Hello and welcome to the Tuesday, January 14th, 2025 edition of the Sands.

And it's Stormsaurus Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Well, let's start out with some honeypot logs today.

We got an increase in requests for a password reset URL that's associated

with Hickvision IP cameras. Of course, Hickvision has been often attacked. This is not a new

vulnerability. First mention I found was in 2018, a blog post by Rasmid Murat's. And what Rasmus did identify

here was not just that the password reset feature didn't have a rate limit implemented,

but also that the code it used for password reset was predictable. The idea behind the feature isn't sort of that unusual and not necessarily bad,

where the user is receiving a one-time reset code that they can then use to reset their password.

Of course, that code should only be sent to an existing email

address, maybe an SMS or something like that. It should be random. It shouldn't be

prudforceable and it should be limited for a short time frame. Well, Hickvision managed to

violate most of these. Rasmussen started out with

simple prudforce idea. And that worked. There was no rate limit implemented. Apparently,

there was also no real sort of time limit implemented, which made it relatively straightforward

to prudforce the code. But in addition to proof force the code.

But in addition to that, the code itself wasn't random.

It was derived from UPNP data that actually can be retrieved without authentication.

So that made it pretty straightforward to bypass the authentication for the password reset,

which in turn then allows the attacker to reset the password for the administrator.

The lesson learned here is not so much that, well, IP cameras are vulnerable.

...