Samsung NVR WebViewer Remote DoS Vulnerability — CVE-2019-12223

Samsung branded NVRs (Network Video Recorders), firmware released prior to May 3rd 2019 and running the WebViewer management software, specifically the SRN models, are vulnerable to a remote denial of service attack. The attacker can overflow the username field to force a restart of the system rendering it useless for the duration of the attack.

I informed the company of the vulnerability and they have both acknowledged and patched the issue.

Technical Details

Exploiting the vulnerability is trivial and requires very low skill level. It can be accomplished manually via the web interface or automated via a Curl command or other programmatic HTTP libraries and tools.

Exploit Via Web Interface

Open Developer Tools (F12) from the web browser after loading the NVR WebViewer login page and edit the maxlength field for the login_id input from 16 to 200.

Enter 200 characters in the ID field and enter any password.

Click Login. You should receive a 500 error.

Refresh the page. The SRN device is now rebooting.

Exploit Via Curl (Programmatic)

Enter the following command with the victim ip address and port

Note the “Main Process Connect Fail!” message in the response below.

MetaSploit Module

I have a working MetaSploit module ready to submit so keep your eyes peeled.

CVSS Score

The Common Vulnerability Scoring System calculator scores this vulnerability at 7.5

Shodan.io

A quick Shodan search turns up over 13,000 potentially vulnerable devices that are public facing across the Internet