BEWARD Intercom 2.3.1 Credentials Disclosure

Title: BEWARD Intercom 2.3.1 Credentials Disclosure
Advisory ID: ZSL-2019-5505
Type: Local
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 27.01.2019
Summary
Multiaccessible User Operation, Electronic Lock Control, Real-Time Video, Two-Way Audio. The software is used for BEWARD IP video door stations control.
Description
The application stores logs and sensitive information in an unencrypted binary file called BEWARD.INTERCOM.FDB. A local attacker that has access to the current user session can successfully disclose plain-text credentials that can be used to bypass authentication to the affected IP camera and door station and bypass access control in place.
Vendor
Beward R&D Co., Ltd - https://www.beward.net
Affected Version
2.3.1.34471
2.3.0
2.2.11
2.2.10.5
2.2.9
2.2.8.9
2.2.7.4
Tested On
Microsoft Windows 10 Home (EN)
Microsoft Windows 7 SP1 (EN)
Vendor Status
[28.11.2018] Vulnerability discovered.
[30.11.2018] Vendor contacted.
[30.11.2018] Received automated confirmation of message receipt and assigned Ticket ID: NCG-690-71011.
[26.01.2019] No response from the vendor.
[27.01.2019] Public security advisory released.
PoC
beward_creds.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.beward.net/product/5411
[2] https://packetstormsecurity.com/files/151345
[3] https://cxsecurity.com/issue/WLB-2019010265
[4] https://www.exploit-db.com/exploits/46267
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/156274
Changelog
[27.01.2019] - Initial release
[29.01.2019] - Added reference [2], [3] and [4]
[31.01.2019] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk