Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure

Title: Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
Advisory ID: ZSL-2019-5532
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 08.09.2019
Rifatron with its roots in Seoul, Korea has been supplying and servicing the security market as a leading CCTV/video surveillance security system manufacturer, specializing in stand-alone digital video recorder since 1998. We are known for marking the first standalone DVR with audio detection and 480 frames per secone(fps) and have been focusing on highend products and large projects in a variety applications and merket. These include government and public services, banking and finance, hotels and entertatinment, retail education, industrial and commercial sectors throughout Europe, Middle East, the U.S. and Asia. Based on the accumulated know-how in the security industry, Rifatron is trying its utmost for the technology development and customer satisfaction to be the best security solution company in the world.
The DVR suffers from an unauthenticated and unauthorized live stream disclosure when animate.cgi script is called through Mobile Web Viewer module.
Rifatron Co., Ltd. | SAM MYUNG Co., Ltd. - http://www.rifatron.com
Affected Version
5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
Firmware: <=8.0 (000143)
Tested On
Embedded Linux
Vendor Status
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://www.exploit-db.com/exploits/47368
[2] https://packetstormsecurity.com/files/154417
[3] https://cxsecurity.com/issue/WLB-2019090065
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/166805
[08.09.2019] - Initial release
[17.09.2019] - Added reference [1], [2], [3] and [4]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk