Bugtraq: [SECURITY] Lorex ECO DVR Hard coded password

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

1. ADVISORY INFORMATION

=======================

Product: Lorex ECO DVR

Vendor URL: http://ift.tt/1snDV0W

Type: Hard coded password [CWE-259]

Date found: 2016-05-04

Date published: 2016-05-30

CVE: -

2. CREDITS

==========

This vulnerability was discovered and researched by Andrew Hofmans. http://ift.tt/1U8jf3p

3. VERSIONS AFFECTED

====================

Vulnerability successfully tested on Lorex LH162400 DVR firmware (V5.2.0-20141008) using Lorex Stratus Client and Lorex ECO Stratus Android app. Vulnerability may be present on other DVRs that are able to be accessed via Lorex's Stratus Client, and Lorex ECO Stratus Android app. Affected DVRs likely include the vendors and versions listed specifically in the code.

4. INTRODUCTION

===============

LOREX provides businesses and consumers with professional-grade DIY video surveillance systems and plug and play wireless video monitoring solutions.

(from the vendor's homepage)

5. VULNERABILITY DETAILS

========================

Remote access to the device is possible using Lorex's Stratus Client which is downloadable from the vendor. User is prompted for IP, username/password, and port. DVRs are easily identified on a LAN using normal port scanning and enumeration. Default username and password is admin:000000 (from manufacturer manual). On first login admin user is prompted to change password. No matter what the password is or what it is changed to the "SuperPassword" grants admin access to the device.

The following Proof-of-Concept is found in plaintext in the [installation directory]\new-trunk\js\main.js :

function CheckPassword(){};

$(function(){

$("#btn_reboot_ok").click(function(){

var SuperPassword;

if(gDvr.nMainType == 0x52530003 || (gDvr.nMainType == 0x52530002 && gDvr.nSubType == 0x50100) || (gDvr.nMainType == 0x52530000 && gDvr.nSubType == 0x60300)){

SuperPassword = "130901";

}else{

SuperPassword = "070901";

}

if(lgCls.version == "SWANN"){

SuperPassword = "479266";

}else if(lgCls.version == "PROTECTRON"){

SuperPassword = "Ab9842";

}

if($("#reboot_input").val() == gVar.passwd || $("#reboot_input").val() == SuperPassword){

MasklayerHide();

$("#reboot_prompt").css("display","none");

CheckPassword();

}

6. RISK

=======

To successfully exploit this vulnerability an attacker must have remote access to the DVR over port 9000. Attacker can use Lorex's Stratus Client and use the hardcoded admin password for specific vendor and model.

The vulnerability allows remote attackers full administrative access to the device.

7. SOLUTION

===========

Prevent remote access to port 9000 at the firewall. Segregate DVR from normal LAN to limited access internal LAN segment / VLAN.

8. REPORT TIMELINE

==================

2016-05-04: Discovery of the vulnerability

2016-05-05: Informed applicable Vendors

2016-05-05: Submitted vulnerability to US-CERT

2016-05-05: Response from US-CERT informing similar vulnerability was previously reported which vendor ignored. No further attempts will be made.

2016-05-16: Response from Swann

2016-05-30: Advisory released

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

iQIcBAEBCAAGBQJXTIM3AAoJEMRLVTzPHmJSPokQAILGTd4y/q7iyK5w0+uaTh92

0L/FjvEPTs9D1OV82EWjskjzGUKi85R+irG5JYm2TP67km9LSDGu0+4zUPBHP+I9

CCmXgs4ZidW38lhkuauggZaBwUcaED+Ws8yUTqHeaj3q1E9X2UFKbalxbwHE0mI0

6QouLMrKGL8n/qRJfRfp6i7oAeyxrMHC2Aqsd98V5OGeC9/xCQlhMPwTxLCb/P5p

M5qQH5uaxb552KugUodwVhad+qnH4BTvs43pzEl7F9IekmPILqfRNm9I+c3IToIz

E8nRlTHJumlhkj35McWp63d5UWvHseFpK36Ej37F5fBFb5QQHSISpqzp3g1X1zTB

a4ZSGBE6sgYwfi1auw+LglC0MVDz7Opi1jsogqwHRfvEqNKE7R1yhlzMt1hjEFP3

6MqhVS9itr1VjuuS00tjBIEAZ3bJ1r7YF/nUmlzq9NdoD9AEkIOC6+ahybURmJDv

UN1d1t+koHtouVISzWzcRmQw3zID1HxEg55uPnmxuz0Q0fuYUdHAVq7kzMJXJwX5

FpUhYePnYfXO8C3dUnxfHEhb3Fp4q03f0Kvb/6oI2VO3RoX178dApLXaMOi9Dihv

jLwrJOHNfPcn4Q2DnHVoADfQjEQGdt2a4ukvF1EOw/A20ACE1wjEnRG3mGj3NFFR

zUhFAVtD+uJ2gPlOCiip

=NH0s

-----END PGP SIGNATURE-----

[ reply ]


from SecurityFocus Vulnerabilities http://ift.tt/1THsTdA