Everfocus EDSR DVR vulnerability

Authentication bypass.

Posted by Andrea Fabrizi on October 12, 2009

The Everfocus EDSR firmware, version 1.4 and older, doesn’t handle correctly users authentication and sessions.

This exploit let you to connect to every remote DVR bypassing the authentication and see the live cams.

The poc is available here.

Note: I discovered this vulnerability on May 2008 and I informed the vendor, but apparently there is no solution at this time.

External ref: http://seclists.org/fulldisclosure/2009/Oct/211