
List:       full-disclosure
Subject:    [FD] Aver EVC300 and others
From:       protostsu via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2021-12-20 5:33:50
Message-ID: paEM6Kdhwzr7UEonjcg7e-pqOUxkuwN2v8imrsNaoVAZ9L5P7JXXRmu65HV6EEmIJC134Aa6Y70MTBq-kFaqsISrz2YJINJcLaB-rA9rxI8= () protonmail ! com

Firmware for Aver EVC300 (multipoint video conferencing system) v00.10.16.36 and others (as well as firmware for several other devices manufactured by Aver, potentially all multipoint video conferencing systems) contains multiple advanced features that are not well documented:

1. The web admin server continues to run even if the web administration is disabled. The check for whether access is local to the device or remote is done in JavaScript using a specific cookie. By setting the cookie as follows during page load:

document.cookie="VnsSuperPassword=#qC9,kD:;CupSuperPassword=fu.1u3wk4;"
it is possible to bypass the remote access restrictions, and use "local" UI.

2. Once the "access restrictions" are bypassed, it is possible to enable normal remote access. It is also possible to reset the admin password by setting a JavaScript variable in adminPwd.js (variable name j in the version we had available) to 1 using JS debugging. This disables the security check asking to enter the prior password. This feature is obviously an educational tool to acquaint children with the browser debug console.

3. URL <EVC300 IP>/monitor/monitor.jpg is accessible regardless of authentication status, and shows a low-resolution image of the monitor the device is connected to, or of the camera, depending on device status. Older versions of firmware used the URL "rimg/monitor.jpg".

4. The device has an ssh daemon (dropbear; others on other devices) listening on ports 1587, 1588 and 1589. It also has a hardcoded account avermediainfo with password avi2008 that has root privileges on the device.

1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)
1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)

5. By accessing the device over ssh, one can read the file /mnt/others/var/Olympus/Athena.ini, where the administrator password is stored in clear text ("1234" is the default password):

Password="*****"
PPPoEPassword="aver"
SIPTerminalPassword=""
SIPServerPasswordOn=Y
SIPServerPassword="1234"
IwbPw="1234"
AccessCode="1234"
RegGatekeeperPwd=""
This is very convenient in case one forgot the administrator password and does not want to bother with the JS console.

6. As of the time of writing this, the above features can be enjoyed at the site vcdemo.aver.com (61.219.195.10), as well as several other IP addresses in the same range, such as 61.219.195.23. Additional edutainment endpoints can be found by using Nmap, or, for example, by using censys.io to search HTML title (services.http.response.html_title="Video Conference"), and then checking resulting IP addresses.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
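The post leaves an asset owner with two artifacts to triage on a device they already administer: the Nmap service lines for the three Dropbear ports (item 4) and the Athena.ini dump with its password fields (item 5). The script below is an added example, not code from the post or from Aver, that parses both offline and reports what a defender cares about: ssh listeners on non-standard ports with a dated Dropbear release, and password fields that are empty, still at the "1234" default, or stored in clear text at all. The sample inputs are constructed from the values quoted in the post; the key-name pattern used to recognise password fields and the Dropbear year cut-off are this example's own assumptions.

```python
"""Offline triage of an Nmap listing and an Athena.ini dump (added example)."""
import re
from typing import Dict, List

# Constructed sample: the three Nmap lines quoted in the post.
NMAP_SAMPLE = """\
1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)
1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
"""

# Constructed sample modelled on the Athena.ini keys listed in the post,
# with the admin Password set to the "1234" default the post mentions.
INI_SAMPLE = """\
Password="1234"
PPPoEPassword="aver"
SIPTerminalPassword=""
SIPServerPasswordOn=Y
SIPServerPassword="1234"
IwbPw="1234"
AccessCode="1234"
RegGatekeeperPwd=""
"""

# Nmap normal output: "<port>/<proto> <state> <service> <reason...> <version...>"
NMAP_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)\s+(?P<rest>.*)$")
DROPBEAR_VERSION = re.compile(r"Dropbear sshd (?P<ver>\d{4}\.\d+)")
# Assumption for this example: Dropbear releases are named <year>.<n>;
# anything older than this year is treated as out of date.
DROPBEAR_MIN_YEAR = 2020

# Assumption for this example: a key names a credential if it ends in one of these.
CREDENTIAL_KEY = re.compile(r"(password|pwd|pw|accesscode)$", re.IGNORECASE)
DEFAULT_SECRET = "1234"   # default quoted in the post


def audit_nmap(text: str) -> List[Dict[str, object]]:
    """Return one finding per open ssh port: port, version and the flags raised."""
    findings = []
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if not m or m["state"] != "open" or m["service"] != "ssh":
            continue
        port = int(m["port"])
        v = DROPBEAR_VERSION.search(m["rest"])
        version = v["ver"] if v else None
        flags = []
        if port != 22:
            flags.append("nonstandard_port")
        if version and int(version.split(".")[0]) < DROPBEAR_MIN_YEAR:
            flags.append("outdated_dropbear")
        findings.append({"port": port, "version": version, "flags": flags})
    return findings


def audit_ini(text: str) -> List[Dict[str, str]]:
    """Classify every credential-bearing key as default, empty or cleartext."""
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, raw = line.partition("=")
        key, value = key.strip(), raw.strip().strip('"')
        if not CREDENTIAL_KEY.search(key):
            continue   # e.g. SIPServerPasswordOn is an on/off switch, not a secret
        if value == "":
            status = "empty"
        elif value == DEFAULT_SECRET:
            status = "default"
        else:
            status = "cleartext"
        findings.append({"key": key, "status": status})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count ini findings per status."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_nmap(NMAP_SAMPLE):
        print(f"ssh on {f['port']}: Dropbear {f['version']} {f['flags']}")
    for f in audit_ini(INI_SAMPLE):
        print(f"{f['key']}: {f['status']}")
    print(summarize(audit_ini(INI_SAMPLE)))
```

Run against a real dump, every "default" entry is a password to rotate, every "cleartext" entry is a secret that must be treated as exposed once the ssh account in item 4 is known, and the "outdated_dropbear" flag on a non-standard port is the fingerprint to hunt for in your own network scans.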


