While exploring my network I discovered that there was a securty vulnerability with my Lorex Technology ECO DVR. After doing more research and reaching out to the vendor and US-CERT I have finally documented and disclosed my first vulnerability report. It was a great learning experience working through the process and practicing responsible disclosure. Unfortunately with cve.mitre.org changing its coverage goals it did not get a CVE identifier. I submitted my report to Bugtraq and the original can be found here or here.
ADVISORY INFORMATION
Product: Lorex Technology ECO DVR
Vendor URL: https://www.lorextechnology.com/
Type: Hard coded password [CWE-259]
Date found: 2016-05-04
Date published: 2016-05-30
CVE: -
VERSIONS AFFECTED
I have successfully tested the vulnerability on a Lorex Technology LH162400 DVR with the most current firmware (V5.2.0-20141008). I suspect that all DVRs that can utilize Lorex Stratus Client and Lorex ECO Stratus Android app will be vulnerable. Affected DVRs likely include the vendors and versions listed specifically in the code.
INTRODUCTION
LOREX provides businesses and consumers with professional-grade DIY video surveillance systems and plug and play wireless video monitoring solutions.
(from the vendor's homepage)
VULNERABILITY DETAILS
Remote access to the device is possible using Lorex's Stratus Client which is downloadable from the vendor. User is prompted for IP, username/password, and port. DVRs are easily identified on a LAN using normal port scanning and enumeration. Default username and password is admin:000000 (from manufacturer manual). On first login admin user is prompted to change password. No matter what the password is or what it is changed to the "SuperPassword" grants admin access to the device.
The following Proof-of-Concept is found in plaintext in the \installation directory\new-trunk\js\main.js :
function CheckPassword(){};
$(function(){
$("btn_reboot_ok").click(function(){
var SuperPassword;
if(gDvr.nMainType == 0x52530003 || (gDvr.nMainType == 0x52530002 &&
gDvr.nSubType == 0x50100) || (gDvr.nMainType == 0x52530000 &&
gDvr.nSubType == 0x60300)){
SuperPassword = "130901";
}else{
SuperPassword = "070901";
}
if(lgCls.version == "SWANN"){
SuperPassword = "479266";
}
else if(lgCls.version == "PROTECTRON"){
SuperPassword = "Ab9842";
}
if($("reboot_input").val() == gVar.passwd ||
$("reboot_input").val() == SuperPassword){
MasklayerHide();
$("reboot_prompt").css("display","none");
CheckPassword();
}
RISK
To successfully exploit this vulnerability an attacker must have remote access to the DVR over port 9000. Attacker can use Lorex's Stratus Client and use the hardcoded admin password for specific vendor and model.
The vulnerability allows remote attackers full administrative access to the device.
SOLUTION
To truly fix the vulnerability a fix must come from the vendor. Updated firmware is not available and when questioned the vendor does not respond. Best fix for now is to mitigate the problem. Prevent remote access to port 9000 at the firewall. Segregate DVR from normal LAN to limited access internal LAN segment / VLAN.
REPORT TIMELINE
2016-05-04: Discovery of the vulnerability
2016-05-05: Informed applicable Vendors
2016-05-05: Submitted vulnerability to US-CERT
2016-05-05: Response from US-CERT informing similar vulnerability was previously reported which vendor ignored. No further attempts will be made.
2016-05-16: Response from Swann
2016-05-30: Advisory released