AVTECH IP Cameras, DVRs, and NVRs Unauthenticated Information Disclosure Vulnerability

A vulnerability allowing unauthenticated access to sensitive internal device information exists in AVTECH IP cameras, DVRs, and NVRs. This issue can be exploited via the 'Machine.cgi?action=get_capability' request, which discloses details such as the firmware version, MAC address, and codec support without requiring authentication.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive device information, including firmware versions, MAC addresses, and supported codecs.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/cgi-bin/nobody/Machine.cgi' with the 'action=get_capability' parameter. This request can be made without any authentication, and the response will include sensitive information such as the firmware version, MAC address, and product type.