BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

AVTECH DVR Multiple Vulnerabilities

Disclosed: August 28, 2013

Zeroday: 421 days

Vulnerability Description:

CVE-2013-4980 and CVE-2013-4981 permit unauthenticated arbitrary code execution via overflows in the RTSP packet handler and in /cgi-bin/user/Config.cgi, respectively. CVE-2013-4982 allows attackers to bypass the CAPTCHA of the administration login console.

Vendors:

AVTECH

Vulnerable Software/Devices:

DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003, and possibly prior versions

Vulnerability Severity:

High

Exploit Availability:

Publicly Available

Exploit Impact:

Remote Code Execution, Security Bypass

Remote Code Execution (CVE-2013-4980 and CVE-2013-4981)
Exploitation of these vulnerabilities is possible by forming a malicious request and sending it to the affected server. Remote attackers who successfully exploit them will be able to execute arbitrary commands on the vulnerable system with the same rights as the web service.

Security Bypass (CVE-2013-4982)
This vulnerability lets an attacker bypass the CAPTCHA protection mechanism and automate attacks that the CAPTCHA would normally block.

BeyondTrust Prevention and Detection:

 

Mitigation:

No mitigation is currently available.
