HBGK DVR 3.0.0 Build 20161206 Authentication Bypass

2017.10.02
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: HBGK DVR V3.0.0 build20161206 - Authentication Bypass # Date: 24-09-2017 # Vendor Homepage: http://www.hbgk.net/en/ # Exploit Author: RAT - ThiefKing # Contact: https://www.facebook.com/cctvsuperpassword # Website: http://tromcap.com # Category: webapps # Tested on: V2.3.1 build20160927, V3.0.0 build20161206 # Shodan Dork: NVR Webserver 1. Description - Any registered user can login when edit cookie userInfo 2. Proof of Concept - When login successful: DVR save cookie : userInfo + webport with value: base64 encode (user:pass) Ex: http://dvr-domain.dynns.com:85 --> When login successful (user: admin, pass: admin), DVR will save cookie: userInfo85 with value YWRtaW46YWRtaW4= (admin:admin <-- base64 decode) But Dvr not check pass with cookie. When not yet login, you add a cookie: userInfoXX (xx : web port) with value base64 encode (admin: any words). And go url: http://dvr-domain.dynns.com:XX/doc/page/main.asp. It will Authentication Bypass 3. Solution: Update to Firmware version V3.0.0 build20170925


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top