Severe zero-day exploit found in NUUO CCTV cameras

According to a research advisory from Tenable Security, a set of exploitable vulnerabilities, including a zero-day, affects NUUO CCTV cameras. NUUO is a leading supplier of CCTV technology for a wide range of industries, and it is estimated that up to 800,000 devices are at risk of attack as a result of the zero-day. Tenable has named the critical vulnerability “Peekaboo” because, via remote code execution, attackers can hijack NUUO CCTV feeds and tamper with the recordings.

Two vulnerabilities make this level of attack possible, and both are in NUUO’s Network Video Recorder software. The first, CVE-2018-1149, is an unauthenticated stack buffer overflow that allows remote code execution. According to Tenable’s analysis, the buffer overflow is caused by the following:

One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated. During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.
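The bug class described above, as an added example that is not NUUO's or Tenable's code: an unchecked sprintf of a cookie-supplied session ID into a fixed stack buffer, next to a version that validates the ID and bounds the write. The function names, buffer sizes, session ID format and path prefix are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 32   /* assumed longest valid session ID */
#define PATH_BUF_SIZE  64   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern, for contrast only: cookie-supplied text is formatted
 * with no size check, so an oversized session ID writes past `out`. */
void build_session_path_unsafe(char *out, const char *session_id)
{
    sprintf(out, "/tmp/session_%s", session_id);
}

/* Hardened form. Returns 0 on success, -1 if the session ID is rejected. */
int build_session_path(char *out, size_t out_size, const char *session_id)
{
    size_t len = 0;
    int n;
    if (out == NULL || out_size == 0 || session_id == NULL)
        return -1;
    out[0] = '\0';
    /* Check length and character set before any copy takes place. */
    while (session_id[len] != '\0') {
        if (len >= SESSION_ID_MAX || !isalnum((unsigned char)session_id[len]))
            return -1;
        len++;
    }
    if (len == 0)
        return -1;
    /* Bounded formatting; a truncated result is treated as a failure. */
    n = snprintf(out, out_size, "/tmp/session_%s", session_id);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF_SIZE];
    char oversized[512];                        /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid:     %d\n", build_session_path(path, sizeof path, "a1b2c3d4"));
    printf("oversized: %d\n", build_session_path(path, sizeof path, oversized));
    return 0;
}
```

The hardened function rejects the request outright instead of truncating, so a malformed cookie never reaches the code that uses the path.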

The second vulnerability, CVE-2018-1150, is a backdoor. As Tenable explains, the backdoor is leftover code:

If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.

NUUO is reportedly working on a patch that will be released as soon as possible. Until a patch is available, Tenable recommends staying in contact with NUUO and restricting network access as much as possible.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
