Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
Advisory ID: ZSL-2020-5613
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 24.12.2020
Summary
Arteco DVR/NVR is a mountable industrial surveillance server for managing IP video surveillance, designed for medium to large installations that require high performance and reliability. Arteco can handle IP video sources from all major international manufacturers and is compatible with ONVIF and RTSP devices.

Description
The session identifier carried in the 'SessionId' cookie is too short: the space of possible values is small enough to enumerate, so a remote attacker can submit candidate cookie values until the server accepts one that belongs to a user who is currently logged in. The attacker thereby obtains a valid session without knowing any credentials, bypasses authentication and can view the live camera stream.
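The attack the description sketches, as an added example that is not the advisory's own arteco_session.py: a simulated server hands out a short SessionId cookie, the attacker walks the whole cookie space until a guess is accepted, and the same loop is run with a bounded budget against a 32-byte token from `secrets` to show why a properly sized identifier cannot be enumerated. The 4-digit numeric format, the 200/401 responses and the protected path are assumptions for the simulation; the advisory does not state the real identifier length.

```python
"""Added example, not the advisory's arteco_session.py: simulates a web front end
that issues a short SessionId cookie, brute forces it, and contrasts the cost
with a CSPRNG token.  Assumptions (not stated in the advisory): the weak
SessionId is 4 decimal digits, the protected resource answers 200 for a valid
cookie and 401 otherwise.
"""
import itertools
import math
import random
import secrets
import string
from typing import Callable, Optional, Set, Tuple

# Hypothetical weak scheme used by the simulated server (assumption, see docstring).
WEAK_ALPHABET = string.digits
WEAK_LENGTH = 4


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random identifier drawn from alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int, live_sessions: int = 1) -> float:
    """Expected guesses before one of `live_sessions` valid IDs is hit when
    candidates are tried in order: roughly N / (live_sessions + 1)."""
    return alphabet_size ** length / (live_sessions + 1)


def parse_session_cookie(cookie_header: str) -> Optional[str]:
    """Extracts SessionId from a Cookie header value such as 'a=1; SessionId=1234'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SessionId":
            return value
    return None


class SimulatedServer:
    """Stand-in for the DVR/NVR web client: login() issues a SessionId cookie,
    request() checks it on the protected path.  Only the identifier generation
    differs between the weak and the hardened mode."""

    def __init__(self, rng: random.Random, hardened: bool = False) -> None:
        self._rng = rng
        self._hardened = hardened
        self._sessions: Set[str] = set()

    def login(self) -> str:
        if self._hardened:
            sid = secrets.token_urlsafe(32)   # 32 bytes from the OS CSPRNG, 256 bits
        else:
            sid = "".join(self._rng.choice(WEAK_ALPHABET) for _ in range(WEAK_LENGTH))
        self._sessions.add(sid)
        return sid

    def request(self, cookie_header: str) -> int:
        """HTTP-style status for the protected path given the Cookie header value."""
        sid = parse_session_cookie(cookie_header)
        return 200 if sid in self._sessions else 401


def brute_force(request: Callable[[str], int], alphabet: str, length: int,
                max_guesses: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Sends every candidate identifier as the SessionId cookie, in order, and
    stops at the first one the server accepts.  Returns (sid or None, guesses)."""
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=length):
        if max_guesses is not None and guesses >= max_guesses:
            break
        guesses += 1
        sid = "".join(candidate)
        if request(f"SessionId={sid}") == 200:
            return sid, guesses
    return None, guesses


def demo(seed: int = 1) -> dict:
    """Hijacks a live session on the weak server, then spends the same budget on the hardened one."""
    weak = SimulatedServer(random.Random(seed))
    victim_sid = weak.login()                      # a legitimate user logs in first
    hijacked, n = brute_force(weak.request, WEAK_ALPHABET, WEAK_LENGTH)

    strong = SimulatedServer(random.Random(seed), hardened=True)
    strong.login()
    token_alphabet = string.ascii_letters + string.digits + "-_"   # urlsafe base64 alphabet
    missed, spent = brute_force(strong.request, token_alphabet, 43,
                                max_guesses=len(WEAK_ALPHABET) ** WEAK_LENGTH)
    return {
        "victim_sid": victim_sid,
        "hijacked": hijacked,
        "guesses": n,
        "weak_bits": keyspace_bits(len(WEAK_ALPHABET), WEAK_LENGTH),
        "strong_missed": missed is None,
        "strong_guesses": spent,
    }


if __name__ == "__main__":
    print(demo())
```

A real PoC replaces `SimulatedServer.request` with an HTTP request carrying `Cookie: SessionId=<candidate>` and tells an accepted session apart by status code, redirect target or body length; the expected cost is about N/(n+1) requests for n logged-in users, which is also the number a defender should compute when sizing the identifier (at least 64 bits of entropy from a CSPRNG, 128 in practice). The same enumeration is loud on the wire: thousands of requests to one path from one client, each with a different SessionId and a 401 response, is a detection signature that needs no product-specific knowledge.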
Vendor
Arteco S.U.R.L. - https://www.arteco-global.com

Affected Version
N/A

Tested On
Microsoft Windows 10 Enterprise
Apache/2.4.39 (Win64) OpenSSL/1.0.2s
Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
Arteco-Server

Vendor Status
[16.11.2020] Vulnerability discovered.
[10.12.2020] Vendor contacted.
[23.12.2020] No response from the vendor.
[24.12.2020] Public security advisory released.

PoC
arteco_session.py

Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References
[1] https://packetstormsecurity.com/files/160718
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/193750
[3] https://cxsecurity.com/issue/WLB-2020120170
[4] https://www.exploit-db.com/exploits/49348
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/194139

Changelog
[24.12.2020] - Initial release
[27.12.2020] - Added reference [1], [2] and [3]
[05.01.2021] - Added reference [4]
[22.01.2021] - Added reference [5]

Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk