Avtech devices multiple vulnerabilities

Updates to the original advisory

SEARCH-LAB published the following advisory about Avtech devices multiple vulnerabilities on 11th October 2016.

Following the publication of the advisory several actions have been made to remediate the case:

2016.10.14: AVTECH made contact with SEARCH-LAB and asked for suggestions how to mitigate the found vulnerabilities
2016.10.28: AVTECH and SEARCH-LAB signed a Non-Disclosure Agreement to clarify the conditions of further information disclosure
2016.10.28: SEARCH-LAB removed the proof-of-concept video in order to make it harder for adversaries to exploit the published vulnerabilities
2016.01.09: AVTECH released several firmware updates for the affected devices
2017.01.25: AVTECH asked SEARCH-LAB to double-check whether the fixes duly solved the reported issues
2017.03.03: SEARCH-LAB sent a detailed report to AVTECH
2017.03.21: Publication of this update. AVTECH and SEARCH-LAB are working together to improve the security of AVTECH devices.

Platforms / Firmware confirmed affected:

Every Avtech device (IP camera, NVR, DVR) and firmware version. [2] contains the list of confirmed firmware versions, which are affected.
Product page: http://www.avtech.com.tw/

“AVTECH, founded in 1996, is one of the world’s leading CCTV manufacturers. With stably increasing revenue and practical business running philosophy, AVTECH has been ranked as the largest public-listed company among the Taiwan surveillance industry. AVTECH makes every effort on the innovation of technology, product and implementation. Based on years of research and industry experience, AVTECH has obtained a leading position on mobile platform support and provides a full range of surveillance products.”

Vulnerabilities

1) Plaintext storage of administrative password

2) Missing CSRF protection

3) Unauthenticated information disclosure

4) Unauthenticated SSRF in DVR devices

5) Unauthenticated command injection in DVR devices

6) Authentication bypass #1

7) Authentication bypass #2

8) Unauthenticated file download from web root

9) Login captcha bypass #1

10) Login captcha bypass #2

11) Authenticated command injection

12) Authenticated command injection

13) Authenticated command injection

14) HTTPS used without certificate verification

Timeline

2015.10.19: First attempt to contact with Avtech, but we did not receive any response
2016.05.24: Second attempt to contact Avtech without any response
2016.05.27: Third attempt to contact Avtech by sending e-mail to public Avtech e-mail addresses. We did not receive any response.
2016.09.10: Forth attempt to contact Avtech without any response
2016.10.11: Full disclosure

Recommendations

Please consult AVTech homepage for firmware updates meanwhile you should take the following steps to protect your device:

Change the default admin password
Operate your devices behind a firewall

Credits

These vulnerabilities were discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

References

[1] https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities

[2] vulnerability_matrix.txt

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">SEARCH-LAB published the following advisory about Avtech devices multiple vulnerabilities on 11th October 2016.</p>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Following the publication of the advisory several actions have been made to remediate the case:</p>

<li>2016.10.14: AVTECH made contact with SEARCH-LAB and asked for suggestions how to mitigate the found vulnerabilities</li>

<li>2016.10.28: AVTECH and SEARCH-LAB signed a Non-Disclosure Agreement to clarify the conditions of further information disclosure</li>

<li>2016.10.28: SEARCH-LAB removed the proof-of-concept video in order to make it harder for adversaries to exploit the published vulnerabilities</li>

<li>2016.01.09: AVTECH released several firmware updates for the affected devices</li>

<li>2017.01.25: AVTECH asked SEARCH-LAB to double-check whether the fixes duly solved the reported issues</li>

<li>2017.03.03: SEARCH-LAB sent a detailed report to AVTECH</li>

<li>2017.03.21: Publication of this update. AVTECH and SEARCH-LAB are working together to improve the security of AVTECH devices.</li>

</ul>

<h2 style="margin-top: 24px; margin-bottom: 16px; line-height: 1.25; padding-bottom: 0.3em; border-bottom: 1px solid #eeeeee; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#vulnerabilities" id="user-content-vulnerabilities" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>Platforms / Firmware confirmed affected:</h2>

