Reports

Dahua Login Bypass with CVE-2021-33044 and CVE-2021-33045

Posted on January 4, 2022January 4, 2022 by Bruce Nguyen

04
Jan

Chrome extension that uses vulnerability CVE-2021-33044 to log in to Dahua IP cameras and VTH/VTO (video intercom) devices without authentication.
For other device types (NVR/DVR/XVR, etc), there exists CVE-2021-33045 which cannot be exploited with an ordinary web browser.
These vulnerabilities are likely to be fixed in firmware released after Sept 2021.
Credit for discovering the vulnerabilities: bashis
Chrom extension by: bp2008

Installation

Download the .zip file from the releases section.

Extract the folder from this zip somewhere.
Go to chrome’s extensions page ( chrome://extensions ).
Enable the Developer mode option at the top right.
Click Load unpacked and choose the DahuaLoginBypass folder you extracted.

Usage Instructions

Go to the login page of a Dahua IP camera and click the extension’s icon ( key) to the right of your address bar. This should add a panel with a new button for you to use:

Bruce Nguyen

I'm a technology lover so I'm happy to share my knowledge with everyone.

0 0 votes

Article Rating

0 Comments

Inline Feedbacks

View all comments

Would love your thoughts, please comment.x

()

| Reply

Please Enable JavaScript in your Browser to Visit this Site.

#mdp-deblocker-js-disabled { position: fixed; top: 0; left: 0; height: 100%; width: 100%; z-index: 999999; text-align: center; background-color: #FFFFFF; color: #000000; font-size: 40px; display: flex; align-items: center; justify-content: center; }