Showing posts with label Exploit. Show all posts

Tuesday, March 22, 2016

Remote Code Execution in CCTV-DVR affecting over 70 different vendors


This post is a follow-up to research dating back to December 2014, called "The Backoff POS Trojan operation". One of the key conclusions highlighted in that report was that fraudsters are adopting new tactics to attack retailers. The new attack vector is to compromise DVR boxes, the central component of any CCTV system. This allowed them to achieve two goals at once:
  1. Verify a targeted host actually belongs to a retailer.
  2. Get a foothold inside the local network, one step closer to the POS station.

Surveillance cameras, the first line of security in the physical world, are the weakest link in the virtual one? This sparks an amusing irony. When old-fashioned thieves physically broke into stores, on their way to the cashier they had to avoid or neutralize any surveillance equipment. Digital thieves enter the store through that very equipment. Truly Hollywood material.

Saturday, October 24, 2015

Timing attack vulnerability in Zeus server-sides

Timing attacks have been proven practical since 1996, as shown in a paper by Paul C. Kocher. In that paper, Kocher demonstrates how, by carefully measuring the time required for private-key operations, one can completely recover the private key. The attack was shown to be effective against widely used cryptosystems such as Diffie-Hellman, RSA and DSS.

Almost ten years later, in 2004, another research paper was published by Dan Boneh and David Brumley, entitled "Remote Timing Attacks are Practical", claiming that timing attacks of the kind shown in Kocher's paper are also practical remotely. Their research demonstrates a successful attack against a remote Apache server using OpenSSL, running on a local network.

Then, in Crosby's paper and also in Daniel Mayer & Joel Sandin's paper, the authors documented extensive benchmarking work to determine the smallest processing-time difference that can actually be measured across different hardware and networking setups.

Now, to tell you the truth, I didn't know a thing about these publications, or much about the existence of timing attacks, when I found this vulnerability in the Zeus botnet's server-side about three years ago. Even though I didn't use much of the knowledge mentioned above in my research, I decided to give this intro for people who would like to learn more about these attacks.

The vulnerability I've discovered is basically a timing attack that enables a remote attacker to determine the length, in characters, of the reports directory name by carefully measuring the server's response time. While this vulnerability may be considered low risk, and was found in a fraudulent piece of software, I find its nature to be a very interesting and intriguing case study that could be of good use to future researchers.


Sunday, March 18, 2012

LiteSpeed Admin Panel XSS

A vulnerability I found quite some time ago in the LiteSpeed <= 4.1.11 HTTP server. It is basically a simple reflected XSS (Cross-Site Scripting) in the administrator panel, which is another instance of the HTTP server running on port 7080.

If an attacker succeeds in convincing an administrator with an active session to open a maliciously crafted link exploiting this vulnerability, the attacker may perform malicious actions such as creating a new user with administrator privileges, or in other words: pwnage.

To reproduce:
http://lightspeed-server:7080/service/graph_html.php?gtitle=VHOSTa%3Cscript%3Ealert%28document.cookie%29%3C/script%3E