Last updated at Wed, thirty Aug 2017 22:01:05 GMT

On Jan 22, 2013, a researcher going by the proper noun someLuser detailed a number of security flaws in the Ray Sharp DVR platform. These DVRs are often used for closed-circuit Television (CCTV) systems and security cameras. In improver to Ray Sharp, the exposures seem to impact rebranded DVR products past Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Creation, and J2000. The vulnerabilities let for unauthenticated access to the device configuration, which includes the clear-text usernames and passwords that, once obtained, tin can be used to execute arbitrary system commands root through a secondary flaw in the spider web interface. someLuser's blog postal service includes a script for obtaining the clear-text passwords as well as a standalone exploit that yields a remote root beat on any vulnerable device.

In brusque - this provides remote, unauthorized access to security camera recording systems.

These types of flaws are common in embedded appliances, but the touch on is limited by firewalls and other forms of network admission control. A vulnerable DVR that is protected by the corporate firewall is not much of a risk for virtually organizations. In this case, however, the situation is substantially worse. The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the cyberspace if a UPnP-compatible router is responsible for network accost translation (NAT) on the network. Many home and small part routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the internet. For reference, the Ray Abrupt firmware uses the "minupnp" open source implementation to perform this port mapping.

To make up one's mind the exposure level, I worked with someLuser to determine signatures for the web interface. The ii most common models could be detected with the following signatures:

  • self.location = "webclient.html"
  • <TITLE>Web Client for DVR</TITLE>

These two signatures were matched against all HTTP services within the critical.io database. This returned over 58,000 unique IPs that were running a vulnerable DVR platform. This list covered over 150 countries, with the largest portion (~19,000) located within the United states, followed past Republic of india (~6,000), and Italia (~5,700).

Interestingly enough, the beloved firmware-modern-kit package used for router tweaks also succeeds in unpacking the firmware provided past Swann. This provides an piece of cake way to obtain the raysharp_dvr ELF image without rooting the device over the serial console. This binary implements almost all of the device'southward functionality, including everything from the web server to the CD-ROM writer based on cdrecord. In addition to being a terrible architecture, this may have inadvertent licensing implications. A quick analysis of the binary points out another feature - in order to make these systems fifty-fifty more than hackable easier to access, they can automatically register their IP with a dynamic DNS service. Based on raysharp_dvr binary, the following dynamic DNS providers are supported:

  • dyndns.org
  • bliao.com
  • lorexddns.net
  • myq-run across.com
  • ltscctv.com
  • systemport.net
  • members.3322.org
  • easterndns.com
  • newddns.com
  • nightowldvr.com
  • smartcontroldns.net
  • kguard.org
  • no-ip.com
  • freedns.agape.org
  • changeip.com
  • dnsexit.com
  • ddns.com.br
  • swanndvr.com

To brand things interesting, the user-agent sent is_ "myclient one.0 caiwang213@163.com "_ and a hard-coded credential is present within the binary, which decodes every bit:

TsnNua31U1UAAJguFeQ:6731998

This hardcoded credential seems to exist related to the freedns.agape.org service, but this could non be confirmed. The hardcoded user agent, notwithstanding, has caused concern before.

To brand matters worse, the version of OpenSSL compiled into this binary is OpenSSL 0.9.8j (07 Jan 2009), a version that is over three years old and rife with security problems.

A quick review with IDA Pro identifies a number of trivial mistakes, including unbounded strcpy() calls. One item jewel that stood out is listed below:

A Metasploit module has been added that can be used to scan for vulnerable devices.

Metasploit Pro users should click on Modules and search for raysharp_dvr_passwords. The Ray Abrupt DVR Password Retriever module should be selected. For Metasploit panel uses, enter the post-obit command to select the appropriate module:

          $ sudo -s -E # msfconsole msf> utilise auxiliary/scanner/misc/raysharp_dvr_passwords

Once the module is loaded, enter the IP or IP range that y'all would like to test:

          msf  auxiliary(raysharp_dvr_passwords) > fix RHOSTS 192.168.0.0/24 msf  auxiliary(raysharp_dvr_passwords) > set THREADS 256 msf  auxiliary(raysharp_dvr_passwords) > run  [+] 192.168.0.153:9000 (user='admin' pass='1234546') mac=00-23-63-63-63-63 version=V2.i-20110716

Want to try this out for yourself? Get your free Metasploit download at present or update your existing installation, and let us know if you lot accept any further questions.