Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit

Title: Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
Advisory ID: ZSL-2020-5613
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 24.12.2020
Summary
Arteco DVR/NVR is a mountable industrial surveillance server for managing IP video surveillance, designed for medium to large installations that require high performance and reliability. Arteco can handle IP video sources from all major international manufacturers and is compatible with ONVIF and RTSP devices.
Description
The session identifier carried in the 'SessionId' cookie is of insufficient length and can be guessed by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and view the live camera stream.
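The weakness described above is a session identifier whose search space is small enough to enumerate. The following is an added illustration of the corresponding mitigation and detection on the server side; it is not the advisory's PoC and not Arteco's code, and the Arteco session format is not described on this page. It assumes a generic web application session store, uses a CSPRNG-backed identifier of 256 bits, expires idle sessions, and counts lookups that present an unknown 'SessionId' per source address so that a guessing campaign can be alerted on. The entropy_bits helper shows why length matters: a 6-digit numeric identifier offers roughly 20 bits of search space, while a 43-character URL-safe base64 token offers 258. All names, thresholds and addresses are constructed for the example.

```python
import math
import secrets
import time
from collections import defaultdict, deque

SESSION_ID_BYTES = 32            # 256 bits drawn from the OS CSPRNG via `secrets`
SESSION_TTL_SECONDS = 15 * 60    # idle timeout; a guessed ID also dies with it
MISS_WINDOW_SECONDS = 60         # sliding window for unknown-SessionId lookups
MISS_ALERT_THRESHOLD = 20        # misses per source per window that raise an alert


def entropy_bits(alphabet_size, length):
    """Search-space size, in bits, of an identifier made of `length` symbols
    drawn uniformly from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


class SessionStore:
    """In-memory session store (example only) with unguessable IDs, idle
    expiry, and a per-source counter of lookups that presented an unknown ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}                 # session_id -> (user, expires_at)
        self._misses = defaultdict(deque)   # source -> timestamps of unknown-ID lookups

    def create(self, user):
        # token_urlsafe(32) yields 43 URL-safe base64 characters, ~256 bits of entropy.
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = (user, self._clock() + SESSION_TTL_SECONDS)
        return session_id

    def lookup(self, session_id, source):
        """Return the user for a valid cookie value, or None. Every miss
        (unknown or expired ID) is recorded against the requesting source."""
        now = self._clock()
        entry = self._sessions.get(session_id)
        if entry is None:
            self._record_miss(source, now)
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]
            self._record_miss(source, now)
            return None
        # Sliding expiry: activity extends the session, idleness ends it.
        self._sessions[session_id] = (user, now + SESSION_TTL_SECONDS)
        return user

    def _record_miss(self, source, now):
        misses = self._misses[source]
        misses.append(now)
        self._prune(misses, now)

    @staticmethod
    def _prune(misses, now):
        while misses and now - misses[0] > MISS_WINDOW_SECONDS:
            misses.popleft()

    def brute_force_suspects(self):
        """Sources that presented at least MISS_ALERT_THRESHOLD unknown or
        expired session IDs within the current window."""
        now = self._clock()
        suspects = []
        for source, misses in self._misses.items():
            self._prune(misses, now)
            if len(misses) >= MISS_ALERT_THRESHOLD:
                suspects.append(source)
        return suspects


if __name__ == "__main__":
    # Constructed demonstration: one legitimate client, one guessing client.
    store = SessionStore()
    sid = store.create("operator")
    print("legitimate lookup:", store.lookup(sid, "192.0.2.10"))
    for i in range(MISS_ALERT_THRESHOLD):
        store.lookup("constructed-guess-%d" % i, "192.0.2.99")
    print("suspects:", store.brute_force_suspects())
    print("6-digit numeric ID: %.1f bits" % entropy_bits(10, 6))
    print("43-char urlsafe token: %.0f bits" % entropy_bits(64, 43))
```

In a real deployment the miss counter would live in the web server or WAF logs rather than in process memory, and the alert would feed the SIEM; the point is that a short identifier leaves nothing to detect with except volume, whereas a long random one makes the enumeration infeasible in the first place.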
Vendor
Arteco S.U.R.L. - https://www.arteco-global.com
Affected Version
N/A
Tested On
Microsoft Windows 10 Enterprise
Apache/2.4.39 (Win64) OpenSSL/1.0.2s
Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
Arteco-Server
Vendor Status
[16.11.2020] Vulnerability discovered.
[10.12.2020] Vendor contacted.
[23.12.2020] No response from the vendor.
[24.12.2020] Public security advisory released.
PoC
arteco_session.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/160718
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/193750
[3] https://cxsecurity.com/issue/WLB-2020120170
[4] https://www.exploit-db.com/exploits/49348
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/194139
Changelog
[24.12.2020] - Initial release
[27.12.2020] - Added reference [1], [2] and [3]
[05.01.2021] - Added reference [4]
[22.01.2021] - Added reference [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk