Severe zero-day exploit found in NUUO CCTV cameras

According to a research advisory from Tenable Security, NUUO CCTV cameras contain a set of exploitable vulnerabilities, including a zero-day. NUUO is a leading supplier of CCTV technology for a wide range of industries, and it is estimated that up to 800,000 devices are at risk of attack as a result of the zero-day. Tenable has named the critical vulnerability “Peekaboo” because, via remote code execution, attackers can hijack NUUO CCTV feeds and tamper with the recordings.

Two vulnerabilities make this level of attack possible, and both are in NUUO’s Network Video Recorder software. The first, CVE-2018-1149, is an unauthenticated stack buffer overflow that allows remote code execution. According to Tenable’s analysis, the buffer overflow is caused by the following:

One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated. During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.
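The unchecked-length pattern described in the advisory excerpt above, shown next to a bounded version, as an added C example. It is not NUUO's or Tenable's code; the buffer size, session-ID limit, path format and function names are assumptions chosen for illustration.

```c
/* Added illustration; not NUUO's code. Sizes, path format and
 * function names are assumptions chosen for the example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SESSION_PATH_MAX 64   /* assumed size of the stack buffer */
#define SESSION_ID_MAX   32   /* assumed longest legitimate session ID */

/* Unchecked pattern: sprintf copies as many bytes as the cookie value
 * contains, so a long session ID runs past the end of `path`. */
int build_session_path_unchecked(const char *session_id) {
    char path[SESSION_PATH_MAX];
    sprintf(path, "/tmp/sess_%s", session_id);   /* no length check */
    return (int)strlen(path);
}

/* Hardened form: reject over-long or non-alphanumeric IDs before any
 * copy, then format with snprintf and treat truncation as an error.
 * Returns 0 on success, -1 when the input is rejected. */
int build_session_path(const char *session_id, char *out, size_t out_len) {
    size_t n;
    int written;
    if (session_id == NULL || out == NULL || out_len == 0) return -1;
    for (n = 0; session_id[n] != '\0'; n++) {
        if (n >= SESSION_ID_MAX) return -1;                     /* too long */
        if (!isalnum((unsigned char)session_id[n])) return -1;  /* bad char */
    }
    if (n == 0) return -1;                                      /* empty */
    written = snprintf(out, out_len, "/tmp/sess_%s", session_id);
    if (written < 0 || (size_t)written >= out_len) return -1;   /* truncated */
    return 0;
}

int main(void) {
    char path[SESSION_PATH_MAX];
    char oversized[512];   /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid:     %d\n", build_session_path("abc123", path, sizeof path));
    printf("oversized: %d\n", build_session_path(oversized, path, sizeof path));
    printf("non-alnum: %d\n", build_session_path("../etc", path, sizeof path));
    return 0;
}
```

Only the hardened function is exercised in `main`; the unchecked one is kept for comparison and never called.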

The second vulnerability, CVE-2018-1150, is a backdoor. As Tenable explains, the backdoor is leftover code:

If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.

NUUO is reportedly working on a patch that will be released as soon as possible. Until a patch is available, Tenable recommends staying in contact with NUUO and restricting network access as much as possible.

Featured image: Flickr / opengridscheduler

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
