← Advisories

NUUO Local File Disclosure Vulnerability

Medium
Advisory ID
ZSL-2016-5350
Release Date
06 August 2016
Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8 (NE-4160, NT-4040)
CVE
N/A
Tested On
GNU/Linux 3.0.8 (armv7l), GNU/Linux 2.6.31.8 (armv5tel), lighttpd/1.4.28, PHP/5.5.3
Summary

NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.

Description

NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script is not properly verified before being used to include files. This can be exploited to disclose contents of files from local resources.

Proof of Concept
nuuo_lfd.txtTXT
Disclosure Timeline
14.01.2016Vulnerability discovered.
01.02.2016Vendor contacted.
02.02.2016Vendor responds asking explanation.
03.02.2016Explained to vendor about the issues and risk.
04.02.2016Vendor ignores with confusion.
10.02.2016Sent another e-mail probe to several accounts for respond.
16.02.2016No response from the vendor.
16.04.2016Final try to get communication from the vendor and report issues.
05.08.2016No response from the vendor.
06.08.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40211/
[2]https://cxsecurity.com/issue/WLB-2016080065
[3]https://packetstormsecurity.com/files/138222
Changelog
06.08.2016Initial release
09.08.2016Added reference [1], [2] and [3]