Hi everyone,

In a recent large-scale attack against a well-known blogger, one of the devices said to be used was a Digital Video Recorder. I don't actually know which model, but there is a known vulnerability in one particular brand [1]. There were essentially two forms of attack against this device: the control protocol could be hacked, and they left telnet enabled. Now the control protocol is required for those devices that wish to communicate with it, but telnet is certainly not required, and there would be no need for a DVR to go after the blogger. The device is also known to use SMTP submission.
I thought it would be interesting to show an example of a MUD file that would have limited the attack. Note that it is left for the deployment to fill in the classes.

For your enjoyment...

Eliot

[1] https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117

{
  "ietf-mud:meta-info": {
    "lastUpdate": "2016-09-30T13:41:26+02:00",
    "systeminfo": "Dahua DVR",
    "cacheValidity": 1440
  },
  "ietf-acl:access-lists": {
    "ietf-acl:access-list": [
      {
        "acl-name": "mud-39882-v4in",
        "acl-type": "ipv4-acl",
        "ietf-mud:packet-direction": "to-device",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "entin0-in",
              "matches": {
                "ietf-mud:controller": "http://cameracontrollers.dahua.example.com",
                "protocol": 6,
                "source-port-range": {
                  "lower-port": 37777,
                  "upper-port": 37777
                }
              },
              "actions": {
                "permit": [ null ]
              }
            }
          ]
        }
      },
      {
        "acl-name": "mud-39882-v4out",
        "acl-type": "ipv4-acl",
        "ietf-mud:packet-direction": "from-device",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "entin0-in",
              "matches": {
                "ietf-mud:controller": "http://cameracontrollers.dahua.example.com",
                "protocol": 6,
                "source-port-range": {
                  "lower-port": 37777,
                  "upper-port": 37777
                }
              },
              "actions": {
                "permit": [ null ]
              }
            }
          ]
        }
      }
    ]
  }
}
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
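To show what an enforcement point would actually do with a file like the one above, here is an added Python example (written for this page, not code from the mail or from any MUD implementation) that walks the ACEs and decides whether a given flow is permitted; the controller address that the deployment resolves the class to is an assumed value.

```python
import json

# Constructed sample with the same structure and values as the MUD file in the mail above.
MUD_TEXT = """{"ietf-mud:meta-info": {"systeminfo": "Dahua DVR", "cacheValidity": 1440},
 "ietf-acl:access-lists": {"ietf-acl:access-list": [
  {"acl-name": "mud-39882-v4in", "acl-type": "ipv4-acl", "ietf-mud:packet-direction": "to-device",
   "access-list-entries": {"ace": [{"rule-name": "entin0-in", "matches": {
     "ietf-mud:controller": "http://cameracontrollers.dahua.example.com", "protocol": 6,
     "source-port-range": {"lower-port": 37777, "upper-port": 37777}},
     "actions": {"permit": [null]}}]}},
  {"acl-name": "mud-39882-v4out", "acl-type": "ipv4-acl", "ietf-mud:packet-direction": "from-device",
   "access-list-entries": {"ace": [{"rule-name": "entin0-in", "matches": {
     "ietf-mud:controller": "http://cameracontrollers.dahua.example.com", "protocol": 6,
     "source-port-range": {"lower-port": 37777, "upper-port": 37777}},
     "actions": {"permit": [null]}}]}}]}}"""
MUD = json.loads(MUD_TEXT)

# The deployment fills in the controller class; this address is an assumed example value.
CONTROLLERS = {"http://cameracontrollers.dahua.example.com": {"192.0.2.10"}}

def aces(mud):
    """Yield (packet-direction, ace) for every ACE in every ACL of the MUD file."""
    for acl in mud["ietf-acl:access-lists"]["ietf-acl:access-list"]:
        for ace in acl["access-list-entries"]["ace"]:
            yield acl["ietf-mud:packet-direction"], ace

def in_range(port, rng):
    return rng["lower-port"] <= port <= rng["upper-port"]

def ace_matches(ace, flow, controllers):
    """flow has proto, src_port, dst_port and peer (the address on the non-DVR side)."""
    m = ace["matches"]
    if "protocol" in m and m["protocol"] != flow["proto"]:
        return False
    if "ietf-mud:controller" in m and flow["peer"] not in controllers.get(m["ietf-mud:controller"], set()):
        return False
    if "source-port-range" in m and not in_range(flow["src_port"], m["source-port-range"]):
        return False
    if "destination-port-range" in m and not in_range(flow["dst_port"], m["destination-port-range"]):
        return False
    return True

def flow_permitted(mud, direction, flow, controllers=CONTROLLERS):
    """First matching ACE decides; a flow no ACE describes is denied, which is what keeps telnet out."""
    for d, ace in aces(mud):
        if d == direction and ace_matches(ace, flow, controllers):
            return "permit" in ace["actions"]
    return False
```

With this file, only port 37777 traffic to or from the resolved controller class passes; an inbound telnet connection or an outbound SMTP submission from the DVR matches nothing and is dropped.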
