COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS

High
Advisory ID
ZSL-2021-5666
Release Date
15 August 2021
Vendor
COMMAX Co., Ltd. - https://www.commax.com
Affected Version
N/A
CVE
N/A
Tested On
GoAhead-Webs
Summary

COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.

Description

The application allows an unauthenticated attacker to change the configuration of the DVR arguments and/or cause a denial-of-service scenario through the setconf endpoint.

Proof of Concept
Disclosure Timeline
02.08.2021 - Vulnerability discovered.
03.08.2021 - Vendor contacted.
04.08.2021 - Vendor contacted.
05.08.2021 - No response from the vendor.
06.08.2021 - Vendor contacted.
14.08.2021 - No response from the vendor.
15.08.2021 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.08.2021 - Initial release
23.08.2021 - Added reference [2], [3], [4] and [5]