Another LILIN DVR 0-day being used to spread Mirai

Author: Yanlong Ma, Genshen Ye

Background Information

In March, we reported[1] that multiple botnets, including Chalubo, Fbot and
Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices; the
vendor fixed that vulnerability soon afterwards.

On August 26, 2020, our Anglerfish honeypot detected another new LILIN DVR/NVR
0-day, paired with the system default credential operxxxx:xxxxx (masked for
security reasons), being used to spread Mirai samples.

On September 21, 2020, we reported the finding to the Merit LILIN contact, and
the vendor fixed the vulnerability overnight, and also provided us a firmware fix ver

Impact devices

The 360 FirmwareTotal system lists the following firmware as affected:

DH032 Firmware
DH032 Firmware
DVR708 Firmware
DVR716 Firmware
DVR816 Firmware
NVR 404C Firmware
NVR 404C Firmware
NVR 408M Firmware
NVR100L 200L Rescue
NVR100L Firmware v1.1.56 - HTML5
NVR100L Firmware
NVR100L Firmware v1.1.74 - Push Notification
NVR100L, 200L Rescue
NVR104 Firmware
NVR104 Firmware
NVR109 Firmware
NVR109 Firmware
NVR109 Firmware
NVR116 Firmware
NVR116 Firmware
NVR116 Firmware
NVR1400L Firmware v1.1.56 - HTML5
NVR1400L Firmware
NVR1400L Firmware v1.1.74 - Push Notification
NVR200L Firmware v1.1.56 - HTML5
NVR200L Firmware
NVR200L Firmware v1.1.74 - Push Notification
NVR2400L Firmware v1.1.56 - HTML5
NVR2400L Firmware
NVR2400L Firmware v1.1.74 - Push Notification
NVR3216 Firmware
NVR3216 Recovery
NVR3416 Firmware
NVR3416 Recovery
NVR3416r Firmware
NVR3816 Firmware
NVR400L 1400 2400 Rescue
NVR400L Firmware v1.1.56 - HTML5
NVR400L Firmware
NVR400L Firmware v1.1.74 - Push Notification
NVR400L, 1400, 2400 Rescue
NVR5104E Firmware
NVR5104E Recovery
NVR5208E Firmware
NVR5208E Recovery
NVR5416E Firmware
NVR5832 Firmware
NVR5832 Firmware
NVR5832 Recovery
NVR5832S Firmware
NVR5832S Recovery
VD022 Firmware
VD022 Firmware

The 360 Quake cyberspace mapping system mapped assets globally and found
1049094 IP addresses on the public Internet carrying a Merit LILIN DVR/NVR
fingerprint (app:"LILIN_DVR"); 6748 of them are considered vulnerable. The vast
majority of these devices are located in Taiwan, China, as shown in the figure
below.

Vulnerability Analysis

Vulnerability Type: Remote Command Execution Vulnerability
Vulnerability detail: The web service program /opt/extra/main defines a GET
/getclock interface for viewing and modifying the device's time-related
configuration. When /opt/extra/main starts, it also starts the command-line
program /mnt/mtd/subapp/syscmd, and the commands that need to be executed are
passed to syscmd via shared memory.

  1. When the incoming parameter cmd is set, the parameter NTP_SERVER can be
    used to set the device's time synchronization server.
  2. The GET /getclock callback does not validate the value of NTP_SERVER. It
    saves the relevant fields and then creates a CMDQ_SET_SYS_TIME message that
    is pushed onto cmdQueue.
  3. The CMDQ_SET_SYS_TIME handler of cmdQueue reads those fields back and
    formats them into the following shell command, which it writes into the
    shared memory for syscmd to run. Because v4 holds the unchecked NTP_SERVER
    value, shell metacharacters in that parameter are executed by the device,
    giving remote command execution:
/opt/extra/subapp/ntpclient -s -t -h %s > %s &", v4, "/tmp/ntp.dat"

Vulnerability Fix: In the updated firmware, before the NTP_SERVER parameter is
saved, a function resolve_ip(), which wraps inet_aton(), is called to check
that the input is a valid IP address. The process is as follows.

  1. For a parameter in hostname/URL form, the resolver library is called to
    resolve the name; if resolution succeeds the resulting IP address is
    written into ipAddr and True is returned, otherwise False is returned.
  2. For an IP address, the address is written directly into ipAddr and True is
    returned.
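The following C program is an added illustration of the bug and the fix described above; it is not code from the LILIN firmware or from 360 Netlab. It rebuilds the vulnerable pattern (the recovered format string fed the raw NTP_SERVER value) next to a hardened version modelled on the resolve_ip() behaviour the page describes. The function names other than resolve_ip(), the buffer sizes, the offline stand-in resolver and its pool.ntp.org mapping, and the hostname-alphabet pre-check are assumptions of this example. The sample inputs are constructed, and the injection string uses only a harmless metacharacter to show where the boundary is.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>

/* Format string as recovered from /opt/extra/main (quoted on the page). */
#define NTP_CMD_FMT "/opt/extra/subapp/ntpclient -s -t -h %s > %s &"
#define NTP_OUT     "/tmp/ntp.dat"

/* Vulnerable pattern: the request parameter is formatted straight into the
 * shell line. Returns 0 on success, -1 if the command did not fit. */
int build_ntp_cmd_vulnerable(const char *ntp_server, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, NTP_CMD_FMT, ntp_server, NTP_OUT);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Resolver hook so the example runs offline. Returns 1 and fills addr on success. */
typedef int (*resolver_fn)(const char *name, struct in_addr *addr);

/* Constructed stand-in for DNS: one known name, everything else fails. */
int resolve_fake(const char *name, struct in_addr *addr)
{
    if (strcmp(name, "pool.ntp.org") == 0)
        return inet_aton("192.0.2.10", addr);   /* RFC 5737 documentation address */
    return 0;
}

/* Real resolver for use on a device (not exercised by the offline demo). */
int resolve_getaddrinfo(const char *name, struct in_addr *addr)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    *addr = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return 1;
}

/* Hostname alphabet check (letters, digits, '-' and '.'), applied before anything
 * reaches the resolver. This pre-check is an addition of this example; the page
 * does not attribute it to the vendor fix. */
static int looks_like_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
            return 0;
    return 1;
}

/* Reconstruction of the resolve_ip() check the page describes: dotted-quad input is
 * accepted via inet_aton(), anything else must resolve. In both cases ipAddr
 * receives the canonical address from inet_ntoa(), never the raw input. */
int resolve_ip(const char *in, char *ipAddr, size_t iplen, resolver_fn resolve)
{
    struct in_addr a;
    if (!inet_aton(in, &a)) {
        if (!looks_like_hostname(in) || !resolve(in, &a))
            return 0;
    }
    snprintf(ipAddr, iplen, "%s", inet_ntoa(a));
    return 1;
}

/* Hardened pattern: format the canonical address, not the request parameter. */
int build_ntp_cmd_hardened(const char *ntp_server, char *out, size_t outlen,
                           resolver_fn resolve)
{
    char ipAddr[INET_ADDRSTRLEN];
    if (!resolve_ip(ntp_server, ipAddr, sizeof ipAddr, resolve))
        return -1;
    int n = snprintf(out, outlen, NTP_CMD_FMT, ipAddr, NTP_OUT);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Outcome helpers: -1 = input rejected, 1 = command built and carries a shell
 * metacharacter beyond the trailing '&' of the format, 0 = clean command built. */
static int classify(int rc, const char *cmd)
{
    if (rc != 0) return -1;
    return strpbrk(cmd, ";|`$\n") != NULL ? 1 : 0;
}
int vulnerable_outcome(const char *in)
{
    char cmd[256];
    return classify(build_ntp_cmd_vulnerable(in, cmd, sizeof cmd), cmd);
}
int hardened_outcome(const char *in)
{
    char cmd[256];
    return classify(build_ntp_cmd_hardened(in, cmd, sizeof cmd, resolve_fake), cmd);
}

int main(void)
{
    /* Constructed request values: a literal IP, a hostname, an injection attempt. */
    const char *inputs[] = { "192.0.2.10", "pool.ntp.org", "192.0.2.10;id" };
    char cmd[256];
    for (size_t i = 0; i < 3; i++) {
        build_ntp_cmd_vulnerable(inputs[i], cmd, sizeof cmd);
        printf("vulnerable: %s\n", cmd);
        if (build_ntp_cmd_hardened(inputs[i], cmd, sizeof cmd, resolve_fake) == 0)
            printf("hardened:   %s\n", cmd);
        else
            printf("hardened:   rejected %s\n", inputs[i]);
    }
    return 0;
}
```

One caveat worth keeping in mind when reviewing a fix of this shape: glibc's inet_aton() ignores trailing whitespace and whatever follows it, so "192.0.2.10 ;id" still parses as a valid address. A check that only calls inet_aton() and then formats the original string would remain injectable; the hardened version above is safe because the shell line is built from the inet_ntoa() output, which can only ever be a dotted quad.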


We recommend that Merit LILIN DVR/NVR users check for and install the updated
firmware, and set strong login credentials on their devices.

We also recommend that users monitor and block the URLs on the IoC list below.

Contact us

Readers are always welcome to reach us on Twitter, or by email to netlab at 360
dot cn.

IoC list

IP        	Romania             	ASN48090            	Pptechnology Limited