The flaws, uncovered by a researcher going by the name of someLuser, affect the Ray Sharp DVR platform, as well as rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos and J2000. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras.
someLuser's blog post includes a script for obtaining the clear-text passwords as well as a standalone exploit that yields a remote root shell on any vulnerable device. Security firm Rapid7 also found that the vulnerabilities allow for unauthenticated access to the device configuration, which includes the clear-text usernames and passwords that, once obtained, can be used to execute arbitrary system commands as root through a secondary flaw in the web interface.
Hackers making use of an exploit could not only gain access to what the camera sees, but also remotely control it, including pausing, rewinding and fast-forwarding the feed, or turning it off entirely (helpful for robbers, say, or international espionage rings).
“These types of flaws are common in embedded appliances, but the impact is limited by firewalls and other forms of network access control,” said CTO and founder of Metasploit, HD Moore, in the blog post. “A vulnerable DVR that is protected by the corporate firewall is not much of a risk for most organizations. In this case, however, the situation is substantially worse.”
The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the internet if a UPnP-compatible router is responsible for network address translation (NAT) on the network. Many home and small office routers enable UPnP by default.
“This has the effect of exposing tens of thousands of vulnerable DVRs to the internet,” Moore said.
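To check whether UPnP has opened a path from the internet to a DVR on your own network, you can audit the router's port-mapping table. The following is an added example, not code from the article, Rapid7 or someLuser: it parses responses to the UPnP IGD GetGenericPortMappingEntry action and reports enabled mappings that forward to a watched internal address. The responses, addresses, ports and descriptions are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Shape of a WANIPConnection GetGenericPortMappingEntry response (UPnP IGD).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost>{remote}</NewRemoteHost>'
    '<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
    '<NewInternalPort>{internal}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>{on}</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

# Constructed sample data: every address, port and description is invented.
SAMPLE_RESPONSES = [
    TEMPLATE.format(remote="", ext=8080, proto="TCP", internal=80,
                    client="192.168.1.50", on=1, desc="dvr-web"),
    TEMPLATE.format(remote="", ext=51413, proto="UDP", internal=51413,
                    client="192.168.1.20", on=1, desc="p2p"),
    TEMPLATE.format(remote="", ext=9001, proto="TCP", internal=9001,
                    client="192.168.1.50", on=0, desc="dvr-old"),
]

def parse_mapping(soap_xml):
    """Return the New* fields of one response as a dict keyed without 'New'."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if tag.startswith("New"):
            entry[tag[3:]] = (el.text or "").strip()
    return entry

def exposed_mappings(responses, watched_hosts):
    """Enabled mappings that forward internet traffic to a watched LAN host."""
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        if m.get("Enabled") == "1" and m.get("InternalClient") in watched_hosts:
            # An empty RemoteHost is a wildcard: any internet source may connect.
            m["AnySource"] = m.get("RemoteHost", "") == ""
            findings.append(m)
    return findings

if __name__ == "__main__":
    for f in exposed_mappings(SAMPLE_RESPONSES, {"192.168.1.50"}):
        print(f["Protocol"], f["ExternalPort"], "->",
              f["InternalClient"] + ":" + f["InternalPort"], f["AnySource"])
```

Any finding for the DVR's address means the device is reachable from outside the NAT; disabling UPnP on the router or on the DVR removes the automatic mapping.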