
Lorex ECO DVR Backdoor Account

Posted May 30, 2016
Authored by Andrew Hofmans

Lorex LH162400 DVR firmware version 5.2.0-20141008 has a hard-coded administrative backdoor credential.

tags | exploit
SHA-256 | e8f13a783ea42627048c1254e1521e597f8febb49cdc37b444c32eeec559dc49


1. ADVISORY INFORMATION
=======================
Product: Lorex ECO DVR
Vendor URL: https://www.lorextechnology.com/
Type: Hard coded password [CWE-259]
Date found: 2016-05-04
Date published: 2016-05-30
CVE: -

2. CREDITS
==========
This vulnerability was discovered and researched by Andrew Hofmans. https://www.andrewhofmans.com

3. VERSIONS AFFECTED
====================
The vulnerability was successfully tested on Lorex LH162400 DVR firmware (V5.2.0-20141008) using the Lorex Stratus Client and the Lorex ECO Stratus Android app. It may be present on other DVRs that can be accessed via Lorex's Stratus Client and the Lorex ECO Stratus Android app. Affected DVRs likely include the vendors and versions listed specifically in the code.

4. INTRODUCTION
===============
LOREX provides businesses and consumers with professional-grade DIY video surveillance systems and plug and play wireless video monitoring solutions.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
Remote access to the device is possible using Lorex's Stratus Client, which is downloadable from the vendor. The user is prompted for the IP, username/password, and port. DVRs are easily identified on a LAN using normal port scanning and enumeration. The default username and password are admin:000000 (from the manufacturer's manual). On first login the admin user is prompted to change the password. No matter what the password is or what it is changed to, the "SuperPassword" grants admin access to the device.

The following Proof-of-Concept is found in plaintext in [installation directory]\new-trunk\js\main.js:

function CheckPassword(){};
$(function(){
    $("#btn_reboot_ok").click(function(){
        // Hard-coded fallback password, selected by device type and vendor build
        var SuperPassword;
        if(gDvr.nMainType == 0x52530003 || (gDvr.nMainType == 0x52530002 && gDvr.nSubType == 0x50100) || (gDvr.nMainType == 0x52530000 && gDvr.nSubType == 0x60300)){
            SuperPassword = "130901";
        }else{
            SuperPassword = "070901";
        }
        if(lgCls.version == "SWANN"){
            SuperPassword = "479266";
        }else if(lgCls.version == "PROTECTRON"){
            SuperPassword = "Ab9842";
        }
        // The prompt accepts either the configured password or the hard-coded one
        if($("#reboot_input").val() == gVar.passwd || $("#reboot_input").val() == SuperPassword){
            MasklayerHide();
            $("#reboot_prompt").css("display","none");
            CheckPassword();
        }
        // (the excerpt in the advisory ends here; closing braces added)
    });
});
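
An added example, not part of the original advisory or the vendor's code: a minimal Node.js source audit that flags the pattern in the excerpt above, a password-like variable assigned a string literal and then accepted in an equality check. The function name, the name heuristics and the sample input (constructed, with placeholder values) are assumptions of this example.

```javascript
// Added example, not vendor code: flag hard-coded credentials (CWE-259) in JS source.
const CRED_NAME = /pass(word|wd)?|pwd|secret/i;
// Matches: identifier = "string literal". Identifiers containing $ are not handled.
const ASSIGN = /\b([A-Za-z_]\w*)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2/g;

function findHardcodedCredentials(source) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  const names = new Set();

  // Pass 1: credential-like variables assigned a non-empty string literal.
  lines.forEach((text, i) => {
    for (const m of text.matchAll(ASSIGN)) {
      if (!CRED_NAME.test(m[1]) || m[3].length === 0) continue;
      names.add(m[1]);
      // Report location and length only, never the secret itself.
      findings.push({ line: i + 1, kind: "literal", name: m[1], length: m[3].length });
    }
  });

  // Pass 2: equality checks that accept one of those variables.
  for (const name of names) {
    const cmp = new RegExp(`[=!]==?\\s*${name}\\b|\\b${name}\\s*[=!]==?`);
    lines.forEach((text, i) => {
      if (cmp.test(text)) findings.push({ line: i + 1, kind: "compare", name });
    });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample shaped like the advisory's excerpt; values are placeholders.
const SAMPLE = [
  'var SuperPassword;',
  'if (model == 1) { SuperPassword = "PLACEHOLDER-A"; } else { SuperPassword = "PLACEHOLDER-B"; }',
  'if (brand == "X") { SuperPassword = "PLACEHOLDER-C"; }',
  'if (input == gVar.passwd || input == SuperPassword) { unlock(); }',
].join("\n");

console.log(findHardcodedCredentials(SAMPLE));
```

A "compare" finding on a variable that also has "literal" findings is the combination to escalate in review: it means the authentication decision is made in client-side code against a value shipped to every user.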

6. RISK
=======
To successfully exploit this vulnerability, an attacker must have remote access to the DVR over port 9000. The attacker can use Lorex's Stratus Client with the hardcoded admin password for the specific vendor and model.

The vulnerability allows remote attackers full administrative access to the device.

7. SOLUTION
===========
Prevent remote access to port 9000 at the firewall. Segregate the DVR from the normal LAN onto a limited-access internal LAN segment / VLAN.

8. REPORT TIMELINE
==================
2016-05-04: Discovery of the vulnerability
2016-05-05: Informed applicable Vendors
2016-05-05: Submitted vulnerability to US-CERT
2016-05-05: Response from US-CERT stating that a similar vulnerability was previously reported, which the vendor ignored. No further attempts will be made.
2016-05-16: Response from Swann
2016-05-30: Advisory released
