Samsung DVR vulnerability

Samsung provides a wide range of DVR products, all working with nearly the same firmware. The vulnerabile firmware, version <= 1.10, it’s a Linux embedded system that expose a web interface through the lighttpd webserver and CGI pages.

The authenticated session is tracked using two cookies, called DATA1 and DATA2, containing respectively the base64 encoded username and password. So, the first advise for the developers is to don’t put the user credentials into the cookies!

Anyway, the critical vulnerability is that in most of the CGI, the session check is made in a wrong way, which allows to access protected pages simply putting an arbitrary cookie into the HTTP request. Yes, that’s all.

This vulnerability allows remote unauthenticated users to:

Get/set/delete username/password of local users (/cgi-bin/setup_user)
Get/set DVR/Camera general configuration
Get info about the device/storage
Get/set the NTP server
Get/set many other settings

Vulnerables CGIs:

/cgi-bin/camera_privacy_area
/cgi-bin/dev_camera
/cgi-bin/dev_devinfo
/cgi-bin/dev_devinfo2
/cgi-bin/dev_hddalarm
/cgi-bin/dev_modechange
/cgi-bin/dev_monitor
/cgi-bin/dev_pos
/cgi-bin/dev_ptz
/cgi-bin/dev_remote
/cgi-bin/dev_spotout
/cgi-bin/event_alarmsched
/cgi-bin/event_motion_area
/cgi-bin/event_motiondetect
/cgi-bin/event_sensordetect
/cgi-bin/event_tamper
/cgi-bin/event_vldetect
/cgi-bin/net_callback
/cgi-bin/net_connmode
/cgi-bin/net_ddns
/cgi-bin/net_event
/cgi-bin/net_group
/cgi-bin/net_imagetrans
/cgi-bin/net_recipient
/cgi-bin/net_server
/cgi-bin/net_snmp
/cgi-bin/net_transprotocol
/cgi-bin/net_user
/cgi-bin/rec_event
/cgi-bin/rec_eventrecduration
/cgi-bin/rec_normal
/cgi-bin/rec_recopt
/cgi-bin/rec_recsched
/cgi-bin/restart_page
/cgi-bin/setup_admin_setup
/cgi-bin/setup_datetimelang
/cgi-bin/setup_group
/cgi-bin/setup_holiday
/cgi-bin/setup_ntp
/cgi-bin/setup_systeminfo
/cgi-bin/setup_user
/cgi-bin/setup_userpwd
/cgi-bin/webviewer

PoC exploit to list device users and password here