COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure

Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure
Advisory ID: ZSL-2021-5665
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 15.08.2021
Summary
COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.
Description
The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to obtain the RTSP credentials in plain text.
Vendor
COMMAX Co., Ltd. - https://www.commax.com
Affected Version
N/A
Tested On
GoAhead-Webs
Vendor Status
[02.08.2021] Vulnerability discovered.
[03.08.2021] Vendor contacted.
[04.08.2021] Vendor contacted.
[05.08.2021] No response from the vendor.
[06.08.2021] Vendor contacted.
[14.08.2021] No response from the vendor.
[15.08.2021] Public security advisory released.
PoC
commax_cctvcreds.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php
[2] https://www.exploit-db.com/exploits/50208
[3] https://packetstormsecurity.com/files/163849
[4] https://cxsecurity.com/issue/WLB-2021080065
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/207571
Changelog
[15.08.2021] - Initial release
[23.08.2021] - Added references [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk