A couple of months ago, a zero-day vulnerability, named Peekaboo, threatened NUUO surveillance cameras. The vulnerability could allow an attacker to take control of the cameras and execute arbitrary code. While the vendors patched the flaw that time, they suffered another zero-day vulnerability once again. This time, the bug hit the then patched firmware version of NUUO NVRmini2 cameras.
Zero-Day Vulnerability Allows Taking Control Of NUUO Cameras
Researchers at Digital Defense, Inc. have discovered a zero-day vulnerability in NUUO surveillance cameras. The vulnerability allegedly affected the NVRmini2 cameras and could allow an attacker to execute arbitrary commands.
Reportedly, the DD’s Vulnerability Research Team (VRT) found a remote stack overflow vulnerability in NUUO NVRmini2 Network Video Recorder. Describing the flaw in their security advisory, they stated,
“Sending a crafted GET request to the affected service with a URI length of 351 or greater will trigger the stack overflow. Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution.”
As disclosed by the researchers, exploiting this vulnerability could allow an attacker for arbitrary code execution with root privileges. It means a potential attacker could gain complete control of the camera and can perform any actions, including tampering the videos.
The zero-day flaw allegedly affected NUUO NVRmini2 firmware 3.9.1 and earlier versions.
An Insufficiently Patched Critical Vulnerability Also Discovered
In addition to the above, researchers at Tenable also found an insufficiently patched vulnerability still in the wild. The vulnerability CVE-2018-14933, originally discovered in July 2018, could allow remote code execution attacks. According to its description,
“upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.”
The complete POC for the vulnerability is available here.
As reported, NUUO tried to patch the flaw by enforcing authentication on upgrade_handle.php, and also attempted to filter uploaddir variables. Nonetheless, Tenable discovered a way to bypass the fix.
“If a remote authenticated attacker set uploaddir to “|| whoami” then it would bypass the filter and the “whoami” command would be executed…”
Thus, a potential attacker could still find a way to “send crafted requests to upgrade_handle.php to execute OS commands as root”. The bypass flaw has received a CVE number CVE-2018-15716 whilst achieving a critical severity rating with a CVSS score of 9.0.
Tenable found that the vulnerability potentially affected all NUUO NVRMini2 versions including and prior to 3.9.1.
Patched Firmware of NVRMini2 NUUO Surveillance Cameras Released
The vendors previously released the version NVRMini2 3.9.1 after another remote code execution flaw targeted earlier versions. Now, the newly discovered zero-day vulnerability affected the recent firmware version as well. Regarding the cause of the occurrence of this flaw, the researchers stated,
“Improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables.”
As confirmed by Digital Defense in their report, NUUO has patched the vulnerability promptly in its latest firmware version 3.10.0. Moreover, Tenable also confirmed that the vendors have patched the critical vulnerability discovered by their researchers in the firmware v.3.10.0. The users can, hence, protect their surveillance systems from this vulnerability by downloading the latest firmware from the vendor’s website.