← Advisories

iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure

Medium

Advisory ID

ZSL-2019-5539

Release Date

29 October 2019

Vendor

iSeeQ - http://www.iseeq.co.kr

Affected Version

WH-H4 1.03R / 2.0.0.P

CVE

CVE-2019-25236

Tested On

Boa/0.94.13, PHP/7.0.22, DVR Web Server

Summary

The 4/8/16 channel hybrid standalone DVR delivers high quality pictures which adopts high performance video processing chips and embedded Linux system. This advanced video digital platform is very useful to identify an object from a long distance.

Description

The DVR suffers from an unauthenticated and unauthorized live stream disclosure when get_jpeg script is called.

Proof of Concept

iseeq_dvrstream.shTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/155032

[2]https://www.exploit-db.com/exploits/47562

[3]https://cxsecurity.com/issue/WLB-2019100192

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/170650

[5]https://www.cve.org/CVERecord?id=CVE-2019-25236

Changelog

29.10.2019Initial release

31.10.2019Added reference [1], [2] and [3]

01.11.2019Added reference [4]

23.03.2026Added reference [5]