← Advisories

COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure

Medium
Advisory ID
ZSL-2021-5665
Release Date
15 August 2021
Vendor
COMMAX Co., Ltd. - https://www.commax.com
Affected Version
N/A
CVE
N/A
Tested On
GoAhead-Webs
Summary

COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.

Description

The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose RTSP credentials in plain-text.

Proof of Concept
commax_cctvcreds.txtTXT
Disclosure Timeline
02.08.2021Vulnerability discovered.
03.08.2021Vendor contacted.
04.08.2021Vendor contacted.
05.08.2021No response from the vendor.
06.08.2021Vendor contacted.
14.08.2021No response from the vendor.
15.08.2021Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2021-5666
[2]https://www.exploit-db.com/exploits/50208
[3]https://packetstormsecurity.com/files/163849
[4]https://cxsecurity.com/issue/WLB-2021080065
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/207571
Changelog
15.08.2021Initial release
23.08.2021Added reference [2], [3], [4] and [5]