Servision HVG Hardcoded Credentials

Type packetstorm
Reporter Richard Tafoya
Modified 2016-02-11T00:00:00


Over a year ago I disclosed several vulnerabilities in Servision HVG network video recording devices. CVE-2015-0929 and CVE-2015-0930.  
Since it's been a while now, and hardcoded backdoor passwords in "security" devices are the current hotness...  
Hardcoded Backdoor Password: A hardcoded backdoor password has been discovered in SerVision HVG firmware below version 2.2.26a100.  
An unauthenticated user may visit the servision Web GUI Login (http://<Servision_IP>:port/) and utilize the password "Bantham" (without the quotes) with a blank username (or any username) to log into the Web GUI with "admin" like rights. This user account can then perform actions such as deleting all of the recorded video or making a settings change that would essentially tell the device to wait up to 11 days after startup to turn on the network interface (effective DoS for video recording), additionally you can view the user list and their passwords in cleartext (view source on the user list page.)  
How it was discovered: The firmware tvx file was viewed via a hex editor and all hex characters were converted to ASCII. All 5-10 character ASCII strings from the firmware file were pulled out and used in a password brute force attack against the usernames “Administrator, Admin, and root” on the servision test device. This password worked on all three accounts, even though the “admin” account had a different password set and the other two users did not even exist on the device. I attempted to login with this password and a blank username and that also allowed access into the device.  
How to find servisions on the internet:   
Default http Port = 10000 or 9988   
The "Server:" header in an HTTP GET response from the device will have a value similar to the below examples.  
Server:2.2.23a65/8848(2.1) Server:2.2.23a65/8848(2.2) Server:2.2.23a65/8847(2.1) Server:2.2.23a65/8847(2.2)