
URI: ./ ./ mnt/ custom/ ProductDefinition

DVR remote code execution

3:15 am on Sep 8, 2019 (gmt 0)

Senior Member

joined: Nov 5, 2005
posts: 2067
votes: 2


Spaces added to Subject to pass muster weren't enough. So picture this:

dotdot/dotdot/mnt/custom/ProductDefinition

Not a bot or spider per se but now that I've seen hundreds of those in a week I thought I'd mention it. The URI first appeared on Aug. 30th with no UA at all, and always Apache-flagged as a 400 error because of "erroneous characters after protocol string".

The majority of the hits are singles, but some number up to five in six minutes, and getting worse. Plus multiple same-Host static addresses suggest some ISPs may be affected. To date, most addresses have been in South America.

I've blocked slashdot patterns forever, but in case you don't, you might want to start -- and check your DVR brand. Here's more info about the exploit's possible origin(s) and actual existence:

"Unidentified Scanning Activity" [isc.sans.edu...]

"HiSilicon DVR Devices - Remote Code Execution" [exploit-db.com...]
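One way to pick this traffic out of an Apache access log, as an added example that is not code from the original post: the script below parses combined-log lines, flags any request whose path contains a `..` segment (after percent-decoding, so `%2e%2e` is caught too), the `mnt/custom/ProductDefinition` probe path, a missing User-Agent, or a 400 with an empty body, and then marks client IPs that reach five flagged hits inside six minutes, the rate mentioned above. The sample lines are constructed for illustration; the exact request line Apache records for these probes on a given server is an assumption here, as is the combined log format.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not taken from the
# original post). The probe path, the missing User-Agent ("-") and the 400
# with an empty body follow what the thread describes; the exact request line
# Apache records for a malformed request is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2019:03:15:01 +0000] "GET ../../mnt/custom/ProductDefinition HTTP/1.0" 400 0 "-" "-"
203.0.113.7 - - [30/Aug/2019:03:16:40 +0000] "GET ../../mnt/custom/ProductDefinition HTTP/1.0" 400 0 "-" "-"
203.0.113.7 - - [30/Aug/2019:03:18:02 +0000] "GET ../../mnt/custom/ProductDefinition HTTP/1.0" 400 0 "-" "-"
203.0.113.7 - - [30/Aug/2019:03:19:30 +0000] "GET ../../mnt/custom/ProductDefinition HTTP/1.0" 400 0 "-" "-"
203.0.113.7 - - [30/Aug/2019:03:20:55 +0000] "GET ../../mnt/custom/ProductDefinition HTTP/1.0" 400 0 "-" "-"
198.51.100.22 - - [30/Aug/2019:04:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.22 - - [30/Aug/2019:04:02:12 +0000] "GET /images/%2e%2e/../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.55 - - [30/Aug/2019:05:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

DVR_PROBE = "mnt/custom/ProductDefinition"


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    # A malformed request line may carry fewer than three tokens; keep the path if present.
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def has_dotdot(path):
    """True if any path segment is '..' after percent-decoding (so %2e%2e counts too)."""
    return ".." in unquote(path).replace("\\", "/").split("/")


def classify(rec):
    """Return the reasons a parsed request looks like the scanning described in the thread."""
    reasons = []
    if has_dotdot(rec["path"]):
        reasons.append("dotdot")
    if DVR_PROBE in rec["path"]:
        reasons.append("dvr-probe")
    if rec["ua"] in ("", "-"):
        reasons.append("no-ua")
    if rec["status"] == "400" and rec["bytes"] in ("0", "-"):
        reasons.append("400-empty-body")
    return reasons


def has_burst(times, threshold, window_seconds):
    """True if at least `threshold` timestamps fall inside some span of `window_seconds`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def scan(log_text, threshold=5, window_seconds=360):
    """Group flagged requests per client IP; mark IPs reaching `threshold` hits in `window_seconds`."""
    per_ip = defaultdict(lambda: {"hits": 0, "flagged": 0, "reasons": set(), "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        reasons = classify(rec)
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
            entry["times"].append(rec["ts"])
    for entry in per_ip.values():
        entry["burst"] = has_burst(entry["times"], threshold, window_seconds)
        del entry["times"]
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by feeding the file contents to `scan()`; an IP with `dvr-probe` in its reasons and `burst` set is the pattern the thread describes, while a single `dotdot` hit from a browser-like User-Agent is the more ordinary traversal attempt that the existing slashdot rules already catch.
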
6:07 am on Sept 27, 2019 (gmt 0)

tangor, Senior Member from US

joined: Nov 29, 2005
posts: 10572
votes: 1125


Thanks for the reminder ... been doing same for some time ... and the numbers of bad URI keeps increasing. All eat sparkly 403s. :)
5:35 pm on Sept 27, 2019 (gmt 0)

lucy24, Senior Member from US

joined: Apr 9, 2011
posts: 15934
votes: 889


<tangent>
Apache-flagged as a 400 error because of "erroneous characters after protocol string".

Oh, useful to know. My server doesn't log 400 errors (I just checked), so all I've ever known is “There was something wrong with the request” with accompanying “Sucks to be them”. While looking it up, I did notice that most 400s came in the middle of a group of 403s from the same IP, suggesting it's all attributable to another level of incompetence rather than a supplementary level of malice.

Further poking around logs reveals that a 400 response when combined with a missing UA (which of course would get them 403d otherwise) leads to a 0-byte response from the server. Interesting.

But I digress.
</tangent>