According to a research advisory from Tenable Security, there are a set of exploitable vulnerabilities in NUUO CCTV cameras that include a zero-day. NUUO is a leading supplier of CCTV technology for a wide range of industries, and as such, it is estimated that up to 800,000 devices are at risk for attack as a result of the zero-day. Tenable has named the critical vulnerability “Peekaboo” due to the fact that, via remote code execution, attackers can hijack NUUO CCTV feeds and tamper with the recordings.
There are two vulnerabilities at play that allow for this level of attack, and both of them are in NUUO’s Network Video Recorder software. (CVE-2018-1149) is an unauthenticated stack buffer overflow which allows for the remote code execution. According to the analysis provided by Tenable, the buffer overflow is caused by the following:
One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated. During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.
The second vulnerability that allows for the attack is (CVE-2018-1150), which is a backdoor. As Tenable explains, the backdoor is leftover code:
If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.
NUUO is reportedly working on a patch that will be released as soon as possible. As long as a patch is not available, Tenable recommends staying in contact with NUUO and also restricting network access as much as possible.
Featured image: Flickr / opengridscheduler