Lorex ECO DVR Backdoor Account

2016-05-30T00:00:00
ID PACKETSTORM:137249
Type packetstorm
Reporter Andrew Hofmans
Modified 2016-05-30T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
1. ADVISORY INFORMATION  
=======================  
Product: Lorex ECO DVR  
Vendor URL: https://www.lorextechnology.com/  
Type: Hard coded password [CWE-259]  
Date found: 2016-05-04  
Date published: 2016-05-30  
CVE: -  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Andrew Hofmans. https://www.andrewhofmans.com  
  
3. VERSIONS AFFECTED  
====================  
Vulnerability successfully tested on Lorex LH162400 DVR firmware (V5.2.0-20141008) using Lorex Stratus Client and Lorex ECO Stratus Android app. Vulnerability may be present on other DVRs that are able to be accessed via Lorex's Stratus Client, and Lorex ECO Stratus Android app. Affected DVRs likely include the vendors and versions listed specifically in the code.  
  
4. INTRODUCTION  
===============  
LOREX provides businesses and consumers with professional-grade DIY video surveillance systems and plug and play wireless video monitoring solutions.  
  
(from the vendor's homepage)  
  
5. VULNERABILITY DETAILS  
========================  
Remote access to the device is possible using Lorex's Stratus Client which is downloadable from the vendor. User is prompted for IP, username/password, and port. DVRs are easily identified on a LAN using normal port scanning and enumeration. Default username and password is admin:000000 (from manufacturer manual). On first login admin user is prompted to change password. No matter what the password is or what it is changed to the "SuperPassword" grants admin access to the device.   
  
The following Proof-of-Concept is found in plaintext in the [installation directory]\new-trunk\js\main.js :  
  
function CheckPassword(){};  
$(function(){  
$("#btn_reboot_ok").click(function(){  
var SuperPassword;  
if(gDvr.nMainType == 0x52530003 || (gDvr.nMainType == 0x52530002 && gDvr.nSubType == 0x50100) || (gDvr.nMainType == 0x52530000 && gDvr.nSubType == 0x60300)){  
SuperPassword = "130901";  
}else{  
SuperPassword = "070901";  
}  
if(lgCls.version == "SWANN"){  
SuperPassword = "479266";  
}else if(lgCls.version == "PROTECTRON"){  
SuperPassword = "Ab9842";  
}  
if($("#reboot_input").val() == gVar.passwd || $("#reboot_input").val() == SuperPassword){  
MasklayerHide();  
$("#reboot_prompt").css("display","none");  
CheckPassword();  
}  
  
6. RISK  
=======  
To successfully exploit this vulnerability an attacker must have remote access to the DVR over port 9000. Attacker can use Lorex's Stratus Client and use the hardcoded admin password for specific vendor and model.  
  
The vulnerability allows remote attackers full administrative access to the device.  
  
7. SOLUTION  
===========  
Prevent remote access to port 9000 at the firewall. Segregate DVR from normal LAN to limited access internal LAN segment / VLAN.  
  
8. REPORT TIMELINE  
==================  
2016-05-04: Discovery of the vulnerability  
2016-05-05: Informed applicable Vendors  
2016-05-05: Submitted vulnerability to US-CERT  
2016-05-05: Response from US-CERT informing similar vulnerability was previously reported which vendor ignored. No further attempts will be made.  
2016-05-16: Response from Swann  
2016-05-30: Advisory released  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQIcBAEBCAAGBQJXTIM3AAoJEMRLVTzPHmJSPokQAILGTd4y/q7iyK5w0+uaTh92  
0L/FjvEPTs9D1OV82EWjskjzGUKi85R+irG5JYm2TP67km9LSDGu0+4zUPBHP+I9  
CCmXgs4ZidW38lhkuauggZaBwUcaED+Ws8yUTqHeaj3q1E9X2UFKbalxbwHE0mI0  
6QouLMrKGL8n/qRJfRfp6i7oAeyxrMHC2Aqsd98V5OGeC9/xCQlhMPwTxLCb/P5p  
M5qQH5uaxb552KugUodwVhad+qnH4BTvs43pzEl7F9IekmPILqfRNm9I+c3IToIz  
E8nRlTHJumlhkj35McWp63d5UWvHseFpK36Ej37F5fBFb5QQHSISpqzp3g1X1zTB  
a4ZSGBE6sgYwfi1auw+LglC0MVDz7Opi1jsogqwHRfvEqNKE7R1yhlzMt1hjEFP3  
6MqhVS9itr1VjuuS00tjBIEAZ3bJ1r7YF/nUmlzq9NdoD9AEkIOC6+ahybURmJDv  
UN1d1t+koHtouVISzWzcRmQw3zID1HxEg55uPnmxuz0Q0fuYUdHAVq7kzMJXJwX5  
FpUhYePnYfXO8C3dUnxfHEhb3Fp4q03f0Kvb/6oI2VO3RoX178dApLXaMOi9Dihv  
jLwrJOHNfPcn4Q2DnHVoADfQjEQGdt2a4ukvF1EOw/A20ACE1wjEnRG3mGj3NFFR  
zUhFAVtD+uJ2gPlOCiip  
=NH0s  
-----END PGP SIGNATURE-----  
`