
URI: ./ ./ mnt/ custom/ ProductDefinition

DVR remote code execution


Pfui

3:15 am on Sep 8, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Spaces added to Subject to pass muster weren't enough. So picture this:

dotdot/dotdot/mnt/custom/ProductDefinition

Not a bot or spider per se but now that I've seen hundreds of those in a week I thought I'd mention it. The URI first appeared on Aug. 30th with no UA at all, and always Apache-flagged as a 400 error because of "erroneous characters after protocol string".

The majority of the hits are singles, but some number up to five in six minutes, and getting worse. Plus multiple same-Host static addresses suggest some ISPs may be affected. To date, most addresses have been in South America.

I've blocked slashdot patterns forever, but in case you don't, you might want to start -- and check your DVR brand. Here's more info about the exploit's possible origin(s) and actual existence:

"Unidentified Scanning Activity" [isc.sans.edu...]

"HiSilicon DVR Devices - Remote Code Execution" [exploit-db.com...]
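As an added illustration (not part of the original post), the following script shows how the observations above can be turned into a log check: it parses Apache combined-format lines, flags the dot-dot-slash traversal URIs, requests with no User-Agent and 400 responses, and then counts how many suspicious requests each address made within any six-minute span. The log lines are constructed for this example (RFC 5737 documentation addresses, not real scanner sources), and the combined log format, the six-minute window and the threshold of five hits are assumptions taken from the post rather than anything the forum supplies.

```python
"""Flag suspicious requests in Apache combined-format logs: directory-traversal
URIs, requests with no User-Agent, 400 responses, and per-IP bursts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (combined format). Addresses are from the
# RFC 5737 documentation ranges; nothing here is taken from a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2019:02:11:05 +0000] "GET /../../mnt/custom/ProductDefinition HTTP/1.1" 400 0 "-" "-"
203.0.113.10 - - [30/Aug/2019:02:12:40 +0000] "GET /../../mnt/custom/ProductDefinition HTTP/1.1" 400 0 "-" "-"
203.0.113.10 - - [30/Aug/2019:02:13:02 +0000] "GET /../../mnt/custom/ProductDefinition HTTP/1.1" 400 0 "-" "-"
203.0.113.10 - - [30/Aug/2019:02:15:30 +0000] "GET /../../mnt/custom/ProductDefinition HTTP/1.1" 400 0 "-" "-"
203.0.113.10 - - [30/Aug/2019:02:16:55 +0000] "GET /../../mnt/custom/ProductDefinition HTTP/1.1" 400 0 "-" "-"
198.51.100.7 - - [30/Aug/2019:03:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Aug/2019:03:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Aug/2019:04:20:00 +0000] "GET /..%2F..%2Fmnt/custom/ProductDefinition HTTP/1.1" 403 199 "-" "-"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Literal and percent-encoded "dot-dot-slash" forms (and the backslash variant).
TRAVERSAL_RE = re.compile(r'\.\./|\.\.%2[fF]|%2[eE]%2[eE](?:/|%2[fF])|\.\.\\')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_traversal(path):
    """True if the request path contains a directory-traversal sequence."""
    return bool(TRAVERSAL_RE.search(path))


def classify(entry):
    """Return the reasons an entry is suspicious (empty list if none)."""
    flags = []
    if is_traversal(entry["path"]):
        flags.append("traversal")
    if entry["ua"] in ("", "-"):       # no User-Agent header at all
        flags.append("no_ua")
    if entry["status"] == 400:         # server rejected the request line itself
        flags.append("http_400")
    return flags


def burst_counts(entries, window=timedelta(minutes=6)):
    """Largest number of requests from each IP inside any span of length `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):       # two-pointer sliding window
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        result[ip] = best
    return result


def analyze(log_text, burst_threshold=5):
    """Return flagged requests and the IPs whose suspicious hits reach the burst threshold."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    suspicious = [e for e in entries if classify(e)]
    flagged = [(e["ip"], e["path"], classify(e)) for e in suspicious]
    bursts = {ip: n for ip, n in burst_counts(suspicious).items() if n >= burst_threshold}
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, path, flags in report["flagged"]:
        print(f"{ip:15} {','.join(flags):25} {path}")
    for ip, n in report["bursts"].items():
        print(f"burst: {ip} made {n} suspicious requests within 6 minutes")
```

On the sample above, the five hits from 203.0.113.10 all carry the traversal, no-UA and 400 markers and fall inside one six-minute span, so that address is reported as a burst; the single encoded probe from 192.0.2.44 is flagged but does not reach the threshold. Feeding the script real log lines only requires that the server write the combined format the regex expects.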

tangor

6:07 am on Sep 27, 2019 (gmt 0)




Thanks for the reminder ... been doing same for some time ... and the numbers of bad URI keeps increasing. All eat sparkly 403s. :)

lucy24

5:35 pm on Sep 27, 2019 (gmt 0)




<tangent>
Apache-flagged as a 400 error because of "erroneous characters after protocol string".

Oh, useful to know. My server doesn't log 400 errors (I just checked), so all I've ever known is “There was something wrong with the request” with accompanying “Sucks to be them”. While looking it up, I did notice that most 400s came in the middle of a group of 403s from the same IP, suggesting it's all attributable to another level of incompetence rather than a supplementary level of malice.

Further poking around logs reveals that a 400 response when combined with a missing UA (which of course would get them 403d otherwise) leads to a 0-byte response from the server. Interesting.

But I digress.
</tangent>