NUUO Multiple OS Command Injection Vulnerabilities

Title: NUUO Multiple OS Command Injection Vulnerabilities
Advisory ID: ZSL-2016-5351
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 06.08.2016
Summary
NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.

NUUO Titan NVR is NUUO's Linux-based open platform recording solution. It is built on Linux Foundation, with cross-platform Windows and MAC client software. It supports up to 64 channels of megapixel recording with 250 Mbps throughput. It also comes with a myriads of features that will sure to fulfill even the most demanding projects. Supports over 2300 camera models from over 100 vendors.
Description
NUUO NVRmini, NVRmini2, Crystal, NVRSolo and NVRTitan suffers from multiple authenticated OS command injection vulnerabilities. This can be exploited to inject and execute arbitrary shell commands as the root user.
Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8 (NE-4160, NT-4040, NT-4040(R))
DP: <=04.07.0000.0030, <=04.03.0000.0035
FW: <=02.02.00, <=1.7.0
Tested On
GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
lighttpd/1.4.35
PHP/5.5.3
PHP/5.6.0
Vendor Status
[14.01.2016] Vulnerability discovered.
[01.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking explanation.
[03.02.2016] Explained to vendor about the issues and risk.
[04.02.2016] Vendor ignores with confusion.
[10.02.2016] Sent another e-mail probe to several accounts for respond.
[16.02.2016] No response from the vendor.
[16.04.2016] Final try to get communication from the vendor and report issues.
[05.08.2016] No response from the vendor.
[06.08.2016] Public security advisory released.
PoC
nuuo_cmdinj.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/138223
[2] https://cxsecurity.com/issue/WLB-2016080066
[3] https://www.exploit-db.com/exploits/40212/
Changelog
[06.08.2016] - Initial release
[09.08.2016] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk