Security researcher Andrea Fabrizi has disclosed, through full disclosure, a vulnerability in Samsung DVRs that allows unauthorized users to access protected pages simply by sending an arbitrary cookie in HTTP requests.
According to Fabrizi, Samsung uses nearly the same firmware in all its DVR products, so many models are vulnerable. The DVR firmware is based on an embedded Linux system and uses the lighttpd web server and CGI pages for the front-end interface.
The full disclosure mail notes that authentication data for the DVR is tracked through a base64-encoded username and password in two cookies named DATA1 and DATA2. The researcher claims that for most of the CGI pages session checks are “made in a wrong way,” allowing access to protected pages, and that the vulnerability can be exploited by inserting “an arbitrary cookie into the HTTP request.”
An unauthenticated user can set and delete usernames and passwords, change general DVR configuration, and change NTP server details, among other things. The vulnerable CGIs include, among others:
/cgi-bin/camera_privacy_area, /cgi-bin/dev_devinfo, /cgi-bin/dev_monitor, /cgi-bin/net_ddns, /cgi-bin/net_group, /cgi-bin/net_user, /cgi-bin/net_snmp, /cgi-bin/setup_user, /cgi-bin/setup_userpwd.
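As an added example (not from Fabrizi's advisory or Samsung's firmware), here is a log triage script a defender could run over the logs of a reverse proxy placed in front of a DVR. It flags requests to the CGI paths listed above whose DATA1/DATA2 cookies are missing, are not valid base64, or name an unknown account. The tab-separated log format, the function names and the `known_users` set are assumptions.

```python
import base64

# CGI paths the article lists as reachable without a valid session.
PROTECTED_CGIS = {
    "/cgi-bin/camera_privacy_area", "/cgi-bin/dev_devinfo", "/cgi-bin/dev_monitor",
    "/cgi-bin/net_ddns", "/cgi-bin/net_group", "/cgi-bin/net_user",
    "/cgi-bin/net_snmp", "/cgi-bin/setup_user", "/cgi-bin/setup_userpwd",
}

# Constructed sample log (assumed format): client IP, path, Cookie header, tab-separated.
SAMPLE_LOG = (
    "192.0.2.10\t/cgi-bin/setup_user\tDATA1=YWRtaW4=; DATA2=c2VjcmV0\n"
    "198.51.100.7\t/cgi-bin/setup_user\tsession=x\n"
    "198.51.100.7\t/cgi-bin/net_user\tDATA1=!!!; DATA2=!!!\n"
    "198.51.100.8\t/cgi-bin/dev_devinfo\tDATA1=Z3Vlc3Q=; DATA2=eA==\n"
    "192.0.2.10\t/index.html\t\n"
)

def decode_b64(value):
    # Strict decode: returns None for anything that is not well-formed base64 text.
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def classify(path, cookie_header, known_users):
    # Returns a reason string for a suspicious request, or None if it looks normal.
    if path.split("?", 1)[0] not in PROTECTED_CGIS:
        return None
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    if "DATA1" not in cookies or "DATA2" not in cookies:
        return "missing DATA1/DATA2"
    user = decode_b64(cookies["DATA1"])
    if user is None or decode_b64(cookies["DATA2"]) is None:
        return "cookie is not valid base64"
    if user not in known_users:
        return "unknown user in DATA1"
    return None

def scan(log_text, known_users):
    findings = []
    for line in log_text.splitlines():
        ip, path, cookie = line.split("\t")
        reason = classify(path, cookie, known_users)
        if reason:
            findings.append((ip, path, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, known_users={"admin"}):
        print(*finding, sep="  ")
```

The script cannot check DATA2 against the real password, so a well-formed cookie naming a known account passes; treat it as a first-pass filter for review.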
We have requested comment from Samsung but haven’t heard back yet. We will update the story when we hear from Samsung.