exploit the possibilities

Aver EVC300 Firmware 00.10.16.36 Hardcoded Secrets

Aver EVC300 Firmware 00.10.16.36 Hardcoded Secrets
Posted Dec 21, 2021
Authored by protostsu

Aver EVC300 firmware version 00.10.16.36 suffers from having multiple hard-coded secrets that can allow for access bypass.

tags | exploit, bypass
MD5 | 4f3d0c93b72d721fb2b7ee87138144c7

Aver EVC300 Firmware 00.10.16.36 Hardcoded Secrets

Change Mirror Download
Firmware for Aver EVC300 (multipoint video conferencing system) v00.10.16.36 and others (as well as firmware for several other devices manufactured by Aver, potentially all multipoint video conferencing systems) contains multiple advanced features that are not well documented:

1. The web admin server continues to run even if the web administration is disabled. Check for whether access is local to the device or remote is done in Javascript using specific cookie.
By setting the cookie as follows during page load:

document.cookie="VnsSuperPassword=#qC9,kD:;CupSuperPassword=fu.1u3wk4;"
it is possible to bypass the remote access restrictions, and use "local" UI.

2. Once the "access restrictions" are bypassed, it is possible to enable normal remote access. It is also possible to reset admin password by setting
a Javascript variable in adminPwd.js (variable name j in the version we had available) to 1 using JS debugging. This disables security check asking to enter prior password.
This feature is obviously an educational tool to acquaint children with browser debug console.

3. URL <EVC300 IP>/monitor/monitor.jpg is accessible regardless of authentication status, and shows low resolution image of monitor the device is connected to, or camera, depending on device status.
Older versions of firmware used URL "rimg/monitor.jpg"

4. Device has ssh daemon (dropbear, others on other devices) listening on ports 1587,1588 and 1589.
It also has a hardcoded account avermediainfo with password avi2008 that has root privileges on the device.

1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)
1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)

5. By accessing device over ssh, one can read the file /mnt/others/var/Olympus/Athena.ini, where administrator password is stored in clear text ("1234" is default password):
Password="*****"
PPPoEPassword="aver"
SIPTerminalPassword=""
SIPServerPasswordOn=Y
SIPServerPassword="1234"
IwbPw="1234"
AccessCode="1234"
RegGatekeeperPwd=""
This is very convenient in case one forgot administrator password and does not want to bother with JS console.

6. As of the time of writing this, the above features can be enjoyed at the site vcdemo.aver.com (61.219.195.10), as well as several other IP addresses in the same range, such as 61.219.195.23.
Additional edutainment endpoints can be found by using Nmap, or, for example, by using censys.io to search HTML title (services.http.response.html_title="Video Conference"), and then checking resulting IP addresses.


Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close