CVEID: CVE-2015-4464

SUBJECT: Insufficient Authorization Checks Request Handling Remote
Authentication Bypass for Kguard Digital Video Recorders

DESCRIPTION: A deficiency in handling authentication and authorization
has been found with Kguard 104/108/v2 models. While password-based
authentication
is used by the ActiveX component to protect the login page, all the
communication
to the application server at port 9000 allows data to be communicated
directly
with insufficient or improper authorization.

CVSS Base Score: 9.7
CVSS Temporal Score: 8.3
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:P/E:F/RL:U/RC:UR)

Affected Products and Versions

Kguard Digital Video Recorders: KG-SHA104/KG-SHA108/v2. Other variants
that runs
the same firmware from Zhuhai Raysharp Technology Co Ltd, are believed to
be vulnerable.

Exploit / Proof of Concept:

https://goo.gl/L5ASRo

Remediation/Fixes

None.

Workarounds and Mitigations

See: [06]

References:

[01] http://www.securityfocus.com/archive/1/534830
[02]
http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid
=527
[03] http://osvdb.org/show/osvdb/119402
[04] http://osvdb.org/show/osvdb/119422
[05] http://osvdb.org/show/osvdb/119403
[06]
https://www.academia.edu/11677554/Kguard_Digital_Video_Recorders_Multipl
e_Vulnerabilities
0? *?H?÷

 ?0?$Ò

10 +0 *?H?÷


 ?!0?0?
apËI?_?E)ç°¦ÙP[z0
 *?H?÷


0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30
991001000000Z
360716235959Z0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30?
"0
 *?H?÷



?
0?

?

¯

ÂÕ,Ûg¹-å?'Ý¥¾à°M³aV<Ö|ÃôÍ>?Ë¢?âáؤiŵâ¿Á¦GP^F9?Õ?ºµo¿Î'?G?1zØÙÓ7
?­,Gð?§
0ë÷< ÜrFî¥È[ÃÉViLÅÁ?{Õ?¼ïÃH>F` ?*Ր¶Í? Ì2Ý·ý@U²PV®ÌwMÇ M§1vïh??V²­i£RÐËÄ#=?þLèc?Æ?ö1öÒúåvݵ?£IÍÍ
ÍhÍ©iº£ë
?¤ ¦Á ÅÑFLmÒ¬f???à?Ô6ÿ"YÅù`¨_}òö%BaÄJ¸>?

0
 *?H?÷


?

4&<ÀMCI½é!?×f?·ÞŸÐä]_v"À&ù?::ù?µûì`ñèΰÈݧ0ó?ߤæ¤1ßÓFÜr
?®î<¤3?9¬pxsK?+ß0ÂT°¨;U¡þ(ÍB½tn?Û'D§ÎD]Ԑ?
B?±,Ðt£"ccÍ?µûÁmbkiuý]pA¹õ¿|ß¾Á2s"!?X{?zºãdH°û6%Ú?Ðñ$Ý?kF#9Tõ?
b ?¦?æ%âBEª¸­¾©B?Ïr9á±Cà(Ï·çZlkI³ÿã|??3]¬3קùÚ:UÉXùªïZ¶ÏKKß*0?
0?
apËI?_?E)ç°¦ÙP[z0
 *?H?÷


0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30
991001000000Z
360716235959Z0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30?
"0
 *?H?÷



?
0?

?

¯

ÂÕ,Ûg¹-å?'Ý¥¾à°M³aV<Ö|ÃôÍ>?Ë¢?âáؤiŵâ¿Á¦GP^F9?Õ?ºµo¿Î'?G?1zØÙÓ7
?­,Gð?§
0ë÷< ÜrFî¥È[ÃÉViLÅÁ?{Õ?¼ïÃH>F` ?*Ր¶Í? Ì2Ý·ý@U²PV®ÌwMÇ M§1vïh??V²­i£RÐËÄ#=?þLèc?Æ?ö1öÒúåvݵ?£IÍÍ
ÍhÍ©iº£ë
?¤ ¦Á ÅÑFLmÒ¬f???à?Ô6ÿ"YÅù`¨_}òö%BaÄJ¸>?

0
 *?H?÷


?

4&<ÀMCI½é!?×f?·ÞŸÐä]_v"À&ù?::ù?µûì`ñèΰÈݧ0ó?ߤæ¤1ßÓFÜr
?®î<¤3?9¬pxsK?+ß0ÂT°¨;U¡þ(ÍB½tn?Û'D§ÎD]Ԑ?
B?±,Ðt£"ccÍ?µûÁmbkiuý]pA¹õ¿|ß¾Á2s"!?X{?zºãdH°û6%Ú?Ðñ$Ý?kF#9Tõ?
b ?¦?æ%âBEª¸­¾©B?Ïr9á±Cà(Ï·çZlkI³ÿã|??3]¬3קùÚ:UÉXùªïZ¶ÏKKß*0?
û0?ã 
3
Õ|5k³,s?IâL2Ï0
 *?H?÷


