I imagine the ActiveX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it. Strike 1. The first item I looked at was the web application that is used to view the video streams remotely and configure the device. One of the ports that it will expose is for the web (ActiveX) application and the other is the actual comms channel the device uses (port 9000). Now for the real fun. Looking at the device, the default configuration is set up to auto-magically use the power of the dark lord satan (UPnP) to map a few ports on your router (if it supports UPnP). Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :).
Raysharp dvr serial exploit password
This document was written by Garret Wassermann. Once the device is booted up in single user mode, the root password can be reset and the device can be rebooted. Credit: Thanks to Carsten Eiram of Risk Based Security for reporting these vulnerabilities.

CVSS Metrics (Group, Score, Vector)
Base, 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal, 8.5, E:POC/RL:U/RC:UR
Environmental, 6.4, CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Vendor Information
Vendors: Swann, Zhuhai RaySharp, Axis Communications, Hanwha, COP USA, CWD, KGuard Security, Konig Electronics, Lorex Corporation

If you are a vendor and your product is affected.

If your vendor does not have an updated firmware available at this time, you may consider the following mitigations:
Restrict network access: Use a firewall or similar technology to restrict access to trusted hosts, networks, and services.

The Vendor List below provides more information on each manufacturer that was reported to be vulnerable. Please contact your device manufacturer for more information.
Raysharp dvr serial exploit update
Solution
Apply an update if possible: Some vendors have released updated firmware to address this issue.

Impact
An unauthenticated remote attacker may gain root access to the device.

The reporter, Risk Based Security, has provided a security advisory with more information. Furthermore, it was previously reported publicly that many of these devices enable remote access via telnet or port 9000 by default. Remote attackers with knowledge of the password may gain root access to the device. According to the reporter, DVR devices based on the Zhuhai RaySharp firmware contain a hard-coded root password. The CERT/CC has not been able to confirm this information directly with Zhuhai RaySharp.

Description: Use of Hard-coded Password - CVE-2015-8286

Overview
Digital Video Recorders (DVRs), security cameras, and possibly other devices from multiple vendors use a firmware derived from Zhuhai RaySharp that contains a hard-coded root password.