iOT based security cameras from various vendors invites opportunities for flaws. Recently, researchers have discovered a similar vulnerability that allows hacking of surveillance cameras. By exploiting this “Peekaboo zero-day vulnerability” in the NUUO software, an attacker could remotely execute arbitrary commands.
Vulnerabilities In NUUO Software Allows Hacking Surveillance Cameras
Researchers from cybersecurity firm Tenable have discovered two vulnerabilities in video management software NUUO that allow hacking of surveillance cameras. As stated on their website, NUUO enjoys over 100,000 installations worldwide. Hence, one can imagine the massive impact of the vulnerabilities reported by Tenable.
Reportedly, researchers have found two different flaws in the NUUO security system for which they have provided a POC as well in their report. These vulnerabilities particularly affect the NVRMini2 – a network-attached storage and video recording device. One of these vulnerabilities, “The Mystery of the Backdoor” (CVE-2018-1150) is a Medium severity rated flaw developed due to “leftover debug code”. Explaining this vulnerability, the researchers state,
“If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.”
To exploit this vulnerability, an attacker needs to create file “/tmp/moses” which may require exploiting another vulnerability.
Peekaboo – A Zero-Day RCE Vulnerability
The other vulnerability, which is significantly important, is a zero-day vulnerability named “Peekaboo”. This vulnerability (CVE-2018-1149) holds a Temporal Score of 8.6 with a “Critical” severity rating. It is an “unauthenticated stack buffer overflow” vulnerability that allows remote code execution by the attacker. Jacob Baines, Tenable’s Senior Research Engineer, has developed the proof-of-concept demonstrating this flaw.
About the Peekaboo zero-day vulnerability, the researchers explain,
“The NVRMini2 uses an open-source web server that supports some executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated.
During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.”
As explained in the Tenable’s blog post, this critical vulnerability can allegedly give complete access to the surveillance system. This includes accessibility to the CMS and accessing CCTV cameras’ credentials.
Patch Awaited From NUUO
As reported, Tenable informed NUUO of the vulnerabilities on June 5, 2018, setting up a coordinated disclosure on September 17, 2018. After the reports, NUUO has patched the vulnerability in the version 18.104.22.168 which will be available soon.
Until then, Tenable recommends that users restrict network access control to limited and authorized personnel only. They have also shared dedicated plugins to identify the vulnerability within NUUO products.