0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G20
140814000000Z
150814235959Z0?1.0,U
%International Business Machines Corp.1 0UFederick Joe P. Fajardo10
?&??ò,d

 123993PH11$0" *?H?÷


fjpfajardo (at) ph.ibm (dot) com0 [email concealed]?0
 *?H?÷



0?Ú5Åú}«{Y-X;Z7ÖÕµ?aA[p¿hõ?¢F©ØaÝ1-¡sסLjo¾^ð?ô?(H¨C­
©Ë¡]ÔÔ}?®F¥_[}Ôí?ÏËnÔ5?2
;_ò­âNÇX<gw?YC?½Cwã®&eÜ?äåw?àîÜÔª{ ÿ

£?\0?X0 U00U 0mUf0d0b ` ^?\http://onsitecrl.verisign.com/In
ternationalBusinessMachinesCorpCorporateCIO/LatestCRL-G2.crl0?
)U ?
0?
0?
`?H
?øE
0?
0++

https://www.verisign.com/rpa-kr0
×+
0ÊÇNotice Text=NOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr0U#0?¶$Þý{¸ð?W?mٍò?:[ä0U
?ÐýÇ7ãÀ+JÐ??5·½Â00U)0' %
+

?7 fjpfajardo (at) ph.ibm (dot) com0 [email concealed]U%0+
+
0 `?H
?øB

 0
 *?H?÷


?

E6ì?O ?õ(?ºó ÏXÝv­¬ý}náz¸
4?3ûÇ ?û???7ì?^DJÔCඏ?qj
Ý4ÊoQu??ù£îjãQÜÚ??ÊU|íJpþIfäOn¼??· ?Je/ÑÎ??°ë¨×@éݧr9[¹ùv}Brej×·,D
Á4??uÁ@ë¾2®ZäI*ÏMH²²*F
SÕ»ÕÞ&?ò&øj´x÷?Þ?ØÄ? `?ÍLë/­ õí%ü;J¨??*¸ÑYu?;ÛÂÄÏtÖ¤Ø$z?}7°?i¢üA`ÚлÃ0?û0?ã 
3
Õ|5k³,s?
IâL2Ï0
 *?H?÷


0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G20
140814000000Z
150814235959Z0?1.0,U
%International Business Machines Corp.1 0UFederick Joe P. Fajardo10
?&??ò,d

 123993PH11$0" *?H?÷


fjpfajardo (at) ph.ibm (dot) com0 [email concealed]?0
 *?H?÷



0?Ú5Åú}«{Y-X;Z7ÖÕµ?aA[p¿hõ?¢F©ØaÝ1-¡sסLjo¾^ð?ô?(H¨C­
©Ë¡]ÔÔ}?®F¥_[}Ôí?ÏËnÔ5?2
;_ò­âNÇX<gw?YC?½Cwã®&eÜ?äåw?àîÜÔª{ ÿ

£?\0?X0 U00U 0mUf0d0b ` ^?\http://onsitecrl.verisign.com/In
ternationalBusinessMachinesCorpCorporateCIO/LatestCRL-G2.crl0?
)U ?
0?
0?
`?H
?øE
0?
0++

https://www.verisign.com/rpa-kr0
×+
0ÊÇNotice Text=NOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr0U#0?¶$Þý{¸ð?W?mٍò?:[ä0U
?ÐýÇ7ãÀ+JÐ??5·½Â00U)0' %
+

?7 fjpfajardo (at) ph.ibm (dot) com0 [email concealed]U%0+
+
0 `?H
?øB

 0
 *?H?÷


?

E6ì?O ?õ(?ºó ÏXÝv­¬ý}náz¸
4?3ûÇ ?û???7ì?^DJÔCඏ?qj
Ý4ÊoQu??ù£îjãQÜÚ??ÊU|íJpþIfäOn¼??· ?Je/ÑÎ??°ë¨×@éݧr9[¹ùv}Brej×·,D
Á4??uÁ@ë¾2®ZäI*ÏMH²²*F
SÕ»ÕÞ&?ò&øj´x÷?Þ?ØÄ? `?ÍLë/­ õí%ü;J¨??*¸ÑYu?;ÛÂÄÏtÖ¤Ø$z?}7°?i¢üA`ÚлÃ0?l0?T 
µø½æw*Çl
vx?øC0
 *?H?÷


0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30
090707000000Z
190706235959Z0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G20?
"0
 *?H?÷



?
0?

?

