
NUUO Remote Root Exploit

Critical
Advisory ID
ZSL-2016-5348
Release Date
06 August 2016
Vendor
Affected Version
<=3.0.8
CVE
N/A
Tested On
GNU/Linux 3.0.8 (armv7l), GNU/Linux 2.6.31.8 (armv5tel), lighttpd/1.4.28, PHP/5.5.3
Summary

NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes fully equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.

Description

NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from an unauthenticated command injection vulnerability. Due to an undocumented and hidden debugging script, an attacker can inject and execute arbitrary code as the root user via the 'log' GET parameter in the '__debugging_center_utils___.php' script.

/__debugging_center_utils___.php:
------------------------

<?php
define("LOG_FILE_FOLDER", "/mtd/block4/log");

function print_file($file_fullpath_name)
{
    $cmd = "cat " . $file_fullpath_name;
    echo $file_fullpath_name . "\n\n";
    system($cmd);
}

// Make sure program execution doesn't time out
// Set maximum script execution time in seconds (0 means no limit)
//set_time_limit(0);
?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Debugging Center</title>
</head>
<body>

<pre>
<?php
    if (isset($_GET['log']) && !empty($_GET['log']))
    {
        $file_fullpath_name = constant('LOG_FILE_FOLDER') . '/' . basename($_GET['log']);
        print_file($file_fullpath_name);
    }
    else
    {
        die("unknown command.");
    }
?>

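
The injection in the script above comes from concatenating the 'log' value into a shell string: basename() strips directory components but leaves shell metacharacters intact. The following hardened variant is an added example, not vendor code and not part of the original advisory; it reads the file in-process instead of calling system(). The file-name pattern and the 400 response are assumptions, and because the script is also reachable without authentication, it still needs to be removed or placed behind the device's login.

```php
<?php
// Added example (not vendor code): hardened log viewer without a shell call.
define("LOG_FILE_FOLDER", "/mtd/block4/log");

// Map a user-supplied log name to a real file inside $base, or return null.
function resolve_log_path($name, $base)
{
    // Allowlist plain file names only; also rejects arrays (log[]=...).
    // The pattern is an assumption: tighten it to the real log naming.
    if (!is_string($name)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        return null;
    }
    $base_real = realpath($base);
    $path_real = realpath($base . '/' . $name);
    if ($base_real === false || $path_real === false) {
        return null; // folder or file does not exist
    }
    // Containment check after symlinks have been resolved.
    if (strpos($path_real, $base_real . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path_real)) {
        return null;
    }
    return $path_real;
}

// Print the file by reading it in-process; no command line is built.
function print_file($path)
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    echo htmlspecialchars($path, $flags, 'UTF-8') . "\n\n";
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return;
    }
    // Line-wise read keeps memory bounded; output is HTML-escaped.
    while (($line = fgets($fh)) !== false) {
        echo htmlspecialchars($line, $flags, 'UTF-8');
    }
    fclose($fh);
}

$path = isset($_GET['log'])
    ? resolve_log_path($_GET['log'], LOG_FILE_FOLDER) : null;
if ($path === null) {
    http_response_code(400);
    die("unknown command.");
}
print_file($path);
```
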
Proof of Concept
Disclosure Timeline
14.01.2016 - Vulnerability discovered.
01.02.2016 - Vendor contacted.
02.02.2016 - Vendor responds asking for an explanation.
03.02.2016 - Explained to vendor about the issues and risk.
04.02.2016 - Vendor ignores with confusion.
10.02.2016 - Sent another e-mail probe to several accounts for a response.
16.02.2016 - No response from the vendor.
16.04.2016 - Final try to get communication from the vendor and report issues.
05.08.2016 - No response from the vendor.
06.08.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.08.2016 - Initial release
09.08.2016 - Added reference [1] and [2]
10.08.2016 - Added reference [3]