NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras.

The web management interfaces of these products are reported to contain multiple vulnerabilities. Note that additional products not identified here may be vulnerable if they use the same web interface; firmware versions earlier than those specified below may also be vulnerable.
CWE-20: Improper Input Validation – CVE-2016-5674The web management interfaces of affected devices contains a hidden page, __debugging_center_utils__.php, that fails to properly validate the log parameter and passes it as input to the PHP system() function.

An unauthenticated attacker may make a specially crafted request to execute arbitrary code as root:http://<IP>/__debugging_center_utils___.php?log=something%3b<payload>CVE-2016-5674 has been confirmed by the researcher to affect the NUUO NVRmini 2 and NVRsolo, versions 1.7.5 to 3.0.0, and the ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.

The CVSS score below describes CVE-2016-5674.CWE-20: Improper Input Validation – CVE-2016-5675The handle_daylightsaving.php page does not sanitise the NTPServer parameter, which is processed by the PHP system() function.

Authenticated attackers may leverage this vulnerability to execute arbitrary code as root:http://<IP>/handle_daylightsaving.php?act=update&NTPServer=something%3b<payload>CVE-2016-5675 has been confirmed by the researcher to affect:
NUUO NVRmini 2, versions 1.7.5 to 3.0.0
NUUO NVRsolo, versions 1.0.0 to 3.0.0
NUUO Crystal, versions 2.2.1 to 3.2.0
ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1
CWE-285: Improper Authorization – CVE-2016-5676The cgi_system binary can be called directly and given commands by anyone capable of accessing the web interface.

To reset the administrator account password, for example, an unauthenticated attacker can make a request to:http://<IP>/cgi-bin/cgi_system?cmd=loaddefconfigCVE-2016-5676 has been confirmed by the researcher to affect NUUO NVRmini 2 and NVRsolo versions 1.7.5 to unknown (versions 2.2.1 and 3.0.0 require authentication), and ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.CWE-200: Information Exposure – CVE-2016-5677Potentially sensitive system information is exposed by the hidden page, __nvr_status___.php.

The page is accessible to all users via page-specific hard-coded credentials, nuuoeng:qwe23622260.CVE-2016-5677 has been confirmed by the researcher to affect:NUUO NVRmini 2, versions 1.7.5 to 3.0.0
NUUO NVRsolo, versions 1.0.0 to 3.0.0
ReadyNAS Surveillance, both x86 and ARM versions 1.1.1 to v1.4.1
CWE-798: Use of Hard-Coded Credentials – CVE-2016-5678According to the researcher, NUUO NVRmini 2 and NVRsolo versions 1.0.0 to 3.0.0 contain hard-coded credentials.

An attacker with knowledge of these credentials may log into affected devices with root privileges.CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – CVE-2016-5679The sn parameter of the transfer_license command in cgi_main does not properly validate user-provided input.

An authenticated attacker may make a specially crafted request to execute arbitrary commands:http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=”;<command>;#According to the researcher, NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance version 1.1.2 are affected. Note that this vulnerability can be exploited by any user locally, but requires an administrator account for remote exploitation.CWE-121: Stack-based Buffer Overflow – CVE-2016-5680The sn parameter of the transfer_license command in cgi_main also contains a stack-based buffer overflow vulnerability.

An authenticated attacker may send a specially crafted request to overflow the buffer and execute arbitrary code:http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=<payload>NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance x86 version 1.1.2 is affected, according to the researcher.

CVE-2016-5680 can be exploited by any user locally, but requires an administrator account for remote exploitation.For more information about these vulnerabilities, refer to Pedro Ribeiro’s disclosure.

Leave a Reply