Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Rifatron Intelligent Digital Security System DVR Unauthenticated Live Stream Disclosure Vulnerability
Vulnerability
A missing-authentication vulnerability has been identified in the animate.cgi script of Rifatron 5brid and 7brid DVR models. It allows unauthorized access to live video streams through the Mobile Web Viewer module: by specifying channel numbers, attackers can retrieve sequential video snapshots without authenticating. The affected DVRs include various models within the 5brid and 7brid series running firmware versions through 8.0 (000143).
Impact
Exploitation of this vulnerability leads to unauthorized access to live video streams, allowing for the interception and storage of video data.
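Because the stream is delivered as a sequence of snapshot requests, repeated successful hits on animate.cgi from one client are visible in HTTP logs. The following detection sketch is an added example, not part of the original advisory or vendor code; it assumes combined-log-format lines from a reverse proxy or network sensor in front of the DVR, and the function names, allowlist, threshold, window and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: combined-log-format lines recorded in front of the DVR.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def animate_hits(lines):
    """Yield (ip, timestamp) for each HTTP 200 whose path ends in animate.cgi."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if path.rsplit("/", 1)[-1].lower() == "animate.cgi":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_snapshot_pulls(lines, allowed=(), threshold=5, window=timedelta(seconds=10)):
    """Return clients outside `allowed` with >= threshold snapshot hits inside `window`."""
    by_ip = defaultdict(list)
    for ip, ts in animate_hits(lines):
        if ip not in allowed:
            by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

# Constructed sample log lines (documentation-range addresses, invented timestamps).
def sample_line(ip, sec, target, status=200):
    return f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] "GET {target} HTTP/1.1" {status} 5120 "-" "-"'

SAMPLE = (
    [sample_line("203.0.113.7", s, "/animate.cgi") for s in range(6)]      # burst, unknown client
    + [sample_line("192.0.2.10", s, "/animate.cgi") for s in range(6)]     # burst, expected viewer
    + [sample_line("198.51.100.4", s * 20, "/animate.cgi") for s in range(2)]  # sparse hits
    + [sample_line("198.51.100.9", s, "/index.html") for s in range(6)]    # unrelated page
)

if __name__ == "__main__":
    print(flag_snapshot_pulls(SAMPLE, allowed={"192.0.2.10"}))
```

Tune the threshold and window to the snapshot rate legitimate mobile viewers generate on the monitored network before alerting on the output.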
Reproduction
To reproduce this vulnerability, access the animate.cgi script via the Mobile Web Viewer module. Specify a channel number between 0 and 15 to request video snapshots. The snapshots can be saved and compiled into a video using tools like ffmpeg.
