NUUO Remote Root Exploit

Title: NUUO Remote Root Exploit
Advisory ID: ZSL-2016-5348
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 06.08.2016
Summary
NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes fully equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.
Description
NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from an unauthenticated command injection vulnerability. Due to an undocumented and hidden debugging script, an attacker can inject and execute arbitrary code as the root user via the 'log' GET parameter in the '__debugging_center_utils___.php' script.

--------------------------------------------------------------------------------

/__debugging_center_utils___.php:
------------------------

<?php
define("LOG_FILE_FOLDER", "/mtd/block4/log");

function print_file($file_fullpath_name)
{
    $cmd = "cat " . $file_fullpath_name;
    echo $file_fullpath_name . "\n\n";
    system($cmd);
}

// Make sure program execution doesn't time out
// Set maximum script execution time in seconds (0 means no limit)
//set_time_limit(0);
?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Debugging Center</title>
</head>
<body>

<pre>
<?php
if (isset($_GET['log']) && !empty($_GET['log']))
{
    $file_fullpath_name = constant('LOG_FILE_FOLDER') . '/' . basename($_GET['log']);
    print_file($file_fullpath_name);
}
else
{
    die("unknown command.");
}
?>

--------------------------------------------------------------------------------
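A hardened counterpart to the print_file() path in the listing above, as an added example (not vendor code and not part of the original advisory): the requested name is checked against an allowlist and the file is read through PHP's file API, so no shell is involved. The function name read_log_safely, the character allowlist and the 64-character limit are assumptions; the script would also have to sit behind the device's authentication, which is not shown here.

```php
<?php
// Added example, not vendor code: log viewer without a shell call.
define("LOG_FILE_FOLDER", "/mtd/block4/log");

/**
 * Return the contents of a log file, or null if the request is rejected.
 * read_log_safely() is a hypothetical name chosen for this example.
 */
function read_log_safely($requested_name, $log_dir = LOG_FILE_FOLDER)
{
    // Allowlist plain file names only (assumed naming scheme). basename()
    // in the original strips directory parts but leaves every shell
    // metacharacter in place, which is why it does not protect system().
    if (!is_string($requested_name)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $requested_name)) {
        return null;
    }

    // Resolve symlinks and require the result to stay inside the log folder.
    $base = realpath($log_dir);
    $path = realpath($log_dir . '/' . $requested_name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }

    // Read through the file API; the name never reaches a command line.
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

if (PHP_SAPI !== 'cli') {
    // Plain text response, so log contents are never interpreted as HTML.
    header('Content-Type: text/plain; charset=UTF-8');
    $data = isset($_GET['log']) ? read_log_safely($_GET['log']) : null;
    if ($data === null) {
        http_response_code(400);
        exit("unknown command.");
    }
    echo $data;
}
```

On an appliance that does not need the debugging page, removing the script or denying the path in the web server configuration is the simpler mitigation.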

Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8
Tested On
GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vendor Status
[14.01.2016] Vulnerability discovered.
[01.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking for an explanation.
[03.02.2016] Explained to vendor about the issues and risk.
[04.02.2016] Vendor ignores with confusion.
[10.02.2016] Sent another e-mail probe to several accounts requesting a response.
[16.02.2016] No response from the vendor.
[16.04.2016] Final try to get communication from the vendor and report issues.
[05.08.2016] No response from the vendor.
[06.08.2016] Public security advisory released.
PoC
nuuo_root.py
nuuo-backdoor.nse
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40209/
[2] https://packetstormsecurity.com/files/138220/NUUO-3.0.8-Remote-Root.html
[3] http://www.vfocus.net/art/20160809/12861.html
Changelog
[06.08.2016] - Initial release
[09.08.2016] - Added reference [1] and [2]
[10.08.2016] - Added reference [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk