
Multiple botnets are spreading using LILIN DVR 0-day

March 20, 2020 - 360netlab

Author: Yanlong Ma, Lingming Tu, Genshen Ye, Hongda Liu

When we talk about DDoS botnets, we tend to think of the typical scenario: mediocre, code-borrowing scripts targeting old vulnerabilities. But things have actually started to change; we have noticed more and more attackers beginning to use 0-day vulnerabilities.

Background

Starting from August 30, 2019, the 360Netlab Threat Detection System has flagged multiple attack groups using LILIN DVR 0-day vulnerabilities to spread the Chalubo[1], FBot[2] and Moobot[3] botnets.

On January 19, 2020, we reached out to the equipment manufacturer LILIN. On February 13, 2020, the vendor fixed the vulnerability[4] and released the latest firmware, 2.0b60_20200207[5].

Vulnerability analysis

The LILIN 0-day vulnerability consists of three parts: hard-coded login credentials, command injection vulnerabilities in /z/zbin/dvr_box, and an arbitrary file read vulnerability in /z/zbin/net_html.cgi. /z/zbin/dvr_box provides the web service, and its web interfaces /dvr/cmd and /cn/cmd have command injection vulnerabilities. The injected parameters observed have been NTPUpdate, FTP, and NTP.

List of hard-coded login credentials:

  * root/icatch99
  * report/8Jg0SR8K50

Default login credentials:

  * admin/123456

NTPUpdate injection vulnerability analysis

  1. In /z/zbin/dvr_box, the dvr_serv::do_request() function is responsible for parsing the XML configuration sent in a DVRPOST request and calling the corresponding processing function;
  2. The processing function dvr_core::NTPUpdate() passes the Server field to UtilityBox::UtilityNtp::run() in the dependent library libutility.so;
  3. UtilityBox::UtilityNtp::run() splices together and executes the NTP time synchronization command according to the value of the Server field;
  4. Nowhere along this chain are special characters in the Server field filtered, so command injection becomes possible.
     In the newly patched version 2.0b60_20200207, the vendor fixed the vulnerability by calling UtilityBox::Utility::ValidateHostName() to
     check the Server field at step 3.

FTP and NTP injection vulnerability analysis

  1. The device configuration /zconf/service.xml can be obtained using the hard-coded login credentials and the /z/zbin/net_html.cgi arbitrary file read [6];
  2. A backdoor command can be injected by modifying the Server field of the FTP or NTP parameters in /zconf/service.xml;
  3. The /dvr/cmd interface is accessed remotely with the hard-coded credentials, and the SetConfiguration
     function is used to upload the modified XML entity, so the configuration file is written to the target device;
  4. The device periodically synchronizes the FTP or NTP configuration, which triggers the command execution.

It is worth noting that the command injection via the FTP or NTP configuration relies on the network configuration obtained in steps 1 and 2. If step 3 is executed directly, the device will go offline.

In the newly patched version 2.0b60_20200207, the vendor has fixed this vulnerability: /z/zbin/dvr_box now calls the UtilityBox::Utility::ValidateHostName() function to check the Server field when writing the configuration.
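As an added example (not LILIN's code), the following C shows the shape of the fix described for both the NTPUpdate path and the FTP/NTP configuration path: the Server field is checked against hostname syntax before it is ever spliced into a command. The RFC 1123 rules used here and the `ntpdate` command name are assumptions for the example, not details from the firmware.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative RFC 1123 hostname check, written for this example; it is
 * not LILIN's UtilityBox::Utility::ValidateHostName(). Returns 1 if the
 * Server field is a plausible hostname or IPv4 literal, 0 otherwise. */
int validate_host_name(const char *host)
{
    size_t len, label_len = 0;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > 253)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* reject an empty label or a label ending in a hyphen */
            if (label_len == 0 || host[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* anything outside [A-Za-z0-9-] can never be part of a hostname */
        if (!(isalnum(c) || c == '-'))
            return 0;
        if (c == '-' && label_len == 0)
            return 0;                   /* label may not start with '-' */
        if (++label_len > 63)
            return 0;                   /* label too long */
    }
    /* a trailing '.' leaves label_len == 0; a trailing '-' is invalid */
    return label_len > 0 && host[len - 1] != '-';
}

/* Splice the Server field into the command only after validation.
 * "ntpdate" is an assumed command name for the example.
 * Returns 0 and fills out[] on success, -1 if the field is rejected. */
int build_ntp_command(const char *server, char *out, size_t outlen)
{
    if (!validate_host_name(server))
        return -1;
    if (snprintf(out, outlen, "ntpdate %s", server) >= (int)outlen)
        return -1;                      /* would not fit in out[] */
    return 0;
}
```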

Timeline

2019/08/30 We discovered Chalubo was spreading through the LILIN 0-day NTPUpdate vulnerability.
2020/01/11 We discovered that FBot was spreading through the LILIN 0-day FTP/NTP vulnerability.
2020/01/19 We reached out to the vendor.
2020/01/26 We discovered that Moobot was spreading through the LILIN 0-day FTP vulnerability.
2020/02/10 We reached out to the vendor again.
2020/02/12 We provided the FTP and NTP 0-day PoC details to the vendor.
2020/02/14 Vendor replied and fixed the vulnerability, and a new firmware 2.0b60_20200207 was released.

Affected firmware list

LILIN DHD516A
  * 2.0b1_20191202 - JPEG C4 panels
  * 2.0b1_20180828 - RTSP works

LILIN DHD508A
  * 2.0b1_20180828 - RTSP works

LILIN DHD504A
  * 2.0b1_20191202 - JPEG C4 panels
  * 2.0b1_20190417 - JPEG C4 panels

LILIN DHD316A
  * 2.0b1_20180828
  * 2.0b1_20171128 - C4 panels

LILIN DHD308A
  * 2.0b1_20180828

LILIN DHD304A
  * 2.0b1_20180828

LILIN DHD204 IP Camera
  * 1.06_20151201

LILIN DHD204A IP Camera
  * 2.0b60_20160223
  * 2.0b60_20161123

LILIN DHD208 IP Camera
  * 2.0b60_20160504

LILIN DHD208A IP Camera
  * 2.0b60_20160223
  * 2.0b60_20161123

LILIN DHD216 IP Camera
  * 2.0b60 20151111

LILIN DHD216A IP Camera
  * 2.0b60_20160223
  * 2.0b60_20161123

Suggestions

LILIN users should check and update their device firmware in a timely fashion, and strong login credentials should be enforced on the device.

The relevant malicious IPs, URLs and domains should be blocked and investigated on users' networks.

Contact us

Readers are always welcome to reach us on Twitter, WeChat (360Netlab) or by email to netlab at 360 dot cn.

IoC list

MD5


URL


C2

lakusdvroa.com:8080                   # Chalubo
45.10.90.89:61002                     # FBot
wor.wordtheminer.com:8725             # Moobot
nlocalhost.wordtheminer.com:422       # Moobot_xor
nlocalhost.wordtheminer.com:9746      # Moobot_xor

IP

IP                   Country              ASN                  Organization
45.10.90.89          Ukraine              ASN48693             Rices Privately owned enterprise
46.166.151.200       Netherlands          ASN43350             NForce Entertainment B.V.
74.91.115.209        United States        ASN14586             Nuclearfallout Enterprises, Inc.
82.223.101.182       Spain                ASN8560              1&1 Ionos Se
103.27.185.139       Japan                ASN134835            Starry Network Limited
185.183.96.139       Netherlands          ASN60117             Host Sailor Ltd.
188.209.49.219       Netherlands          ASN49349             Dotsi, Unipessoal Lda.
188.209.49.244       Netherlands          ASN49349             Dotsi, Unipessoal Lda.
190.115.18.37        Belize               ASN262254            DANCOM LTD
