Last month, Argentinian security researcher Ezequiel Fernandez published CVE-2018-9995,
a vulnerability he discovered in dozens of brands of DVR that are all
based on the same white-label devices, TBK’s DVR4104 and DVR4216.
With CVE-2018-9995, all you need to do is request the URL of the embedded
web server that controls the device, sending this cookie header: “Cookie:
uid=admin”. The DVR then returns the root login and password in the
clear. 55,000 devices with this vulnerability have been indexed by the
Shodan search engine.
Fernandez has released a proof-of-concept exploit for the vulnerability, called getDVR_Credentials;
it’s so simple that it fits in a tweet: curl
The DVRs are typically connected to home or business security cameras.
Compromising a DVR can give attackers access to live feeds from all the
cameras it’s connected to.
And people wonder why my KittyCams are on their own non-internet-facing network…
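
A defender-side check for the request described above, as an added example that is not from the original post or from Fernandez's tool: it flags captured HTTP requests that carry the uid=admin cookie and come from outside a management subnet. The subnet, addresses, host name, path and the lenient cookie matching are assumptions made for illustration.

```python
import ipaddress

# Assumption: only this subnet should ever talk to the DVR's web interface.
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample capture: (source IP, raw HTTP request). Host, path and
# addresses are placeholders, not values from the advisory.
CAPTURED = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: dvr.example\r\nCookie: uid=admin\r\n\r\n"),
    ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: dvr.example\r\ncookie: lang=en;  UID = admin \r\n\r\n"),
    ("203.0.113.5", b"GET / HTTP/1.1\r\nHost: dvr.example\r\nCookie: uid=administrator\r\n\r\n"),
    ("203.0.113.9", b"GET / HTTP/1.1\r\nHost: dvr.example\r\nCookie: guid=admin\r\n\r\n"),
    ("203.0.113.20", b"GET / HTTP/1.1\r\nHost: dvr.example\r\nX-Note: Cookie: uid=admin\r\n\r\n"),
]

def cookie_pairs(raw: bytes):
    """Return (name, value) for every cookie in every Cookie header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        for item in value.split(";"):
            key, eq, val = item.partition("=")
            if eq:
                # Lenient on case, spaces and quotes (assumption: the device's
                # own parser is unknown, so the detector errs toward matching).
                pairs.append((key.strip().lower(), val.strip().strip('"')))
    return pairs

def sends_admin_uid(raw: bytes) -> bool:
    """True if the request carries the cookie uid=admin."""
    return ("uid", "admin") in cookie_pairs(raw)

def alerts(captured, trusted=MGMT_NET):
    """Request lines of uid=admin requests that come from outside `trusted`."""
    hits = []
    for src, raw in captured:
        if sends_admin_uid(raw) and ipaddress.ip_address(src) not in trusted:
            hits.append((src, raw.split(b"\r\n", 1)[0].decode("latin-1")))
    return hits

if __name__ == "__main__":
    for src, request_line in alerts(CAPTURED):
        print(f"ALERT possible CVE-2018-9995 probe from {src}: {request_line}")
```

Matching on the cookie alone will also fire on any legitimate session that happens to use the same cookie, which is why the check is paired with a source allowlist.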