Severe zero-day exploit found in NUUO CCTV cameras

According to a research advisory from Tenable Security, there is a set of exploitable vulnerabilities in NUUO CCTV cameras that includes a zero-day. NUUO is a leading supplier of CCTV technology for a wide range of industries, and it is estimated that up to 800,000 devices are at risk of attack as a result of the zero-day. Tenable has named the critical vulnerability “Peekaboo” because, via remote code execution, attackers can hijack NUUO CCTV feeds and tamper with the recordings.

Two vulnerabilities allow for this level of attack, and both are in NUUO’s Network Video Recorder software. The first, CVE-2018-1149, is an unauthenticated stack buffer overflow that allows remote code execution. According to the analysis provided by Tenable, the buffer overflow is caused by the following:

One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated. During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.
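The class of bug Tenable describes, a request-supplied session ID formatted into a fixed stack buffer with sprintf, is avoided by validating the value's length and characters before use and by making the write bounded. The following C sketch is an added example, not NUUO's or Tenable's code; the cookie name, the 32-character limit, the path format and both function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 32 /* assumed limit; the firmware's real limit is not on the page */

/* Unsafe pattern of the kind the advisory describes (comment only, hypothetical):
 *     char path[64];
 *     sprintf(path, "/tmp/sess_%s", session_id);   // session_id length never checked
 */

/* Copies the value of cookie `name` from a Cookie header into `out`.
 * Returns 0 on success, -1 if the cookie is absent, empty, longer than
 * SESSION_ID_MAX, does not fit in `out`, or contains non-alphanumeric bytes. */
int get_session_id(const char *cookie_hdr, const char *name, char *out, size_t out_sz)
{
    size_t nlen = strlen(name);
    const char *p = cookie_hdr;

    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;                                  /* skip pair separators */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");        /* value ends at ';' or end of header */
            if (vlen == 0 || vlen > SESSION_ID_MAX || vlen >= out_sz)
                return -1;                        /* reject instead of truncating */
            for (size_t i = 0; i < vlen; i++)
                if (!isalnum((unsigned char)v[i]))
                    return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = strchr(p, ';');                       /* move to the next cookie pair */
    }
    return -1;
}

/* Bounded replacement for the sprintf call: returns -1 on error or truncation. */
int build_session_path(const char *session_id, char *path, size_t path_sz)
{
    int n = snprintf(path, path_sz, "/tmp/sess_%s", session_id);
    return (n < 0 || (size_t)n >= path_sz) ? -1 : 0;
}
```

Rejecting an oversized value outright, rather than silently truncating it, also gives the device a clear event to log when a malformed cookie arrives.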

The second vulnerability that allows for the attack, CVE-2018-1150, is a backdoor. As Tenable explains, the backdoor is leftover code:

If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.

NUUO is reportedly working on a patch that will be released as soon as possible. Until a patch is available, Tenable recommends staying in contact with NUUO and restricting network access as much as possible.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.