Denver IP Camera SHO-110 – Unauthenticated Snapshot

• Exploit Database
• 37 阅读

• 作者： Ivan Nikolsky
  日期： 2021-07-29
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50162/

• # Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot
  # Date: 28 July 2021
  # Exploit Author: Ivan Nikolsky (enty8080)
  # Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826
  # Version: Denver SHO-110 (all firmware versions)
  # Tested on: Denver SHO-110
  
  Backdoor was found in a Denver SHO-110 IP Camera. Maybe other models also have this backdoor too.
  
  So, the backdoor located in the camera's second http service, allows the attacker to get a snapshot through `/snapshot` endpoint. There are two http services in camera: first - served on port 80, and it requires authentication, and the second - served on port 8001, and it does not require authentication.
  
  It's possible to write a script that will collect snapshots and add them to each other, so the attacker will be able to disclosure the camera stream.
  
  PoC:
  
  http://<host>:8001/snapshot