SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt
This event is generated when a user attempts to run a command through the "cmd" request parameter of various DVR web applications.
Attempted User Privilege Gain
Rule checks for attempts to run a command through the "cmd" request parameter of various DVR web applications.
What To Look For
This rule fires on attempts to execute arbitrary commands on TBK DVR4104 and DVR4216 devices.
Ease of Attack: No public information
False Positives: No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
Technique: Execution through API
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2018-9995: TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
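The CVE description above gives a detection engineer two things to key on: the forged "uid=admin" cookie and a request to device.rsp carrying the "cmd" parameter. The following is an added example, not the Snort rule itself and not code from Talos, showing how a log-inspection script can apply the same logic to raw HTTP request text. The sample requests, the host address and the severity labels are constructed for illustration; the detector flags the exact opt=user&cmd=list credential-disclosure request as high severity and any other device.rsp "cmd" request sent with the forged cookie as medium.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTTP requests (not captured traffic) used to exercise the detector.
SAMPLE_REQUESTS = [
    # Matches the CVE-2018-9995 pattern: forged uid=admin cookie plus device.rsp?opt=user&cmd=list
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n",
    # Same endpoint without the forged cookie: not flagged as a bypass
    "GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # Forged cookie on an unrelated resource: not the vulnerable endpoint
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: uid=admin\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (method, request-target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def cookie_has_admin_uid(cookie_header):
    """True when the Cookie header carries a cookie named uid whose value is exactly admin."""
    for part in cookie_header.split(";"):
        name, _sep, value = part.strip().partition("=")
        if name.strip().lower() == "uid" and value.strip() == "admin":
            return True
    return False


def inspect_request(raw):
    """Return a finding dict for a suspicious device.rsp request, or None."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    # Only the DVR command endpoint named in the CVE is of interest.
    if not parts.path.lower().endswith("/device.rsp"):
        return None
    query = parse_qs(parts.query)
    opt = query.get("opt", [""])[0]
    cmd = query.get("cmd", [""])[0]
    forged = cookie_has_admin_uid(headers.get("cookie", ""))
    if forged and opt == "user" and cmd == "list":
        severity = "high"
        reason = "auth bypass: uid=admin cookie with opt=user&cmd=list (credential disclosure)"
    elif forged and cmd:
        severity = "medium"
        reason = "uid=admin cookie sent with device.rsp cmd=%r" % cmd
    else:
        return None
    return {"severity": severity, "method": method, "opt": opt, "cmd": cmd, "reason": reason}


def scan(requests):
    """Run inspect_request over a list of raw requests and keep only the findings."""
    return [finding for finding in (inspect_request(r) for r in requests) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The cookie check deliberately parses the header into name/value pairs rather than substring-matching "uid=admin", so a cookie such as uid=administrator or a different cookie that merely contains that text does not trigger a false alert; that is the main source of noise when this pattern is written as a plain content match.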