CVE-2018-10770

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to download the configuration file of ShenZhen Anni '5 in 1 XVR' devices without authentication, exposing administrative passwords. It affects all users of these specific XVR devices with the vulnerable download.rsp endpoint exposed. Attackers can gain full control of the devices by obtaining credentials.

💻 Affected Systems

Products:
  • ShenZhen Anni '5 in 1 XVR' devices
Versions: All versions with vulnerable download.rsp endpoint
Operating Systems: Embedded Linux/RTOS on XVR devices
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with web interface accessible. Specific firmware versions not documented in available references.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of XVR device leading to surveillance system takeover, video feed interception, device manipulation, and potential lateral movement to connected networks.

🟠 Likely Case

Unauthorized access to XVR configuration, password theft, and device compromise allowing attackers to view/manipulate surveillance feeds.

🟢 If Mitigated

Limited to attempted access logs if proper network segmentation and authentication controls are implemented.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication via exposed web interface.
🏢 Internal Only: HIGH - Still exploitable from internal networks without authentication requirements.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single unauthenticated HTTP GET request to the download.rsp endpoint retrieves the configuration file, which contains the device credentials. Multiple GitHub repositories contain exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not found in provided references

Restart Required: No

Instructions:

No official patch available. Contact ShenZhen Anni for firmware updates or replacement recommendations.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Isolate XVR devices from the internet and restrict which internal hosts can reach them.

Access Control Lists (applies to: linux)

Implement firewall rules that block external access to the XVR web interface. In the rules below, trusted_networks is a placeholder for the CIDR range(s) allowed to reach the device; keep the ACCEPT rule ahead of the DROP rule, since iptables evaluates rules in order, and adjust --dport if the web interface listens on a port other than 80.

iptables -A INPUT -p tcp --dport 80 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Disable or block access to the download.rsp endpoint in the web server configuration, where the firmware allows it
  • Change all device passwords immediately and enforce a strong password policy, since any previously downloaded configuration file still holds the old credentials

🔍 How to Verify

Check if Vulnerable:

Attempt an HTTP GET request to http://[device_ip]/download.rsp. If the configuration file downloads without authentication, the device is vulnerable.

Check Version:

Check device web interface or physical label for firmware version. No standard command available.

Verify Fix Applied:

Verify that the download.rsp endpoint requires authentication or returns an error when accessed without credentials.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /download.rsp from unauthorized IPs
  • Multiple failed login attempts followed by configuration download

Network Indicators:

  • Unusual outbound connections from XVR devices
  • HTTP requests to download.rsp from external IPs

SIEM Query:

sourceIP=external AND destinationPort=80 AND urlPath="/download.rsp"
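As an added example (not part of this advisory), the following Python script applies the log indicators above to web-server access-log lines: it flags every GET of /download.rsp, rates a 200 response to a source outside the trusted networks as a confirmed exposure, marks a 200 to a trusted source for review, and treats any other status (401/403 once authentication is enforced) as denied. The combined log format, the trusted ranges and the sample addresses are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Combined access-log format; assumes the collector stores XVR web requests this way.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Networks allowed to reach the XVR web interface (constructed; replace with your own).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    verdict: str  # "exposure", "review" or "denied"

def classify(ip: str, status: int) -> str:
    """Rate one GET /download.rsp request by its source and outcome."""
    trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    if status != 200:
        return "denied"  # endpoint refused it (401/403 once auth is enforced)
    return "review" if trusted else "exposure"  # 200 to an outsider = config file leaked

def scan_log(lines):
    """Return a Finding for every GET of /download.rsp, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") != "GET" or path != "/download.rsp":
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("ip"), m.group("ts"), status,
                                classify(m.group("ip"), status)))
    return findings

# Constructed sample lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.45 - - [12/May/2018:10:14:02 +0000] "GET /download.rsp HTTP/1.1" 200 18432 "-" "python-requests/2.18.4"',
    '10.0.4.7 - - [12/May/2018:10:15:10 +0000] "GET /download.rsp HTTP/1.1" 200 18432 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2018:10:16:33 +0000] "GET /download.rsp HTTP/1.1" 401 0 "-" "curl/7.58.0"',
    '203.0.113.45 - - [12/May/2018:10:17:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
]
```

Calling scan_log(SAMPLE_LOG) yields three findings (exposure, review, denied); an "exposure" verdict means the credentials in that configuration file should be treated as compromised and rotated.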
