Exploit code for vulnerabilities allegedly dating back to 2016 has also been released
A critical “zero-day” vulnerability in a network video recording device made by NUUO has been made public as researchers claim the unpatched issue could lead to remote code execution (RCE).
discoverer Pedro Ribeiro, founder of Agile Information Security, these issues are said to have been present in NUUO NVRmini2 devices since 2016.
The NVRmini2 is a network video recorder (NVR) from Taiwanese supplier NUU capable of recording and storing security footage in digital format.
Read more of the latest zero-day vulnerability news
Ribeiro the claims he disclosed Command injection and stack overflow vulnerabilities in NVRmini2 six years ago. At the time, Ribeiro said the product had a “terrible safety profile” — if his claims were true, then nothing was better.
“Both of the vulnerabilities disclosed were discovered in my 2016 audit,” Ribeiro told daily swig“However, I found so many other bugs at the time that I actually forgot to report them – until 2019 when I rediscovered my notes and reported them to them.”
unpatched issues
as Documented on GitHub, apparently with two unpatched vulnerabilities. The first, which has not yet been assigned a CVE but is considered critical, is an authentication method missing from a critical feature in the NVRmini2 firmware.
Ribeiro claims that the functionality of every firmware version up to and including the latest version lacks sufficient protection to prevent unauthenticated users from accessing the script.
The second alleged vulnerability was the use of an older version of BusyBox, a Unix utility package.This release is affected by a series of bugs, including CVE-2011-5325, a path traversal vulnerability that allows a remote attacker to point to files outside the current working directory.
By abusing the HTTP POST mechanism and crafting a malicious tar archive, Ribeiro said it was possible to chain an exploit to drop the webshell and execute commands as root.
you might also like Introduced Bug Alert, an early warning system for supercritical zero-day vulnerabilities
In addition to the disclosure, the researchers also released a Metasploit module that wraps the exploit chain described in the announcement.
The proof-of-concept (PoC) code is said to work on most firmware versions, with the exception of versions prior to version 2.0.0 – although alternative technologies can be used on older software versions.
At the time of writing, the vulnerabilities on the latest firmware version v.03.11.0000.0016 remain unpatched, despite the researcher’s claims that he has attempted to disclose the vulnerabilities several times. There is no official fix available.
reduce risk
The researchers recommend that NVRmini2 device owners keep their products away from untrusted networks to reduce the risk of exploitation.
Other than that, using Ribeiro’s own exploit and removing the feature might fix the problem, but that’s not guaranteed.
“In the disclosure process, even after many attempts, they didn’t seem to really understand the vulnerability,” Ribeiro commented.
“We explained it to them several times and they seemed to be completely clueless. They were very nice and pleasant in their manners and the way they treated us, but technically clueless.”
daily swig NUUO has been contacted for comment but has not received a response by the time of publication. We will update this article when we hear back.
admired GitLab shifts left to patch high-impact vulnerabilities
