Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Shenzhen TVT Digital Technology Command Injection Vulnerability in NVMS-9000 Firmware Allowing Remote Code Execution
Vulnerability
A command injection vulnerability allowing remote code execution has been identified in the NVMS-9000 firmware by Shenzhen TVT Digital Technology Co., Ltd. This firmware is commonly used in various white-labeled DVR, NVR, and IPC products. The vulnerability arises from hardcoded API credentials that grant unauthorized access to certain web endpoints. The web interface accepts HTTP/XML requests authenticated with these fixed credentials and fails to properly sanitize user-controlled input before executing it in a shell context. As a result, an unauthenticated remote attacker can exploit this flaw to execute arbitrary commands with root privileges. Additionally, some affected models can be accessed through a proprietary TCP service on port 4567, which also allows for command injection. Firmware releases from mid-February 2018 and later are reported to have fixed this issue.
Impact
Exploitation of this vulnerability leads to unauthorized command execution with root privileges on the affected device.
Reproduction
The vulnerability can be reproduced by sending an HTTP POST request to the '/doLogin' endpoint, using the hardcoded credentials 'admin:{12213BD1-69C7-4862-843D-260500D1DA40}' for authentication. After successful login, commands can be injected through XML parameters in requests to the '/editBlackAndWhiteList' endpoint. The same command injection can be achieved through the TCP service on port 4567, by sending base64-encoded XML payloads with a magic GUID prefix.
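Defenders can match the request sequence described above in proxy or web-server logs. The Python below is an added example, not code from TVT or from this advisory's author. It assumes requests are already parsed into dictionaries and that the hardcoded credential is sent as HTTP Basic authentication; the sample records and their XML element names are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Credential string exactly as quoted in the advisory text.
HARDCODED = "admin:{12213BD1-69C7-4862-843D-260500D1DA40}"
# Assumption: it is sent in an HTTP Basic Authorization header.
HARDCODED_B64 = base64.b64encode(HARDCODED.encode()).decode()
# Characters that let a value break out of a shell argument.
SHELL_META = re.compile(r"[;&|`]|\$\(|\$\{")

def uses_hardcoded_credential(headers):
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return scheme.lower() == "basic" and token.strip() == HARDCODED_B64

def xml_has_shell_metachar(body):
    """True if any XML text node or attribute holds a shell metacharacter."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return bool(SHELL_META.search(body))  # malformed XML: scan raw text
    return any(SHELL_META.search(v) for el in root.iter()
               for v in (el.text or "", el.tail or "", *el.attrib.values()))

def classify(req):
    """Return a finding label for one POST request record, or None."""
    path = req["path"].split("?", 1)[0]
    if req["method"] != "POST":
        return None
    if path == "/doLogin" and uses_hardcoded_credential(req["headers"]):
        return "hardcoded-credential-login"
    if path == "/editBlackAndWhiteList" and xml_has_shell_metachar(req["body"]):
        return "shell-metachar-in-xml"
    return None

def findings(records):
    return [(r["src"], label) for r in records if (label := classify(r))]

# Constructed sample records (not captured traffic); XML element names are made up.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/doLogin",
     "headers": {"authorization": "Basic " + HARDCODED_B64}, "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": "/editBlackAndWhiteList",
     "headers": {}, "body": "<request><entry>192.0.2.1;id</entry></request>"},
    {"src": "192.0.2.50", "method": "POST", "path": "/editBlackAndWhiteList",
     "headers": {}, "body": "<request><entry>192.0.2.1</entry></request>"},
]

if __name__ == "__main__":
    print(findings(SAMPLE))
```

Any login to '/doLogin' with this fixed credential is worth alerting on by itself, since the credential is not one a user sets. The proprietary TCP service on port 4567 is not covered here and needs network-level monitoring.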
Remediation
Users are advised to update to the latest firmware version available from TVT or their local partners. Instructions for upgrading are provided on the TVT website.