»?Ë%\®ìlÜ13cYøuƲýû<!÷?J
:
ih_ *üj;æ?FsBt°y$Ý?ý?¦crÃc~Q.fqiCõ?Kp??3gu¡v?¹CÃQ²ÿB¥JÓa Øh??Ð
ú_­p?Û¿ã3gìTàOUd7ýDhy²Ùþ?F­?Ý`.Ç¿ßý¿?}a#2ÖÐ?Î
®´T»OúñãÍt¡=â «~edæ4ÕBºè$¹? O/8eîó¾Ê¹ô^?±}SpÃÖ?\yµq¡YI=6ää?¥A?mwé£?[Dî?ɧ=sX'?cÖ¸ÍdÆK

£?0
?0U

ÿ0

ÿ
0pU i0g0e`?H
?øE
0V0(+

https://www.verisign.com/cps0*+

0https://www.verisign.com/rpa04U-0+0) ' %?#http://crl.verisig
n.com/pca2-g3.crl0U

ÿ
0.U'0%¤#0!10UPrivateLabel4
-2048-1300U¶$Þý{¸ð?W?mٍò?:[ä0ðU#è0å¡Ð¤Í0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G3?apËI?_?E)ç°¦ÙP[z0
 *?H?÷


?

Pȱc,¶?b2Ø
+þ%¤?ö'A
©lÚ·;çA:§N×tS»(@6¹%\¨¢rÉF#áÁÔ)¹`¢æ?ë?Gæ ?ÃC?¥(Àt{¿H0G"?¶?Aë«xhþê?ãðê´?è!¶µÕùú=?
r>ïÍ1×ʧ5@ÚüàéqE¬!£¼ã?þ?hWþ×\ã´Z¢ì?^ÆXXB?"Â?Pê¤
ä9Q$p?D>? ± â¥WWs6%Ò
jâ»°?Q®Z?#ùÅÉáñ#NYùì7´IêùJ
E§°kIÝÕ˹ Ð?gÒ¨Ý?fÞV?0?l0?T 
µø½æw*Çlvx?øC0
 *?H?÷


0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G30
090707000000Z
190706235959Z0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G20?
"0
 *?H?÷



?
0?

?

»?Ë%\®ìlÜ13cYøuƲýû<!÷?J
:
ih_ *üj;æ?FsBt°y$Ý?ý?¦crÃc~Q.fqiCõ?Kp??3gu¡v?¹CÃQ²ÿB¥JÓa Øh??Ð
ú_­p?Û¿ã3gìTàOUd7ýDhy²Ùþ?F­?Ý`.Ç¿ßý¿?}a#2ÖÐ?Î
®´T»OúñãÍt¡=â «~edæ4ÕBºè$¹? O/8eîó¾Ê¹ô^?±}SpÃÖ?\yµq¡YI=6ää?¥A?mwé£?[Dî?ɧ=sX'?cÖ¸ÍdÆK

£?0
?0U

ÿ0

ÿ
0pU i0g0e`?H
?øE
0V0(+

https://www.verisign.com/cps0*+

0https://www.verisign.com/rpa04U-0+0) ' %?#http://crl.verisig
n.com/pca2-g3.crl0U

ÿ
0.U'0%¤#0!10UPrivateLabel4
-2048-1300U¶$Þý{¸ð?W?mٍò?:[ä0ðU#è0å¡Ð¤Í0Ê10 UUS10U
VeriSign, Inc.10UVeriSign Trust Network1:08U1(c) 1999 VeriSign, Inc. - For authorized use only1E0CU<VeriSign Class 2 Public Primary Certification Authority - G3?apËI?_?E)ç°¦ÙP[z0
 *?H?÷


?

Pȱc,¶?b2Ø
+þ%¤?ö'A
©lÚ·;çA:§N×tS»(@6¹%\¨¢rÉF#áÁÔ)¹`¢æ?ë?Gæ ?ÃC?¥(Àt{¿H0G"?¶?Aë«xhþê?ãðê´?è!¶µÕùú=?
r>ïÍ1×ʧ5@ÚüàéqE¬!£¼ã?þ?hWþ×\ã´Z¢ì?^ÆXXB?"Â?Pê¤
ä9Q$p?D>? ± â¥WWs6%Ò
jâ»°?Q®Z?#ùÅÉáñ#NYùì7´IêùJ
E§°kIÝÕ˹ Ð?gÒ¨Ý?fÞV?1??0??

0?
0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G23
Õ|5k³,s?IâL2Ï0 + ?
Ò0 *?H?÷

1 *?H?÷


0 *?H?÷

1
150624175651Z0# *?H?÷

1ñòö??Ï?,?:&?ÅÕ0C *?H?÷

16040+0*?H?÷
?0
*?H?÷
0
*?H?÷

(0?
,*?H?÷

1?
 ?
0?

10 UUS1402U
+International Business Machines Corporation10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)091503U,Class 2 Managed PKI Individual Subscriber CA1'0%UIBM Certification Authority G23
Õ|5k³,s?IâL2Ï0
 *?H?÷



?»pä?Ã?ô$i¾ÇkçÀËReâÇ2?×E??¢% ê:û?ÆYîUýÑyãiÄ迧4?"?qÐÙÿdìµÊÃ???ÄÝ?ܐ?£K{?I
,w1¤h|?U)??òñ·°O²\2א½ð*¹_ðÀ¥ñ¡(fv

[ reply ]