Samsung NVR Recorder SRN-1670D is a high-performance network video recorder. An arbitrary file upload vulnerability was found in the Web Viewer component, which could allow an authenticated user to upload a PHP payload to get code execution.
Recent assessments:
jvazquez-r7 at September 12, 2019 6:07pm UTC reported:
The vulnerable code can be found in network_ssl_upload.php:
    $path = "./upload/";
    $file = $_FILES[ "attachFile" ];
    $isApply = ( int )$_POST[ "is_apply" ];
    $isInstall = ( int )$_POST[ "isInstall" ];
    $isCertFlag = ( int )$_POST[ "isCertFlag" ];

    // create socket
    $N_message = "";
    $sock = mySocket_create($_is_unix_socket);
    $connected = mySocket_connect($_is_unix_socket, $sock);

    $loginInfo = new loginInfo();
    $retLogin = loginManager( $connected, $sock, null, $loginInfo );
    if ( ( $retLogin == true ) && ( $isApply == 2 || $isApply == 3 ) ) {
        if ($connected) {
            $id = $loginInfo->get_id();
            $xmlFile = $id.'_config.xml';
            $N_message = "dummy".nvr_command::DELIM;
            $N_message .= "userid ".$id.nvr_command::DELIM;

            if ( $isInstall == 1 ) {
                // File upload ===============================================================
                if ( $file[ "error" ] > 0 ) {
                    $Error = "Error: ".$file[ "error" ];
                } else {
                    // The client-supplied file name is appended to $path with no extension or content check.
                    $retFile = @copy( $file[ "tmp_name" ], $path.$file[ "name" ] );
                }
                // ===========================================================================
            }
To avoid the need for authentication, the exploit also takes advantage of another vulnerability (CVE-2015-8279) in the log exporting function to read an arbitrary file from the remote machine in order to obtain credentials that can be used for the attack.
Assessed Attacker Value: 0
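A hardened counterpart to the `copy()` call in the excerpt above, added here as an example; it is not Samsung's code and not part of the assessment. It assumes the handler is only meant to accept a PEM X.509 certificate (inferred from the script name) and that the PHP openssl extension is available; `CERT_DIR`, `MAX_CERT_BYTES` and both function names are hypothetical.

```php
<?php
// Added example. Assumption: only PEM X.509 certificates are legitimate uploads here.
// CERT_DIR and MAX_CERT_BYTES are hypothetical values, not taken from the device.
const CERT_DIR = '/var/lib/nvr/certs';   // outside the web root, never served or executed
const MAX_CERT_BYTES = 65536;

/** Returns a rejection reason, or null when $pem is an acceptable certificate. */
function cert_rejection_reason(string $pem): ?string
{
    if (strlen($pem) === 0 || strlen($pem) > MAX_CERT_BYTES) {
        return 'size out of range';
    }
    // Text outside the BEGIN/END markers can survive PEM parsing, so refuse PHP open tags.
    if (strpos($pem, '<?') !== false) {
        return 'contains a PHP open tag';
    }
    if (@openssl_x509_read($pem) === false) {
        return 'not a parseable X.509 certificate';
    }
    return null;
}

/**
 * Store one $_FILES entry as a certificate and return the stored path.
 * The client-supplied $file['name'] is never used to build the destination.
 */
function store_uploaded_cert(array $file, string $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error: ' . ($file['error'] ?? 'missing'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    $pem = file_get_contents($file['tmp_name'], false, null, 0, MAX_CERT_BYTES + 1);
    if ($pem === false || ($why = cert_rejection_reason($pem)) !== null) {
        throw new RuntimeException('rejected: ' . ($why ?? 'unreadable'));
    }
    // Server-generated name with a fixed, non-executable extension.
    $dest = CERT_DIR . '/' . hash('sha256', $userId) . '_' . bin2hex(random_bytes(8)) . '.pem';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0600);
    return $dest;
}
```

In the excerpt's flow this would replace the `@copy(...)` line, called as `store_uploaded_cert($file, $id)` inside the existing login check.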