<li>Every Avtech device (IP camera, NVR, DVR) and firmware version. [2] contains the list of confirmed firmware versions, which are affected.</li>

<li style="margin-top: 0.25em;">Product page: <a href="http://www.avtech.com.tw/" style="color: #4078c0; text-decoration: none;">http://www.avtech.com.tw/</a></li>

</ul>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">“AVTECH, founded in 1996, is one of the world’s leading CCTV manufacturers. With stably increasing revenue and practical business running philosophy, AVTECH has been ranked as the largest public-listed company among the Taiwan surveillance industry. AVTECH makes every effort on the innovation of technology, product and implementation. Based on years of research and industry experience, AVTECH has obtained a leading position on mobile platform support and provides a full range of surveillance products.”</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#1-plaintext-storage-of-administrative-password" id="user-content-1-plaintext-storage-of-administrative-password" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>1) Plaintext storage of administrative password</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Every user password is stored in clear text. An attacker with access to the device itself can easily obtain the full list of passwords. By exploiting command injection or authentication bypass issues, the clear text admin password can be retrieved.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#2-missing-csrf-protection" id="user-content-2-missing-csrf-protection" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>2) Missing CSRF protection</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">The web interface does not use any CSRF protection. If a valid session exists for the user, the attacker can modify all settings of the device via CSRF. If there is no valid session, but the user did not change the default admin password, the attacker can log in as admin via CSRF as well.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#3-unauthenticated-information-disclosure" id="user-content-3-unauthenticated-information-disclosure" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>3) Unauthenticated information disclosure</h3>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#4-unauthenticated-ssrf-in-dvr-devices" id="user-content-4-unauthenticated-ssrf-in-dvr-devices" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>4) Unauthenticated SSRF in DVR devices</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">In case of DVR devices, Search.cgi can be accessed without authentication. This service is responsible for searching and accessing IP cameras in the local network. In newer firmware versions, Search.cgi provides an action, which performs an HTTP request with the specified parameters. By modifying certain parameters, an attacker is able to perform arbitrary HTTP requests through the DVR device without authentication.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#5-unauthenticated-command-injection-in-dvr-devices" id="user-content-5-unauthenticated-command-injection-in-dvr-devices" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>5) Unauthenticated command injection in DVR devices</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">A certain action in Search.cgi performs HTML requests, which uses the received parameters without sanitization or verification. By exploiting this issue, an attacker can execute any system command with root privileges without authentication.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#6-authentication-bypass-1" id="user-content-6-authentication-bypass-1" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>6) Authentication bypass #1</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Video player plugins are stored in the web root, which can be accessed and downloaded without authentication.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#7-authentication-bypass-2" id="user-content-7-authentication-bypass-2" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>7) Authentication bypass #2</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Certain Cgi scripts can be accessed without authentication. If a request contains a special string, it can bypass the authentication.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#8-unauthenticated-file-download-from-web-root" id="user-content-8-unauthenticated-file-download-from-web-root" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>8) Unauthenticated file download from web root</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">By exploiting this vulnerability any file in the web root can be downloaded without authentication.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#9-login-captcha-bypass-1" id="user-content-9-login-captcha-bypass-1" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>9) Login captcha bypass #1</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">To prevent brute-forcing attempts, Avtech devices require a captcha for login requests. However, if the login requests contain a specially crafted parameter, the captcha verification is bypassed.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#10-login-captcha-bypass-2" id="user-content-10-login-captcha-bypass-2" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>10) Login captcha bypass #2</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Instead of using a random session ID, Avtech devices use the base64-encoded username and password as the Cookie value. If an attacker sets the Cookie manually, the captcha verification can by bypassed easily.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#11-authenticated-command-injection-in-cloudsetupcgi" id="user-content-11-authenticated-command-injection-in-cloudsetupcgi" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>11) Authenticated command injection</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Devices that support the Avtech cloud implement a feature that can be abused to execute arbitrary system commands with root privileges.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#12-authenticated-command-injection-in-adcommandcgi" id="user-content-12-authenticated-command-injection-in-adcommandcgi" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>12) Authenticated command injection</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Some of the Avtech devices contain a function to perform ActionD commands. This function can be accessed only after authentication. Since there is no verification or white list-based checking of the parameters of this function, an attacker can execute arbitrary system commands with root privileges.</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#13-authenticated-command-injection-in-pwdgrpcgi" id="user-content-13-authenticated-command-injection-in-pwdgrpcgi" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>13) Authenticated command injection</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">The user maintenace function uses the username, password and group parameters in a new user creation or modification request in a system command without validation or sanitization. Thus and attacker can execute arbitrary system commands with root privileges. We are aware that this vulnerability is being exploited in the wild!</p>

