Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Shenzhen TVT NVMS-9000 Authentication Bypass and Information Disclosure Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware versions prior to 1.3.4. This vulnerability affects many white-labeled DVR, NVR, and IPC products. By sending a crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can execute privileged administrative query commands without valid credentials. Exploitation of this vulnerability allows access to sensitive information such as administrator usernames and passwords in cleartext, network and service configurations, and other device details. The vulnerable administrative commands include queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg.
Impact
Successful exploitation bypasses authentication and allows unauthorized users to execute administrative commands, leading to unauthorized access to sensitive information and potential administrative control over the device.
Reproduction
The vulnerability can be reproduced by sending a crafted TCP payload to an exposed NVMS-9000 control port. The payload can be crafted to include commands that query sensitive information from the device. This can be done using a simple script that connects to the target device's control port and sends the payload. Once the device responds, the sensitive information can be extracted from the response.
Remediation
Users can contact TVT's technical support to inquire about available patches for this vulnerability. It is also recommended to update to NVMS-9000 version 1.3.4 or later, which is not affected by this vulnerability.
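For defenders triaging exposure, the sketch below is an added example (not vendor code and not part of the original advisory). It scans captured client-to-device payloads for the administrative query commands named above, skips known management hosts, and marks whether the targeted device runs firmware prior to 1.3.4. It assumes the command names appear as cleartext bytes in the reassembled payload; the record layout, inventory mapping, IP addresses and payload framing are constructed for illustration.

```python
import re
from collections import defaultdict

# Administrative query commands named in the advisory.
ADMIN_QUERIES = (
    "queryBasicCfg", "queryUserList", "queryEmailCfg",
    "queryPPPoECfg", "queryFTPCfg",
)
_CMD_RE = re.compile(b"|".join(re.escape(c.encode()) for c in ADMIN_QUERIES))
FIXED_VERSION = (1, 3, 4)  # first unaffected NVMS-9000 release per the advisory

def is_affected(version):
    """True if version is prior to 1.3.4; unknown or unparseable counts as affected."""
    m = re.match(r"\D*(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return True
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION

def triage(records, inventory, trusted_sources=frozenset()):
    """records: (src_ip, device_ip, payload_bytes) tuples from control-port traffic.
    inventory: device_ip -> firmware version string (assumed asset list).
    Returns one finding per untrusted (src, device) pair that sent a listed command."""
    seen = defaultdict(set)
    for src, dst, payload in records:
        if src in trusted_sources:
            continue  # known management station, not reported
        for m in _CMD_RE.finditer(payload):
            seen[(src, dst)].add(m.group().decode())
    return [
        {"src": src, "device": dst, "commands": sorted(cmds),
         "affected_firmware": is_affected(inventory.get(dst))}
        for (src, dst), cmds in sorted(seen.items())
    ]

# Constructed sample data: documentation IP ranges and made-up payload framing.
SAMPLE_INVENTORY = {"192.0.2.10": "1.3.2", "192.0.2.11": "1.3.4"}
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.10", b"cmd=queryUserList"),
    ("198.51.100.7", "192.0.2.10", b"cmd=queryBasicCfg"),
    ("192.0.2.200", "192.0.2.10", b"cmd=queryFTPCfg"),    # trusted host
    ("203.0.113.9", "192.0.2.11", b"cmd=queryEmailCfg"),  # patched device
    ("203.0.113.9", "192.0.2.11", b"keepalive"),          # no listed command
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, SAMPLE_INVENTORY, {"192.0.2.200"}):
        print(finding)
```

A finding with affected_firmware set to True means credentials stored on that device should be treated as disclosed and rotated after the firmware is updated.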
