Don't run plain text CGI commands remotely

Revo2Maxx
Site Admin
Posts: 5820
Joined: Sat Jun 15, 2019 3:05 pm

Don't run plain text CGI commands remotely

Post by Revo2Maxx »

Hello all,

So I know that it is something that has gone out there some time back. Personally, I have not looked much into things until a few months ago, when I started doing some deep learning on my Amcrest devices and finding out some alarming things.

So one of the commands would look like these:
http://10.0.0.225/cgi-bin/Config.backup?action=All

http://10.0.0.225/cgi-bin/configManager ... g&name=All

Don't mind the IPs; they are of my 4116E-HS NVR. Anyway, I have been doing some digging around after I found some interesting things out about my devices. One: if you are outside your network and you make a connection to your LAN over a WAN connection, someone might be listening to your traffic. It could be through your hotel/motel or coffee shop, or however or wherever you're making a connection remotely.

Running the commands above can make someone's life very unhappy if someone is sniffing your traffic. Let's say you're on your system doing some work with one of your PoE cameras, make some adjustments, and think, OK, let's use the first CGI above to back up the camera's config. Someone watching your traffic, let's say, sees your connection to the connected port of 10081, and so they keep digging, and after a big traffic dump, if they follow all traffic of that dump, it will now have all your data for your camera, like any and all passwords stored.

So take for instance: someone in your home area is sniffing your Wi-Fi and was able to get in to sniff your data, and you ran this command on any of the NVRs like my 4116E-HS or my 4216E-AI and many of my other devices. It will not only give out all the passwords to every camera you have connected, but if you're using a DDNS server or email server, so much more data will come over in pure plain text, and with 2 clicks within a sniffer someone can look at all the data returned, just as it was saved to your computer.

So personally I wouldn't use the commands unless you know 100% there is no one watching, because it gives way too much data.

Think of it like this. Someone with older cameras like I do, that has many different passwords and even some the same as my main NVR passwords, running this command will transmit all passwords to the config backup file, and now anyone sniffing has just compiled more info than you ever wanted to be out there.

Safest way to make a connection is P2P: remove the NVRs from being open to the Internet via IP address and use ASP with P2P for your remote connections.
Here to help the best I can.
Be Safe
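As an added example (not from the post or from Amcrest), a small Python audit that shows what a network monitor on an untrusted hop sees: it scans constructed capture-summary lines and flags any request to the config-dump CGIs above that travels over plain HTTP, and a guard that refuses to build such a request unless the URL is HTTPS. The capture line format, the sample addresses, and the `action=getConfig` parameter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CGI paths the post identifies as returning the whole device config, passwords included.
SENSITIVE_CGI = {"/cgi-bin/Config.backup", "/cgi-bin/configManager"}

# Constructed sample of a capture summary (src -> dst:port METHOD URL); not real traffic.
# The "action=getConfig" query value is an assumption, not taken from the post.
SAMPLE_CAPTURE = """\
10.0.0.50 -> 10.0.0.225:80 GET http://10.0.0.225/cgi-bin/Config.backup?action=All
10.0.0.50 -> 10.0.0.225:10081 GET http://10.0.0.225/cgi-bin/configManager?action=getConfig&name=All
10.0.0.50 -> 10.0.0.225:443 GET https://10.0.0.225/cgi-bin/configManager?action=getConfig&name=Network
10.0.0.50 -> 10.0.0.225:80 GET http://10.0.0.225/cgi-bin/snapshot.cgi?channel=1
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S+)$")


def flag_plaintext_config_requests(capture_text: str) -> list[dict]:
    """Return one finding per request that fetches a sensitive CGI over plain HTTP."""
    findings = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed summary format
        url = urlsplit(m["url"])
        # Only plaintext HTTP to a config-dump endpoint is readable by a sniffer.
        if url.scheme != "http" or url.path not in SENSITIVE_CGI:
            continue
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        findings.append({
            "dst": f"{m['dst']}:{m['port']}",
            "path": url.path,
            "params": params,
            # A full dump is the worst case: every stored camera, DDNS and email password.
            "full_config": params.get("action") == "All" or params.get("name") == "All",
        })
    return findings


def require_https(url: str) -> str:
    """Refuse to build a config-backup request unless it is wrapped in TLS."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing plaintext config request to {parts.netloc}{parts.path}")
    return url


if __name__ == "__main__":
    for finding in flag_plaintext_config_requests(SAMPLE_CAPTURE):
        print("PLAINTEXT CONFIG DUMP:", finding)
```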
Revo2Maxx
Site Admin

Re: Don't run plain text CGI commands remotely

Post by Revo2Maxx »

Just to clear some things up. I had someone say that sending the CGI is the same as logging into the recorders, seeing they are not set up with HTTPS, and that isn't true. While I am not 100% sure, from what little research I have done into the login of the WebUI, it is done very differently than having the plain text returned from the CGI. Amcrest has it set up for the WebUI to encrypt the password being sent to the NVR from the device connecting to the NVR.

Now I don't want to say that all machines are equal either. My 4116E-HS with 4.0 FW installed and with the latest update does have so much JUNK traffic on doing a login, and while it isn't anything of importance, there is still a mess. When I log into my 4216E-AI NVR that has the 4.0 FW installed, it doesn't return all the junk that the 4116E-HS did. I also tested this under IE and Chrome, and both had the same results for the 2 recorders. I have not looked at any other info from the likes of my 7108-AI DVR or older machines yet. I just know that CGI and login are 2 different things in what data is passing.
Here to help the best I can.
Be Safe