lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <062A9E9E-CEC8-40F5-B306-04232813B51C@gmail.com>
Date: Sat, 6 Feb 2016 08:16:57 -0700
From: Richard Tafoya <richroc17@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] SerVision HVG - Hardcoded password

Hello...

Over a year ago I disclosed several vulnerabilities in Servision HVG network video recording devices. CVE-2015-0929 and CVE-2015-0930.
https://www.kb.cert.org/vuls/id/522460

Since it's been a while now, and hardcoded backdoor passwords in "security" devices are the current hotness...

Hardcoded Backdoor Password: A hardcoded backdoor password has been discovered in SerVision HVG firmware below version 2.2.26a100.
An unauthenticated user may visit the servision Web GUI Login (http://<Servision_IP>:port/) and utilize the password "Bantham" (without the quotes) with a blank username (or any username) to log into the Web GUI with "admin" like rights. This user account can then perform actions such as deleting all of the recorded video or making a settings change that would essentially tell the device to wait up to 11 days after startup to turn on the network interface (effective DoS for video recording), additionally you can view the user list and their passwords in cleartext (view source on the user list page.)
How it was discovered: The firmware tvx file was viewed via a hex editor and all hex characters were converted to ASCII. All 5-10 character ASCII strings from the firmware file were pulled out and used in a password brute force attack against the usernames “Administrator, Admin, and root” on the servision test device. This password worked on all three accounts, even though the “admin” account had a different password set and the other two users did not even exist on the device. I attempted to login with this password and a blank username and that also allowed access into the device.
How to find servisions on the internet: 
Default http Port = 10000 or 9988 
The "Server:" header in an HTTP GET response from the device will have a value similar to the below examples.
Examples: 
Server:2.2.23a65/8848(2.1) Server:2.2.23a65/8848(2.2) Server:2.2.23a65/8847(2.1) Server:2.2.23a65/8847(2.2)



Regards,
Rich

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