[FD] Aver EVC300 and others
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Aver EVC300 and others
- From: protostsu via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Mon, 20 Dec 2021 05:33:50 +0000
Firmware for Aver EVC300 (multipoint video conferencing system) v00.10.16.36
and others (as well as firmware for several other devices manufactured by Aver,
potentially all multipoint video conferencing systems) contains multiple
advanced features that are not well documented:
1. The web admin server continues to run even if the web administration is
disabled. The check for whether access is local to the device or remote is done in
JavaScript using a specific cookie.
By setting the cookie as follows during page load:
document.cookie="VnsSuperPassword=#qC9,kD:;CupSuperPassword=fu.1u3wk4;"
it is possible to bypass the remote access restrictions, and use "local" UI.
2. Once the "access restrictions" are bypassed, it is possible to enable normal
remote access. It is also possible to reset the admin password by setting
a JavaScript variable in adminPwd.js (variable name j in the version we had
available) to 1 using JS debugging. This disables the security check asking to
enter the prior password.
This feature is obviously an educational tool to acquaint children with browser
debug console.
3. The URL <EVC300 IP>/monitor/monitor.jpg is accessible regardless of
authentication status, and shows a low-resolution image of the monitor the device is
connected to, or of the camera, depending on device status.
Older versions of the firmware used the URL "rimg/monitor.jpg".
4. The device has an SSH daemon (dropbear; others on other devices) listening on ports
1587, 1588 and 1589.
It also has a hardcoded account avermediainfo with password avi2008 that has
root privileges on the device.
1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)
1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)
5. By accessing the device over SSH, one can read the file
/mnt/others/var/Olympus/Athena.ini, where the administrator password is stored in
clear text ("1234" is the default password):
Password="*****"
PPPoEPassword="aver"
SIPTerminalPassword=""
SIPServerPasswordOn=Y
SIPServerPassword="1234"
IwbPw="1234"
AccessCode="1234"
RegGatekeeperPwd=""
This is very convenient in case one has forgotten the administrator password and does not
want to bother with the JS console.
6. As of the time of writing this, the above features can be enjoyed at the
site vcdemo.aver.com (61.219.195.10), as well as several other IP addresses in
the same range, such as 61.219.195.23.
Additional edutainment endpoints can be found by using Nmap, or, for example,
by using censys.io to search HTML title
(services.http.response.html_title="Video Conference"), and then checking
resulting IP addresses.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/