<h3 style="margin-top: 24px; margin-bottom: 16px; font-size: 1.25em; line-height: 1.25; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#14-https-used-without-certificate-verification" id="user-content-14-https-used-without-certificate-verification" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>14) HTTPS used without certificate verification</h3>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Several scripts use wget to access HTTPS sites, by specifying the no-check-certificate parameter. Thus wget skips server certificate verification and a MITM attack is possible against the HTTPS communication.</p>

<h2 style="margin-top: 24px; margin-bottom: 16px; line-height: 1.25; padding-bottom: 0.3em; border-bottom: 1px solid #eeeeee; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#timeline" id="user-content-timeline" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>Timeline</h2>

<li>2015.10.19: First attempt to contact with Avtech, but we did not receive any response</li>

<li style="margin-top: 0.25em;">2016.05.24: Second attempt to contact Avtech without any response</li>

<li style="margin-top: 0.25em;">2016.05.27: Third attempt to contact Avtech by sending e-mail to public Avtech e-mail addresses. We did not receive any response.</li>

<li style="margin-top: 0.25em;">2016.09.10: Forth attempt to contact Avtech without any response</li>

<li style="margin-top: 0.25em;">2016.10.11: Full disclosure</li>

</ul>

<h2 style="margin-top: 24px; margin-bottom: 16px; line-height: 1.25; padding-bottom: 0.3em; border-bottom: 1px solid #eeeeee; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#recommendations" id="user-content-recommendations" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>Recommendations</h2>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">Please consult AVTech homepage for firmware updates meanwhile you should take the following steps to protect your device:</p>

<li>Change the default admin password</li>

<li style="margin-top: 0.25em;">Operate your devices behind a firewall</li>

</ul>

<h2 style="margin-top: 24px; margin-bottom: 16px; line-height: 1.25; padding-bottom: 0.3em; border-bottom: 1px solid #eeeeee; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';"><a href="https://github.com/ebux/AVTECH#credits" id="user-content-credits" class="anchor" style="color: #4078c0; text-decoration: none; float: left; padding-right: 4px; margin-left: -20px; line-height: 1;"></a>Credits</h2>

<p style="margin-top: 0px; margin-bottom: 16px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">These vulnerabilities were discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (<a href="http://www.search-lab.hu/" style="color: #4078c0; text-decoration: none;">www.search-lab.hu</a>)</p>

<p style="margin-top: 0px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">[1] <a href="/advisories/126-avtech-devices-multiple-vulnerabilities">https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities</a></p>

<p style="margin-top: 0px; color: #333333; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px;">[2] <a href="/media/vulnerability_matrix.txt">vulnerability_matrix.txt</a></p>

Search-Lab Kft.

Avtech devices multiple vulnerabilities

Updates to the original advisory

Platforms / Firmware confirmed affected:

Vulnerabilities

1) Plaintext storage of administrative password

2) Missing CSRF protection

3) Unauthenticated information disclosure

4) Unauthenticated SSRF in DVR devices

5) Unauthenticated command injection in DVR devices

6) Authentication bypass #1

7) Authentication bypass #2

8) Unauthenticated file download from web root

9) Login captcha bypass #1

10) Login captcha bypass #2

11) Authenticated command injection

12) Authenticated command injection

13) Authenticated command injection

14) HTTPS used without certificate verification

Timeline

Recommendations

Credits

References