CVE-2018-9995
Published: 2018-04-10
Priority: P1 (96) · CVSS 3.0: 9.8 critical · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: Exploited in the wild (ITW) · VulnCheck KEV · Ransomware · Initial access
EPSS: 83.15% (99.6th percentile)
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
Detection & IOCs (extracted from sources)
- Detect CVE-2018-9995 exploitation attempts by matching HTTP GET requests to /device.rsp?opt=user&cmd=list that include a Cookie header with uid=admin
- GreyNoise internal query pattern for this exploit: match packets where data contains GET /device.rsp?opt=user&cmd=list and user=admin
- Exploitation of CVE-2018-9995 returns JSON data containing user credentials (uid, pwd, role fields); monitor HTTP responses from DVR devices for JSON lists with these fields following a /device.rsp?opt=user&cmd=list request
- The vulnerability affects TBK DVR4104 and DVR4216 devices as well as multiple re-branded variants (Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, MDVR Login); detection rules should account for all affected brands
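The two indicators above (the request pattern and the credential-bearing JSON response) can be checked directly in code. The following is an added example, not code from the page or from any of the quoted sources: it parses raw HTTP request text, flags requests that match the bypass pattern (value match on the uid cookie is case-insensitive, as in the Suricata rule below), and inspects a response body for JSON objects exposing uid/pwd/role fields. The sample requests and the sample response are constructed for the demonstration; the IP address and credential values in them are placeholders.

```python
"""Detection checks for CVE-2018-9995 exploitation attempts (added example, not from the page)."""
import json
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head (request line + headers) into parts.

    Returns {"method", "path", "query": {name: [values]}, "headers": {lower-name: value}}.
    Any body is ignored: the indicator lives in the request line and headers.
    """
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    parts = lines[0].strip().split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "path": url.path,
            "query": parse_qs(url.query), "headers": headers}


def cookie_has_admin_uid(cookie_header: str) -> bool:
    """True if a cookie pair named uid carries the value admin (value compared case-insensitively)."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.strip().lower() == "uid" and value.strip().lower() == "admin":
            return True
    return False


def is_exploit_attempt(raw_request: str) -> bool:
    """Flag a request matching GET /device.rsp?opt=user&cmd=list with Cookie uid=admin."""
    try:
        req = parse_request(raw_request)
    except ValueError:
        return False
    if req["method"] != "GET" or req["path"] != "/device.rsp":
        return False
    query = req["query"]
    if query.get("opt") != ["user"] or query.get("cmd") != ["list"]:
        return False
    return cookie_has_admin_uid(req["headers"].get("cookie", ""))


def _walk(node):
    """Yield every node of a decoded JSON document, depth first."""
    yield node
    if isinstance(node, dict):
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def response_leaks_credentials(body: str) -> bool:
    """True if the body is JSON and some object in it carries uid, pwd and role fields."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return False
    return any(isinstance(n, dict) and {"uid", "pwd", "role"} <= set(n) for n in _walk(data))


def scan_requests(raw_requests):
    """Return the indexes of the requests that match the exploitation pattern."""
    return [i for i, raw in enumerate(raw_requests) if is_exploit_attempt(raw)]


# Constructed sample traffic (192.0.2.10 is a documentation address, not a real device).
SAMPLE_REQUESTS = [
    # matches the pattern exactly
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n",
    # same endpoint, uid value in a different case and other cookies present: still flagged
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: lang=en; uid=Admin\r\n\r\n",
    # same endpoint without the forged cookie: not flagged
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # forged cookie but a different command: not this pattern
    "GET /device.rsp?opt=user&cmd=add HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n",
]
# Constructed response shape with placeholder values, mirroring the uid/pwd/role fields named above.
SAMPLE_RESPONSE = json.dumps({"result": 0, "list": [{"uid": "admin", "pwd": "PLACEHOLDER", "role": 2}]})

if __name__ == "__main__":
    print("flagged request indexes:", scan_requests(SAMPLE_REQUESTS))
    print("response exposes credentials:", response_leaks_credentials(SAMPLE_RESPONSE))
```

The request check is deliberately stricter than a raw substring match: it requires the cookie to be named exactly uid, whereas a content match on "uid=admin" would also fire on a cookie such as xuid=admin. Pair the request check with the response check when reviewing proxy or packet captures from DVR segments, since a matching request followed by a JSON list carrying pwd fields is the confirmation that the bypass succeeded.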
CVSS provenance
- NVD, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-mjcj-jjh8-28r2 (ghsa_unreviewed · 2022-05-13) · CVE-2018-9995 [CRITICAL]
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
VulnCheck
tbkvision tbk-dvr4216_firmware Improper Authentication (vulncheck · 2018 · CVSS 9.8) · CVE-2018-9995 [CRITICAL]
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
Affected: tbkvision tbk-dvr4216_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.csk.gov.in/alerts/STOP_ransomware.html; https://for
Suricata
ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995) (suricata · 2019-09-09 · CVSS 9.8) · CVE-2018-9995 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/device.rsp?opt=user&cmd=list"; startswith; fast_pattern; http.cookie; content:"uid=admin"; nocase; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:5; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, cve CVE_2018_9995, deployment Perimeter, signature_severity Major, updated_at 2024_04_13;)
Exploit-DB
TBK DVR4104 / DVR4216 - Credentials Leak (exploitdb · 2018-05-02) · CVE-2018-9995
---
# -*- coding: utf-8 -*-
import json
import requests
import argparse
import tableprint as tp
class Colors:
    BLUE = '\033[94m'
    GREEN = '\033[32m'
    RED = '\033[0;31m'
    DEFAULT = '\033[0m'
    ORANGE = '\033[33m'
    WHITE = '\033[97m'
    BOLD = '\033[1m'
    BR_COLOUR = '\033[1;37;40m'
banner = '''
__..--.._
..... .--~ ..... `.
.": "`-.. . .' ..-'" :". `
` `._ ` _.'`"( `-"'`._ ' _.' '
~~~ `. ~~~
.'
/
(
^---'
[*] @capitan_alfa
'''
details = '''
# Exploit Title: DVRs; Credentials Exposed
# Date: 09/04/2018
# Exploit Author: Fernandez Ezequiel ( @capitan_alfa )
'''
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
                                 description=' [+] Obtaining Exposed credentials',
                                 epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',
                                 version="1.
Nuclei
TBK DVR4104/DVR4216 Devices - Authentication Bypass (nuclei · CVSS 9.8) · CVE-2018-9995 [CRITICAL]
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
Template:
id: CVE-2018-9995
info:
  name: TBK DVR4104/DVR4216 Devices - Authentication Bypass
  author: princechaddha
  severity: critical
  description: |
    TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and
    MDVR Login, which run re-branded versions of the
arXiv
What are Attackers after on IoT Devices? An approach based on a multi-phased multi-faceted IoT honeypot ecosystem and data clustering (arxiv_fulltext · 2021-12-21)
Armin Ziaie Tabari (ORCID 0000-0002-6075-2082), University of South Florida, Tampa, FL, USA; Xinming Ou, University of South Florida, Tampa, FL, USA; Anoop Singhal, National Institute of Standards and Technology, Gaithersburg, Maryland, USA
## Abstract
The growing number of Internet of Things (IoT) devices makes it imperative to be aware of the real-world threats they face in terms of cybersecurity. While honeypots have been historically used as decoy devices to help researchers/organizations gain a better understanding of the dynamic of threats on a network and their impact, IoT devices pose a unique challenge for t
arXiv
A First Step Towards Understanding Real-world Attacks on IoT Devices (arxiv_fulltext · 2020-03-02)
Armin Ziaie Tabari, Xinming Ou; Department of Computer Science and Engineering, University of South Florida, Tampa, FL, USA
## Abstract
With the rapid growth of Internet of Things (IoT) devices, it is imperative to proactively understand the real-world cybersecurity threats posed to them. This paper describes our initial efforts towards building a honeypot ecosystem as a means to gathering and analyzing real attack data against IoT devices. A primary condition for a honeypot to yield useful insights is to let attackers believe they are real systems used by humans and organizations. IoT devices pose unique challenges in this respect, due to the large variety of device types and the
Tenable
Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations (blogs_tenable · 2025-01-03)
Bleepingcomputer
FBI spots HiatusRAT malware attacks targeting web cameras, DVRs (blogs_bleepingcomputer · 2024-12-16 · CVSS 9.8) [CRITICAL]
## FBI spots HiatusRAT malware attacks targeting web cameras, DVRs
By Sergiu Gatlan
The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online.
As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life.
"In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom," the FBI said. "The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak
Greynoiseio
Data Science-Fueled Tagging From GreyNoise Last Week (blogs_greynoiseio)
Greynoiseio
Anatomy of a GreyNoise Tag (blogs_greynoiseio)
References
- http://misteralfa-hack.blogspot.cl/2018/04/tbk-vision-dvr-login-bypass.html
- http://misteralfa-hack.blogspot.cl/2018/04/update-dvr-login-bypass-cve-2018-9995.html
- https://www.bleepingcomputer.com/news/security/new-hacking-tool-lets-users-access-a-bunch-of-dvrs-and-their-video-feeds/
- https://www.exploit-db.com/exploits/44577/