Newly discovered vulnerabilities affecting DVR systems could open the door to new, more potent Internet of Things (IoT) botnets, Pen Test Partners security researchers warn.
Following months of investigation into the hardware and software security of more than 30 DVR brands, the researchers discovered a series of flaws that Mirai and other IoT botnets didn’t use, but which could have made these threats far more destructive. These include new telnet credentials and interfaces, as well as an exploitable buffer overflow over port 80 that impacts over 1 million devices.
The researchers also discovered new DVR brands that are vulnerable to Mirai but were previously unknown to researchers, and say that DVRs can be used to disable house alarms. They also note that Mirai could have used more default telnet credentials (qazxsw), along with new telnet interfaces that run on ports other than 23.
The researchers found that some DVRs run telnet on the non-standard port 12323, using the same default credentials targeted by Mirai, along with an interface on TCP/9527 that accepts credentials such as admin/blank, admin/123456 or similar and leads to a shell. Via directory traversal, an attacker could abuse the interface to recover the hashed passwords and crack them offline.
The root of the Mirai issue, the researchers suggest, lies in the way DVR vendors customized the products they received from a single original design manufacturer (ODM) called XiongMai. Although vendors could change the default credentials, they apparently had only a limited number of credentials to shuffle between, and Mirai covers all of them.
However, botnets such as Mirai and Hajime aren’t the biggest threats to DVRs, the Pen Test Partners team argues. On some devices the web server running on port 80 is vulnerable to a buffer overflow triggered via a GET request, which makes remote code execution possible. A botnet exploiting this issue could be larger than Mirai, the researchers say.
A debug interface running on port 9527, present on most XM-based DVRs, allows shell access as root with the credentials used for DVR login. Because the interface is port-forwarded by default, it is likely discoverable on the public Internet in home user and SME environments. It also has a directory traversal vulnerability (CVE-2017-7577) and easily guessable default credentials.
The researchers also suggest that BrickerBot, a piece of IoT malware targeting the same devices as Mirai but completely disabling them, was actually meant to be a healing worm, but didn’t work as intended. The issue, they say, is that DVRs run a cut-down version of busybox, which lacks commands for the functionality BrickerBot wants to use. The malware, however, was set to brick the device if it couldn’t fix its vulnerabilities.
The Pen Test Partners researchers also say they found a way to remotely fix Mirai-vulnerable devices. However, they decided against publishing the underlying details, because the very same method could be used to make Mirai even more potent than it already is by giving it persistence across reboots.