Samsung provides a wide range of DVR products, all working with nearly the same firmware. The firmware it's a Linux embedded system that expose a web interface through the lighttpd webserver and CGI pages. The authenticated session is tracked using two cookies, called DATA1 and DATA2, containing respectively the base64 encoded username and password. So, the first advise for the developers is to don't put the user credentials into the cookies! Anyway, the critical vulnerability is that in most of the CGI, the session check is made in a wrong way, that allows to access protected pages simply putting an arbitrary cookie into the HTTP request. Yes, that's all. This vulnerability allows remote unauthenticated users to: - Get/set/delete username/password of local users (/cgi-bin/setup_user) - Get/set DVR/Camera general configuration - Get info about the device/storage - Get/set the NTP server - Get/set many other settingsIt turns out that the major Samsung home surveillance DVR have this security flaw. Essentially all the username and passwords are unhashed and can be retrieved by using an arbitary cookie. The source code that retrieves this info is included here:
If you want to verify whether your device is vulnerable, check out :
http://ismysamsungdvrhacked.appspot.com/ (GitHub code here)
Hoping to find that Samsung fixed the issue, I went to http://www.samsungsv.com/Support/DVRFirmwareUpdate and discovered that the firmware versions have yet to be updated.
Why does this issue matter? For one, Samsung provides a Dynamic DNS service at samsungipolis.com (i.e. http://samsungipolis.com/home1) that enables customers to have their systems devices report the IP location. This IP address is stored by Samsung and provides a redirect to the owner's hosted cameras.
$ curl http://www.samsungipolis.com/testing <body> <meta http-equiv="refresh" content="0;url=http://18.104.22.168:80"/> </body>In other words, all you have to do is find a name that's using Samsung's Dynamic DNS service, point the Python script at this IP, and assuming the owner has enabled remote web interface access for the user account, you can login to their service (and possibly gain admin access to make any changes). You obviously have to use Internet Explorer to test, since the plug-ins were built in Silverlight. (If you get a blank white screen, you're probably using a non-IE browser.)
I've sent a note to their customer support and tweeted to them about this unpatched security flaw (now going on 3 months) If you are running one of these systems, you're best option is to disable the web interface until this flaw is patched.
Update (12/1/2013): Samsung's web site at samsungsv.com does not have the updated firmware images, but you can sign up for a free account at http://developer.samsungtechwin.com and get access to newer versions of the firmware.
For the SDE-5001 DVR device, for instance, the latest version is v1.05. However, this last update was made on 01/2013, about a year ago, which suggests that the patch has yet to be applied. Also, by mounting the flash image, we can also see that the binary for the cgi_login program which has this security hole does not appear to have changed since the v1.02 version. I also checked the lighttpd configuration and did not see any differences in the files. In other words, the security flaw still seems to exist.