[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] SerVision HVG - Hardcoded password

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] SerVision HVG - Hardcoded password
From: Richard Tafoya <richroc17@xxxxxxxxx>
Date: Sat, 6 Feb 2016 08:16:57 -0700

Hello...

Over a year ago I disclosed several vulnerabilities in Servision HVG network 
video recording devices. CVE-2015-0929 and CVE-2015-0930.
https://www.kb.cert.org/vuls/id/522460

Since it's been a while now, and hardcoded backdoor passwords in "security" 
devices are the current hotness...

Hardcoded Backdoor Password: A hardcoded backdoor password has been discovered 
in SerVision HVG firmware below version 2.2.26a100.
An unauthenticated user may visit the servision Web GUI Login 
(http://<Servision_IP>:port/) and utilize the password "Bantham" (without the 
quotes) with a blank username (or any username) to log into the Web GUI with 
"admin" like rights. This user account can then perform actions such as 
deleting all of the recorded video or making a settings change that would 
essentially tell the device to wait up to 11 days after startup to turn on the 
network interface (effective DoS for video recording), additionally you can 
view the user list and their passwords in cleartext (view source on the user 
list page.)
How it was discovered: The firmware tvx file was viewed via a hex editor and 
all hex characters were converted to ASCII. All 5-10 character ASCII strings 
from the firmware file were pulled out and used in a password brute force 
attack against the usernames “Administrator, Admin, and root” on the servision 
test device. This password worked on all three accounts, even though the 
“admin” account had a different password set and the other two users did not 
even exist on the device. I attempted to login with this password and a blank 
username and that also allowed access into the device.
How to find servisions on the internet: 
Default http Port = 10000 or 9988 
The "Server:" header in an HTTP GET response from the device will have a value 
similar to the below examples.
Examples: 
Server:2.2.23a65/8848(2.1) Server:2.2.23a65/8848(2.2) 
Server:2.2.23a65/8847(2.1) Server:2.2.23a65/8847(2.2)



Regards,
Rich

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Multiple vulnerabilities in Open Real Estate v 1.15.1
Next by Date: [FD] Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege
Previous by thread: [FD] Multiple vulnerabilities in Open Real Estate v 1.15.1
Next by thread: [FD] Executable installers are vulnerable^WEVIL (case 25): WinRAR's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege
Index(es):
- Date
- Thread