Last month, Argentinian security researcher Ezequiel Fernandez published CVE-2018-9995, a vulnerability he discovered in dozens of brands of DVR that are all based on the same white-label devices, TBK's DVR4104 and DVR4216.
With CVE-2018-9995, all you need to do is hit the URL for the embedded web-server that controls the device with this cookie header: "Cookie: uid=admin". The DVR then returns the root login and password in the clear. 55,000 devices with this vulnerability have been indexed by the Shodan search engine.
Fernandez has released a proof-of-concept exploit for the vulnerability, called getDVR_Credentials; it's so simple that it fits in a tweet: curl "http://{DVR_HOST_IP}:{PORT}/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
The DVRs are typically connected to home or business security cameras. Compromising a DVR can give attackers access to live feeds from all the cameras they're connected to.
"Usage of the PoC code can be easily identified as it uses a mock user-agent with the [misspelled] terms of 'Morzilla' and 'Pinux x86_128' instead of Mozilla and Linux x86_128," Anubhav pointed out.
"However, attackers with a basic skillset can change the script for their own usage, as the exploit is fairly straightforward to understand," Anubhav said, referring to the fact that attackers can modify the user-agent string and other constants present in the script.
Nonetheless, companies can still detect attempts to access /login.rsp or /device.rsp URL paths and block those, allowing access to the DVR's management interface only for trusted IPs.
"With the code being made public, the question is not about whether the vulnerable devices will be compromised, it is more in the lines of how soon the attackers will pick up on it," Anubhav warned.
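One way to do the detection described above, as an added example that is not part of the original article or the PoC: a Python check over access logs from a reverse proxy in front of the DVR. The log format (combined format with the Cookie header appended), the trusted network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only network allowed to reach the DVR management interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WATCHED_PATHS = {"/device.rsp", "/login.rsp"}    # paths named in the article
POC_UA_MARKERS = ("Morzilla", "Pinux x86_128")   # typos in the PoC's user-agent

# Assumed format: combined access log with the Cookie header as a final quoted field.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2018:10:00:01 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 512 "-" "Morzilla/5.0 (Pinux x86_128)" "uid=admin"',
    '10.20.0.15 - - [02/May/2018:10:02:10 +0000] "GET /login.rsp HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
    '198.51.100.23 - - [02/May/2018:10:05:44 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 512 "-" "curl/7.58.0" "uid=admin"',
    '198.51.100.23 - - [02/May/2018:10:05:50 +0000] "GET /index.html HTTP/1.1" 200 120 "-" "curl/7.58.0" "-"',
]

def classify(line):
    """Return a finding dict for a suspicious request to a watched path, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path.lower()
    if path not in WATCHED_PATHS:
        return None
    try:
        trusted = any(ipaddress.ip_address(m["src"]) in n for n in TRUSTED_NETS)
    except ValueError:
        trusted = False  # an unparseable source is treated as untrusted
    reasons = []
    if not trusted:
        reasons.append("untrusted-source")
    if "uid=admin" in {c.strip().lower() for c in m["cookie"].split(";")}:
        reasons.append("uid-admin-cookie")
    if any(marker in m["ua"] for marker in POC_UA_MARKERS):
        reasons.append("poc-user-agent")
    if not reasons:
        return None
    return {"src": m["src"], "path": path, "status": int(m["status"]), "reasons": reasons}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [finding for finding in map(classify, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the user-agent is trivially changed, the source-address and cookie checks are the ones that keep working against a modified script; a 200 status on a flagged request to /device.rsp means the credentials should be treated as exposed.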
New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds [Catalin Cimpanu/Bleeping Computer]
(via /.)