
Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit

Medium
Advisory ID: ZSL-2020-5613
Release Date: 24 December 2020
Vendor:
Affected Version: N/A
Tested On: Microsoft Windows 10 Enterprise, Apache/2.4.39 (Win64) OpenSSL/1.0.2s, Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m, Arteco-Server
Summary

Arteco DVR/NVR is a mountable industrial surveillance server for managing IP video surveillance, designed for medium to large installations that require high performance and reliability. Arteco can handle IP video sources from all major international manufacturers and is compatible with ONVIF and RTSP devices.

Description

The session identifier carried in the 'SessionId' cookie is of insufficient length and can be guessed by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and disclose the live camera stream.
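The weakness described above is a matter of arithmetic: the number of guesses needed to land on a live session is bounded by the identifier's entropy, divided by the number of sessions currently valid. The following is an added example (not part of the advisory and not Arteco's code) that a defender can use to judge whether a product's session identifier format is adequate, and that shows the replacement a developer should use. The six-digit numeric identifier is a constructed stand-in for a "too short" token; the advisory does not state Arteco's actual format. The 64-bit floor is the minimum OWASP's Session Management guidance recommends.

```python
import base64
import math
import secrets
import string

# Constructed illustration of a weak format (hypothetical, not Arteco's):
# a six-digit, purely numeric session identifier.
WEAK_ALPHABET = string.digits
WEAK_LENGTH = 6

# Minimum entropy a session identifier should carry (OWASP guidance).
MIN_ENTROPY_BITS = 64


def session_id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of an identifier of `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` symbols (assumes a uniform generator)."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float, active_sessions: int = 1) -> float:
    """Expected number of guesses before hitting *some* valid session.
    With N live sessions the search space is effectively divided by N,
    and on average half of it is searched: 2^bits / (2 * N)."""
    return (2 ** entropy_bits) / (2 * active_sessions)


def hours_at_rate(guesses: float, guesses_per_second: float) -> float:
    """Wall-clock hours the expected guess count represents at a given
    request rate; useful for rating severity and for tuning rate limits."""
    return guesses / guesses_per_second / 3600


def meets_minimum(alphabet_size: int, length: int) -> bool:
    """True if the format carries at least MIN_ENTROPY_BITS of entropy."""
    return session_id_entropy_bits(alphabet_size, length) >= MIN_ENTROPY_BITS


def generate_session_id(nbytes: int = 16) -> str:
    """Cryptographically random, URL-safe session identifier of nbytes * 8 bits.
    16 bytes gives 128 bits, comfortably above the 64-bit floor."""
    return secrets.token_urlsafe(nbytes)


def decoded_byte_length(token: str) -> int:
    """Number of random bytes behind a URL-safe base64 token, so an auditor
    can check a cookie value's size without knowing the generator."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    weak_bits = session_id_entropy_bits(len(WEAK_ALPHABET), WEAK_LENGTH)
    print(f"weak format: {weak_bits:.1f} bits, adequate={meets_minimum(10, 6)}")
    print(f"expected guesses (1 live session): {expected_guesses(weak_bits):.0f}")
    print(f"hours at 100 req/s: {hours_at_rate(expected_guesses(weak_bits), 100):.2f}")
    strong = generate_session_id()
    print(f"replacement token: {strong} ({decoded_byte_length(strong) * 8} bits)")
```

The entropy figure only holds when the generator is uniform and unpredictable; a 128-bit value produced by a seeded PRNG or derived from a timestamp is no better than the weak case. On the detection side, the same arithmetic says a brute-force attempt against a short identifier needs hundreds of thousands of requests, so a high rate of requests carrying unknown `SessionId` values from one source is the signal to alert on, and per-source rate limiting on session validation failures raises the cost accordingly.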

Proof of Concept

Disclosure Timeline

16.11.2020: Vulnerability discovered.
10.12.2020: Vendor contacted.
23.12.2020: No response from the vendor.
24.12.2020: Public security advisory released.
Credits

Vulnerability discovered by Gjoko Krstic

References

Changelog

24.12.2020: Initial release
27.12.2020: Added references [1], [2] and [3]
05.01.2021: Added reference [4]
22.01.2021: Added reference [5]
24.03.2026: Added reference [6]