CVE-2018-10734 - Information Exposure vulnerability in Kongtop products
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a backdoor that prints the login password via a Print_Password function call in certain circumstances.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 5 |
Hardware | | 5 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Seebug
bulletinFamily | exploit |
description | ### Preface In KONGTOP DVRs there is a Telnet backdoor that can lead to surveillance devices being taken over and even the internal network being compromised. Below is an analysis of this backdoor; there is nothing technically sophisticated about it. ### Vulnerability analysis The backdoor lives in the Telnetd file. Telnetd is responsible for starting telnet and providing the service. Here we can see that after the Telnet service is started it listens for user connections; if a logged-in user is idle for a long time the login times out, and then follows a series of service-preparation handler functions. ![](https://images.seebug.org/1525923987913-w331s) After we enable the Telnetd service, i.e. after telnet is turned on, the program checks whether the launcher is running on a terminal device; if so it proceeds to the next step, otherwise it exits and prints UNKNOW. ![](https://images.seebug.org/1525924005147-w331s) After passing the local environment check, the program starts extracting the user's login data and stores it in memory. ![](https://images.seebug.org/1525924017486-w331s) Once all the preliminaries are done, the program gets to the main business and enters the login routine. ![](https://images.seebug.org/1525924028861-w331s) The program begins initializing the account and password variables; function sub_12880 creates the buffer. ![](https://images.seebug.org/1525924039682-w331s) Before returning the login user data, the program does one thing: it outputs the Telnet login password. For clarity I renamed the function to Print_Password. This function is the key to the backdoor; it prints the login password. Let's step into Print_Password. ![](https://images.seebug.org/1525924051684-w331s) Inside this function there are three functions, sub_11BE8, sub_126B8 and sub_1276C, whose purpose is not obvious; let's step into sub_11BE8 first. ![](https://images.seebug.org/1525924064883-w331s) As you can see, this looks like the characteristic definition of MD5's four magic numbers; analyzing the other two functions further confirms that this is an MD5 algorithm (no screenshots for those). Finally the password is printed on the login screen. ![](https://images.seebug.org/1525924078327-w331s) At this point there is no need to trace any further. ### Exploitation After the analysis above, the whole process is now clear. Now we search in a search engine and pick an arbitrary IP to try. ![](https://images.seebug.org/1525924095357-w331s) We make a Telnet connection to the IP found, and the program directly returns a password to us; entering the password it gave lets us log in directly. ![](https://images.seebug.org/1525924109500-w331s) ### Conclusion Whether this "backdoor" was left deliberately by the vendor, or is the result of a line of code not being commented out during debugging, is unknown. What is certain is that the security risk is serious. |
id | SSV:97285 |
last seen | 2018-06-26 |
modified | 2018-05-10 |
published | 2018-05-10 |
reporter | My Seebug |
source | https://www.seebug.org/vuldb/ssvid-97285 |
title | KONGTOP DVR backdoor analysis (CVE-2018-10734) |
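The analysis above identifies sub_11BE8 as MD5 from its four magic numbers. The following script is an added example, not part of the Seebug post or of the KONGTOP firmware: it automates that triage step by scanning a binary blob for the MD5 initial state and first round constants in either byte order, and the firmware bytes it scans are a constructed sample.

```python
import struct

# MD5 initial state words (RFC 1321, section 3.3) and the first four round
# constants K[i] = floor(abs(sin(i+1)) * 2**32). The initial state is what the
# analysis recognised in sub_11BE8 as "the four magic numbers".
MD5_INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MD5_FIRST_K = (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE)


def _pack(words, endian):
    """Serialise 32-bit words as they would appear in a binary of that endianness."""
    return b"".join(struct.pack(endian + "I", w) for w in words)


def find_md5_constants(blob):
    """Return sorted (offset, endianness, label) tuples for every MD5 constant
    table found in blob. Both the 4-word initial state and the first four K[]
    round constants are searched in little- and big-endian byte order."""
    hits = []
    for label, words in (("init_state", MD5_INIT_STATE), ("round_k", MD5_FIRST_K)):
        for endian in ("<", ">"):
            needle = _pack(words, endian)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, "little" if endian == "<" else "big", label))
                start = pos + 1
    return sorted(hits)


def looks_like_md5(blob):
    """True when both the initial state and the round constants appear in the
    same byte order, which is what a real MD5 routine in the binary would contain."""
    by_endian = {}
    for _, endian, label in find_md5_constants(blob):
        by_endian.setdefault(endian, set()).add(label)
    return any(labels == {"init_state", "round_k"} for labels in by_endian.values())


# Constructed sample standing in for a firmware blob (not real KONGTOP firmware):
# padding bytes around a little-endian MD5 state table and K table.
SAMPLE_BLOB = (b"\x00" * 16 + _pack(MD5_INIT_STATE, "<") + b"\xff" * 8
               + _pack(MD5_FIRST_K, "<") + b"\x00" * 16)

if __name__ == "__main__":
    for off, endian, label in find_md5_constants(SAMPLE_BLOB):
        print(f"0x{off:08x} {endian:6s} {label}")
    print("MD5 implementation likely:", looks_like_md5(SAMPLE_BLOB))
```

Compilers often materialise these words as separate instruction immediates rather than a contiguous table, so a miss is not conclusive; a hit on both tables in one byte order is strong evidence and tells you where to start disassembling.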
References
- https://github.com/hucmosin/MyBook/blob/master/fu/DVR.pdf
- https://github.com/hucmosin/MyBook/blob/master/KONGTOP_DVR_devices_vulnerability_report-CVE-2018-10734.pdf
- https://github.com/hucmosin/Python_Small_Tool/blob/master/other/DVR_POC.py