Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SerVision HVG - Hardcoded password

From: Richard Tafoya <richroc17 () gmail com>
Date: Sat, 6 Feb 2016 08:16:57 -0700
Hello...

Over a year ago I disclosed several vulnerabilities in Servision HVG network video recording devices. CVE-2015-0929 and 
CVE-2015-0930.
https://www.kb.cert.org/vuls/id/522460

Since it's been a while now, and hardcoded backdoor passwords in "security" devices are the current hotness...

Hardcoded Backdoor Password: A hardcoded backdoor password has been discovered in SerVision HVG firmware below version 
2.2.26a100.
An unauthenticated user may visit the servision Web GUI Login (http://<Servision_IP>:port/) and utilize the password 
"Bantham" (without the quotes) with a blank username (or any username) to log into the Web GUI with "admin" like 
rights. This user account can then perform actions such as deleting all of the recorded video or making a settings 
change that would essentially tell the device to wait up to 11 days after startup to turn on the network interface 
(effective DoS for video recording), additionally you can view the user list and their passwords in cleartext (view 
source on the user list page.)
How it was discovered: The firmware tvx file was viewed via a hex editor and all hex characters were converted to 
ASCII. All 5-10 character ASCII strings from the firmware file were pulled out and used in a password brute force 
attack against the usernames “Administrator, Admin, and root” on the servision test device. This password worked on all 
three accounts, even though the “admin” account had a different password set and the other two users did not even exist 
on the device. I attempted to login with this password and a blank username and that also allowed access into the 
device.
How to find servisions on the internet: 
Default http Port = 10000 or 9988 
The "Server:" header in an HTTP GET response from the device will have a value similar to the below examples.
Examples: 
Server:2.2.23a65/8848(2.1) Server:2.2.23a65/8848(2.2) Server:2.2.23a65/8847(2.1) Server:2.2.23a65/8847(2.2)



Regards,
Rich

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: