Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder

Tenable Research has discovered a critical vulnerability named Peekaboo permitting remote code execution in IoT network video recorders for video surveillance systems that would allow attackers to remotely view feeds and tamper with recordings. On September 19, NUUO released version 3.9.1 to address the Peekaboo vulnerability. Affected users are urged to update their NVRMini2 devices as soon as possible. The update can be downloaded from their website here.

Tenable Research discovered two vulnerabilities in NUUO’s Network Video Recorder software. The first is a critical unauthenticated stack buffer overflow and the second is a backdoor in leftover debug code. These vulnerabilities were assessed and tested in the NVRMini2, a network-attached storage device and network video recorder.

What you need to know? Tenable Research has found a critical remote code execution vulnerability called Peekaboo in NUUO’s NVRMini2 software that an attacker can exploit to fully compromise the system.

What’s the attack vector? The web service is vulnerable to a stack buffer overflow that can be exploited remotely by an unauthenticated attacker.

What’s the business impact? An attacker can gain full system access, giving them control over and access to attached camera feeds and recordings. In addition, access credentials for connected cameras can be read in cleartext.

What’s the solution? Urgently apply the update from NUUO.

Background

NUUO offers closed-circuit television (CCTV), surveillance and video software and hardware. NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Multiple camera feeds can be viewed and recorded simultaneously.

More interestingly, NUUO OEMs and whitelabels its software to third-party vendors. The full list of affected third-party vendors is currently unknown.

CVE-2018-1149: Peekaboo Unauthenticated Stack Buffer Overflow

Analysis

We found an unauthenticated stack buffer overflow (CWE-121) permitting remote code execution. This vulnerability has a CVSSv2 Base score of 10.0 and a Temporal Score of 8.6; it’s rated as Critical severity.

The NVRMini2 uses an open-source web server that supports some executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries that can be executed on the NVRMini2 is 'cgi_system' and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated.

During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.

Proof of concept

Jacob Baines, senior research engineer at Tenable, developed an exploit to demonstrate how this vulnerability might be leveraged to take over the NVRMini2 and manipulate connected cameras.

CVE-2018-1150: The Mystery of the Backdoor

We also found a backdoor in some leftover debug code.

<pre>
if (file_exists(constant("MOSES_FILE"))) //back door
{
update_session();
return 0;
} </pre>

If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system, and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely. This vulnerability has a CVSSv2 Base Score of 4.0 and a Temporal Score of 3.2, and is rated Medium severity.

This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added. To be able to activate and utilize the backdoor, an attacker would need to be able to create the file “/tmp/moses,” so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery.

Business impact

NUUO is a global leader in the video surveillance industry and these devices are widely deployed with more than 100,000 installations worldwide. Their software is also OEM’d and integrated in third-party surveillance system deployments by a wide variety of technology and system integration partners. With any NVRMini2 instance able to manage up to 16 connected CCTV cameras, the count of indirectly exposed devices is potentially in the hundreds of thousands.

The remote code execution vulnerability especially is of particular concern. Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

<code>
root@NVR:/NUUO/bin# cat /mtd/block4/NUUO/etc/camera.ini
[Camera01]
CameraAuto=0
ShowModelName=M3044-V
MacAddress=
OutputPinCount=0
InputPinCount=0
ManufacturerName=Axis
BrandName=Axis
Protocol=3
Channel=1
ModelName=M3044-V
Manufacturer=
Brand=
Password=password1
UserName=root
Port=80
HostIP=192.168.1.183
CameraName=AXIS
</code>

Exposed CCTV Camera Credentials

Threat actors are currently actively targeting other CCTV NVRs and cameras, such as the Mirai and GafGyt malware families, which are commonly being used to compromise IoT devices. In addition, NUUO NVR devices were also specifically targeted by the Reaper IoT botnet, as we reported last year.

Solution

UPDATE: On September 19, NUUO released version 3.9.1 to address the Peekaboo vulnerability. Affected users are urged to update their NVRMini2 devices as soon as possible. The update can be downloaded from their website here. We also advise affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

Identifying affected systems

Tenable has the following plugins available for identifying vulnerable assets.

Plugin ID Description
103929 NUUO NVR Web Interface Detection
117427 NUUO NVRMini2 Multiple Vulnerabilities


Additional information

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training