Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure

Title: Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure
Advisory ID: ZSL-2024-5826
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (3/5)
Release Date: 20.08.2024
Summary
Vandal-resistant Door Phone for High-end Buildings. Offering top-of-the-line features, Akuvox X912 is targeted at high-end residential and commercial projects. With a compact size, it is perfect for buildings with limited installation space.
Description
The device's embedded web server on port 8080 serves the live camera feed from the video.cgi endpoint without requiring authentication. An unauthenticated attacker who can reach that port can request the endpoint directly and watch the door phone's video stream.
Vendor
The Akuvox Company - https://www.akuvox.com
Affected Version
Doorphone:
S539
S532
X916
X915
X912
R29
Intercom:
R20K-2
R20A-2
C313W-2
NS-2
NC-2
NX-2
Firmware: 912.30.1.137
Tested On
lighttpd/1.4.30
EasyHttpServer
Vendor Status
[25.02.2024] Vulnerability discovered.
[19.03.2024] Vendor contacted.
[20.03.2024] Vendor responds asking for more details. Sends PGP key.
[22.03.2024] Replied to the vendor.
[29.03.2024] Vendor starts working on a fix.
[02.04.2024] Working with the vendor.
[03.07.2024] Vendor releases version 915.30.10.146 to address this issue.
[20.08.2024] Coordinated public security advisory released.
PoC
akuvox_stream.txt
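The original PoC lives in akuvox_stream.txt and is not reproduced here. The following checker is an added example for verifying exposure on a device you administer, not the advisory's PoC and not Akuvox code. The endpoint path and port come from the Description above; the interpretation of the response (401/403 as "auth required", 200 with a multipart or image/video Content-Type as "exposed") is an assumption, since the advisory does not document the server's actual responses. Only the response headers are read and the connection is closed before any stream body is consumed.

```python
"""Check whether a door phone serves /video.cgi on port 8080 without
authentication, as described in ZSL-2024-5826.

Added example, not the advisory's PoC. Endpoint and port are taken from the
advisory; the content-type heuristics below are assumptions.
"""
import http.client
from typing import Mapping

ENDPOINT = "/video.cgi"   # from the advisory
PORT = 8080               # from the advisory

# Assumption: a live stream is served as MJPEG (multipart/x-mixed-replace) or a
# raw image/video type. A 200 with any other type is reported as "unexpected"
# rather than silently counted as safe.
STREAM_TYPES = ("multipart/x-mixed-replace", "image/", "video/")


def classify(status: int, headers: Mapping[str, str]) -> str:
    """Map an HTTP status code and response headers to a verdict.

    Returns 'exposed', 'auth-required' or 'unexpected'. Header names are
    matched case-insensitively because servers differ in capitalisation.
    """
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value.lower()
            break
    if status in (401, 403):
        return "auth-required"
    if status == 200 and ctype.startswith(STREAM_TYPES):
        return "exposed"
    return "unexpected"


def check_device(host: str, timeout: float = 5.0) -> str:
    """Issue one unauthenticated GET and classify the response headers.

    The connection is closed right after the headers arrive, so no video
    data is downloaded or stored by this check.
    """
    conn = http.client.HTTPConnection(host, PORT, timeout=timeout)
    try:
        conn.request("GET", ENDPOINT,
                     headers={"User-Agent": "zsl-2024-5826-check"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python check_video_cgi.py <host> [<host> ...]
    for target in sys.argv[1:]:
        print(target, check_device(target))
```

Run it against the device's IP; a result of "exposed" on firmware before 915.30.10.146 reproduces the issue, while a patched device should return "auth-required". Treat "unexpected" as a prompt to inspect the response by hand rather than as a clean bill of health.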
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/180262/
Changelog
[20.08.2024] - Initial release
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk