
Aver EVC300 Firmware 00.10.16.36 Hardcoded Secrets

Posted Dec 21, 2021
Authored by protostsu

Aver EVC300 firmware version 00.10.16.36 suffers from having multiple hard-coded secrets that can allow for access bypass.

tags | exploit, bypass
SHA-256 | 6c8b58eebefab883a476e7c0e7a31db4a47012aef0195c394bc77695927b4f87

Firmware for Aver EVC300 (multipoint video conferencing system) v00.10.16.36 and others (as well as firmware for several other devices manufactured by Aver, potentially all multipoint video conferencing systems) contains multiple advanced features that are not well documented:

1. The web admin server continues to run even if web administration is disabled. The check for whether access is local to the device or remote is done in JavaScript using a specific cookie.
By setting the cookie as follows during page load:

document.cookie="VnsSuperPassword=#qC9,kD:;CupSuperPassword=fu.1u3wk4;"
it is possible to bypass the remote access restrictions and use the "local" UI.

2. Once the "access restrictions" are bypassed, it is possible to enable normal remote access. It is also possible to reset the admin password by setting a JavaScript variable in adminPwd.js (variable name j in the version we had available) to 1 using JS debugging. This disables the security check that asks for the prior password.
This feature is obviously an educational tool to acquaint children with the browser debug console.

3. The URL <EVC300 IP>/monitor/monitor.jpg is accessible regardless of authentication status, and shows a low-resolution image of the monitor the device is connected to, or of the camera, depending on device status.
Older versions of the firmware used the URL "rimg/monitor.jpg".

4. The device has an SSH daemon (dropbear; others on other devices) listening on ports 1587, 1588 and 1589.
It also has a hardcoded account avermediainfo with password avi2008 that has root privileges on the device.

1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)
1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)

5. By accessing the device over SSH, one can read the file /mnt/others/var/Olympus/Athena.ini, where the administrator password is stored in clear text ("1234" is the default password):
Password="*****"
PPPoEPassword="aver"
SIPTerminalPassword=""
SIPServerPasswordOn=Y
SIPServerPassword="1234"
IwbPw="1234"
AccessCode="1234"
RegGatekeeperPwd=""
This is very convenient in case one forgot the administrator password and does not want to bother with the JS console.

6. As of the time of writing this, the above features can be enjoyed at the site vcdemo.aver.com (61.219.195.10), as well as several other IP addresses in the same range, such as 61.219.195.23.
Additional edutainment endpoints can be found by using Nmap, or, for example, by using censys.io to search on the HTML title (services.http.response.html_title="Video Conference"), and then checking the resulting IP addresses.
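
For owners of these devices, the cookie names from item 1, the snapshot URLs from item 3 and the SSH ports from item 4 can be turned into a log check. The following is an added example, not part of the original advisory; it assumes a proxy or firewall in front of the device that writes one JSON record per line with the hypothetical fields src, dst_port, path and cookie.

```python
import json

# Indicators taken from the advisory above; only names, ports and paths are
# matched, never the secret values themselves.
BACKDOOR_COOKIES = {"VnsSuperPassword", "CupSuperPassword"}
SNAPSHOT_PATHS = {"/monitor/monitor.jpg", "/rimg/monitor.jpg"}
HIDDEN_SSH_PORTS = {1587, 1588, 1589}


def classify(event):
    """Return the advisory indicators matched by one connection/request event."""
    hits = []
    if event.get("dst_port") in HIDDEN_SSH_PORTS:
        hits.append("ssh-on-hidden-port")
    # Cookie header: "name=value; name=value". Compare names only, so the rule
    # still fires if a later firmware changes the values.
    cookie = event.get("cookie") or ""
    names = {part.split("=", 1)[0].strip() for part in cookie.split(";")}
    if names & BACKDOOR_COOKIES:
        hits.append("local-ui-cookie")
    # Strip the query string before comparing the path.
    path = (event.get("path") or "").split("?", 1)[0]
    if path in SNAPSHOT_PATHS:
        hits.append("snapshot-request")
    return hits


def scan(lines):
    """Return [(source address, indicators)] for every matching log line."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip, keep scanning
        if isinstance(event, dict) and classify(event):
            findings.append((event.get("src"), classify(event)))
    return findings


# Constructed sample events (documentation address ranges, placeholder values).
SAMPLE_LOG = """\
{"src": "198.51.100.7", "dst_port": 80, "path": "/", "cookie": "lang=en; VnsSuperPassword=<value>; CupSuperPassword=<value>"}
{"src": "203.0.113.9", "dst_port": 80, "path": "/monitor/monitor.jpg?t=1", "cookie": ""}
{"src": "203.0.113.9", "dst_port": 1588}
{"src": "192.0.2.44", "dst_port": 80, "path": "/index.html", "cookie": "lang=en"}
not a json record
"""

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG.splitlines()):
        print(src, ",".join(hits))
```

Any hit from outside the management network is worth following up, since the advisory describes all three as reachable without authentication.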

