Peekaboo Zero-Day Vulnerability Allows Hacking of Surveillance Cameras


IoT-based security cameras from various vendors invite opportunities for flaws. Recently, researchers discovered one such vulnerability that allows hacking of surveillance cameras. By exploiting this “Peekaboo zero-day vulnerability” in the NUUO software, an attacker could remotely execute arbitrary commands.

Vulnerabilities In NUUO Software Allow Hacking Surveillance Cameras

Researchers from cybersecurity firm Tenable have discovered two vulnerabilities in video management software NUUO that allow hacking of surveillance cameras. As stated on their website, NUUO enjoys over 100,000 installations worldwide. Hence, one can imagine the massive impact of the vulnerabilities reported by Tenable.

Reportedly, the researchers found two different flaws in the NUUO security system and provided a PoC for them in their report. These vulnerabilities particularly affect the NVRMini2, a network-attached storage and video recording device. One of them, “The Mystery of the Backdoor” (CVE-2018-1150), is a Medium-severity flaw caused by “leftover debug code”. Explaining this vulnerability, the researchers state,

“If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.”

To exploit this vulnerability, an attacker needs to create the file “/tmp/moses”, which may require exploiting another vulnerability.

Peekaboo – A Zero-Day RCE Vulnerability

The other vulnerability, the more significant of the two, is a zero-day named “Peekaboo”. This vulnerability (CVE-2018-1149) holds a Temporal Score of 8.6 with a “Critical” severity rating. It is an “unauthenticated stack buffer overflow” vulnerability that allows remote code execution by the attacker. Jacob Baines, Tenable’s Senior Research Engineer, developed the proof-of-concept demonstrating this flaw.

About the Peekaboo zero-day vulnerability, the researchers explain,

“The NVRMini2 uses an open-source web server that supports some executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated.

During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.”

As explained in Tenable’s blog post, this critical vulnerability can allegedly give complete access to the surveillance system. This includes access to the CMS and to the CCTV cameras’ credentials.
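The missing size check that Tenable describes, shown as an added C example (not NUUO's code and not taken from Tenable's report): the session ID from the cookie is checked for length and character set before a bounded snprintf builds the path. The cookie name `session_id`, the 32-character limit and the `/tmp/sessions/` directory are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed values; the page gives no real names or sizes from cgi_system. */
#define COOKIE_KEY     "session_id="
#define SESSION_DIR    "/tmp/sessions/"
#define SESSION_ID_MAX 32

/* Unsafe pattern of the kind described (shown as a comment, not compiled):
 *   char path[64];
 *   sprintf(path, SESSION_DIR "%s", id);   // id length is chosen by the client
 */

/* Return a pointer to the value of cookie `key`, or NULL if it is absent.
 * The key must start the header or follow ' ' or ';'. */
static const char *find_cookie(const char *hdr, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = hdr; (p = strstr(p, key)) != NULL; p += klen)
        if (p == hdr || p[-1] == ' ' || p[-1] == ';')
            return p + klen;
    return NULL;
}

/* Build the session file path in `out`. Returns 0 on success, -1 if the ID
 * is missing, too long, not alphanumeric, or the result does not fit. */
int build_session_path(const char *cookie, char *out, size_t out_len)
{
    if (cookie == NULL || out == NULL || out_len == 0)
        return -1;
    const char *id = find_cookie(cookie, COOKIE_KEY);
    if (id == NULL)
        return -1;
    size_t n = strcspn(id, "; ");          /* ID ends at ';', ' ' or NUL */
    if (n == 0 || n > SESSION_ID_MAX)
        return -1;                         /* reject rather than truncate */
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i]))
            return -1;                     /* no '/' or '.' in the path */
    int w = snprintf(out, out_len, "%s%.*s", SESSION_DIR, (int)n, id);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

int main(void)
{
    char path[64];
    int rc = build_session_path("lang=en; session_id=abc123", path, sizeof path);
    printf("%d %s\n", rc, rc == 0 ? path : "(rejected)");
    return 0;
}
```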

Patch Awaited From NUUO

As reported, Tenable informed NUUO of the vulnerabilities on June 5, 2018, setting up a coordinated disclosure on September 17, 2018. Following the reports, NUUO has patched the vulnerability in version 3.9.0.1, which will be available soon.

Until then, Tenable recommends that users restrict network access to limited and authorized personnel only. They have also shared dedicated plugins to identify the vulnerability within NUUO products.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
