How to hack the CP Plus CCTV systems?

Bharadwaj D J
Aug 27, 2021

“CP PLUS offers a comprehensive range of advanced security and surveillance solutions to meet the ever-changing requirements of different industries. At present, we are serving many different verticals comprising defence, government, hotels, hospitals, educational institutes, homes, infrastructure, and transportation among others. Being a major surveillance system brand globally, we bring efficient, reliable, scalable, and integrated solutions to our customers.”

The above text appears as soon as you open http://www.cpplusworld.com/. They are offering security solutions without security in their software and technology. That is a wonderful strategy.

Well, even after multiple explanations and proofs were given to this company, they are not serious about fixing this major security issue in their CCTV DVR. This vulnerability can be exploited until they fix the way authentication is designed/implemented. Take a look at the simple steps below (I have intentionally tried to keep them mostly non-technical).

Vulnerable product: CP Plus DVR

Version: All

Description: Account takeover through authentication bypass of the CP Plus DVR using forgot password functionality

Severity: High

Pre-Requisite:

An active CP Plus DVR system

A smartphone with any QR code reader app installed

PoC/Steps to Reproduce

1. On the screen where multiple windows of cameras are displayed, select the Admin login option through the settings or right-click to navigate to this admin login screen.

2. Click on the “Forgot Password” link on the screen.

3. The user will be asked to enter the registered email id.

4. But we are free to enter any email id and click on “Next”.

5. Open the QR Code reader/scanner app on the mobile device and scan the QR code appearing on the screen.

6. The QR code will be converted into a string value.

7. From the email id which is entered in #3 compose an email sharing the string value and send it to: resetpwd@cpplusworld.com

8. Within the next 5 to 10 minutes we will receive an email with a security code along with the serial number of the product.

9. Enter the security code on the screen in the required field and click on “Next”.

10. We are free to set our own new password now and log in as an admin.

With this admin privilege, we can check the CCTV logs, copy the footage to our mobile or USB devices, modify the recording settings, delete the recordings/footage, and perform all other admin activities.

Enjoy!
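The root cause in the steps above is that the security code is sent back to whichever address mails in the QR string. The Python below is an added example, not code from the original post or from CP Plus: it models a reset service and contrasts that behaviour with a handler that delivers the code only to the address registered for the device. The key, serial number, addresses and the `serial:nonce` layout of the QR string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model, not CP Plus code. Key, serial, addresses and the
# "serial:nonce" QR string layout are all assumptions for illustration.
SERVER_KEY = secrets.token_bytes(32)
REGISTERED = {"SN-TEST-0001": "owner@example.com"}  # serial -> address on file
CODE_TTL = 600  # seconds a security code stays valid


def _code(qr_string, issued):
    """Security code bound to the QR string and the issue time."""
    msg = f"{qr_string}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]


def reset_vulnerable(sender, qr_string, now=None):
    """Behaviour the post describes: the code goes back to whoever wrote in."""
    issued = int(time.time() if now is None else now)
    return {"to": sender, "code": _code(qr_string, issued), "issued": issued}


def reset_hardened(sender, qr_string, now=None):
    """Deliver the code only to the address registered for the serial."""
    issued = int(time.time() if now is None else now)
    serial = qr_string.split(":", 1)[0]
    owner = REGISTERED.get(serial)
    if owner is None:
        return None  # unknown device: issue nothing
    # The sender address is never used for delivery; a mismatch is only
    # recorded so the owner and the vendor can see the attempt.
    mismatch = sender.strip().lower() != owner.lower()
    return {"to": owner, "code": _code(qr_string, issued),
            "issued": issued, "mismatch": mismatch}


def verify(qr_string, code, issued, now=None):
    """Accept a code only inside its validity window, compared in constant time."""
    now = int(time.time() if now is None else now)
    if not 0 <= now - issued <= CODE_TTL:
        return False
    return hmac.compare_digest(code, _code(qr_string, issued))
```

With the hardened handler, a request from an unregistered address still produces a code, but it reaches only the registered owner, who also learns that someone with physical access to the DVR started a reset.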
