Rule Category: SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
Alert Message: SERVER-WEBAPP Multiple products DVR admin password leak attempt
Rule Explanation: This event is generated when an attacker attempts to leak the admin password from various DVR web applications.
Classification: Attempted User Privilege Gain
Details: The rule checks for attempts to leak the admin password from various DVR web applications.
Ease of Attack:
What To Look For: This rule fires on attempts to leak passwords for TBK DVR4104 and DVR4216 devices.
Known Usage: No public information
False Positives: No known false positives
Contributors: Cisco Talos Intelligence Group
MITRE ATT&CK Framework
Tactic: Credential Access
Technique: Credential Dumping
For reference, see the MITRE ATT&CK vulnerability types here:
Information Leakage happens when an attacker manipulates a system into revealing sensitive information, either through malformed input or by taking advantage of another feature of the system.
CVE Additional Information
CVE-2018-9995: TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
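As an added illustration of what this rule looks for (example code written here, not Snort's rule or Talos's code), the function below inspects a raw HTTP request and flags the CVE-2018-9995 pattern: a request for device.rsp with opt=user and cmd=list that carries a spoofed "uid=admin" cookie. The sample requests and the 192.0.2.10 host are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lowercased so lookups are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_dvr_credential_leak_attempt(raw: bytes) -> bool:
    """True when the request matches the CVE-2018-9995 pattern:
    device.rsp?opt=user&cmd=list plus a Cookie header with uid=admin."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if not parts.path.lower().endswith("device.rsp"):
        return False
    query = parse_qs(parts.query)
    lists_users = query.get("opt") == ["user"] and query.get("cmd") == ["list"]
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    spoofed_admin = "uid" in cookie and cookie["uid"].value == "admin"
    return lists_users and spoofed_admin


# Constructed sample traffic (not captures from a real device).
EXPLOIT_REQUEST = (
    b"GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n"
)
# Same endpoint, but the cookie carries a session value rather than "admin".
SESSION_REQUEST = (
    b"GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\nCookie: uid=3f9a1c; theme=dark\r\n\r\n"
)
# Spoofed cookie on an unrelated path: not the user-list leak this rule targets.
OTHER_PATH_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n"
```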