sent over this protocol are unauthenticated.

Impact: Attempted Administrator Privilege Gain

Details: An attacker sends a command to the vulnerable DVR and, since the request is unauthenticated, the DVR executes the request. In this case the request is to reset the admin password.

The rule looks for the following:

0xA6000000 -> Command dword
(Skip this dword) -> This dword represents the length of the user-provided string to reset the admin password; the length is therefore variable, as the attacker can set the password to whatever they want.
0x0A000000 -> Specifier for command (denotes password reset)
Two dwords of nulls: 0x00000000 0x00000000

fast_pattern only match on the following: 0x00000000admin:
It is looking for the admin user being targeted for the password reset; following the colon is the password the attacker has chosen.

Ease of Attack: Simple and publicly available.
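The layout listed above, written as an offline matcher for triaging a captured payload (an added example, not the Snort rule text and not code from this page). It assumes the first three fields start at offset 0 and that the null-prefixed "admin:" marker may begin anywhere from offset 16 onward; the function name and all sample payloads are constructed for illustration.

```python
"""Offline matcher for the byte layout listed in this rule description."""

COMMAND = bytes.fromhex("a6000000")    # command dword
SPECIFIER = bytes.fromhex("0a000000")  # specifier: password reset
NULLS = bytes(8)                       # two dwords of nulls
MARKER = bytes(4) + b"admin:"          # fast_pattern content


def match_admin_reset(payload: bytes):
    """Return details of a match, or None when the layout is absent."""
    if len(payload) < 20 or payload[0:4] != COMMAND:
        return None
    # Bytes 4..8 hold the sender-controlled length dword. Like the rule,
    # skip it rather than trust it.
    if payload[8:12] != SPECIFIER or payload[12:20] != NULLS:
        return None
    # Assumption: the marker's own nulls may overlap the second null dword,
    # so the search starts at offset 16 instead of 20.
    pos = payload.find(MARKER, 16)
    if pos < 0:
        return None
    return {
        "length_field": payload[4:8].hex(),
        "marker_offset": pos,
        # Number of bytes following "admin:" (the chosen string), not its value.
        "trailing_bytes": len(payload) - (pos + len(MARKER)),
    }


# Constructed samples; the length dword value is a placeholder.
HEADER = COMMAND + bytes.fromhex("0d000000") + SPECIFIER + NULLS
SAMPLE_RESET = HEADER + b"admin:EXAMPLE"
SAMPLE_PADDED = HEADER + bytes(12) + b"admin:EXAMPLE"
SAMPLE_OTHER_USER = HEADER + b"guest:EXAMPLE"
SAMPLE_OTHER_SPEC = (COMMAND + bytes.fromhex("0d000000")
                     + bytes.fromhex("0b000000") + NULLS + b"admin:EXAMPLE")

if __name__ == "__main__":
    samples = {
        "reset": SAMPLE_RESET,
        "padded": SAMPLE_PADDED,
        "other user": SAMPLE_OTHER_USER,
        "other specifier": SAMPLE_OTHER_SPEC,
    }
    for name, data in samples.items():
        print(f"{name}: {match_admin_reset(data)}")
```

Reporting only the count of trailing bytes keeps the attacker-chosen string out of triage output while still showing that one was supplied.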
No information provided
No public information
No known false positives
Cisco Talos Intelligence Group
No rule groups
CVE-2013-3615
CVE-2013-6117