NUUO Local File Disclosure Vulnerability

Title: NUUO Local File Disclosure Vulnerability
Advisory ID: ZSL-2016-5350
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 06.08.2016
Summary
NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes fully equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.
Description
NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from a file disclosure vulnerability: input passed through the 'css' parameter to the 'css_parser.php' script is not properly verified before being used to include files. This can be exploited to disclose the contents of files from local resources.
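A defensive check for the 'css' parameter described above, as an added example that is not part of the advisory or NUUO's code: it applies an allow-list (a bare ".css" filename, no path components) and runs that check over constructed lighttpd-style access log lines to flag requests to css_parser.php that carry anything else; the allowed filename pattern is an assumption, since the advisory does not state the script's intended input format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allow-list policy for the 'css' parameter: a plain filename such as
# "style.css" with no directory separators, traversal sequences or encodings.
SAFE_CSS_NAME = re.compile(r"^[A-Za-z0-9_-]+\.css$")


def is_safe_css_name(value: str) -> bool:
    """Return True only if value is a bare .css filename with no path parts."""
    # Decode twice so a double-encoded traversal does not slip past the check.
    decoded = unquote(unquote(value))
    return SAFE_CSS_NAME.fullmatch(decoded) is not None


# Matches the request line inside a common/lighttpd-style access log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_css_parser_requests(log_lines):
    """Return (line_no, css_value) for every css_parser.php request whose
    'css' parameter fails the allow-list check."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/css_parser.php"):
            continue
        # parse_qs already URL-decodes once; is_safe_css_name decodes again.
        for value in parse_qs(url.query, keep_blank_values=True).get("css", []):
            if not is_safe_css_name(value):
                findings.append((n, value))
    return findings


# Constructed sample log lines (not taken from the advisory or any real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2016:10:00:00 +0000] "GET /css_parser.php?css=style.css HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Aug/2016:10:00:01 +0000] "GET /css_parser.php?css=../../etc/passwd HTTP/1.1" 200 1024',
    '192.0.2.11 - - [06/Aug/2016:10:00:02 +0000] "GET /css_parser.php?css=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 300',
    '192.0.2.12 - - [06/Aug/2016:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, value in flag_css_parser_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious css parameter {value!r}")
```

The same is_safe_css_name() rule is what a server-side fix would enforce before any include; on the device itself it would have to be ported to the PHP script.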
Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8 (NE-4160, NT-4040)
Tested On
GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vendor Status
[14.01.2016] Vulnerability discovered.
[01.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking for an explanation.
[03.02.2016] Explained to vendor about the issues and risk.
[04.02.2016] Vendor ignores with confusion.
[10.02.2016] Sent another e-mail probe to several accounts for a response.
[16.02.2016] No response from the vendor.
[16.04.2016] Final try to get communication from the vendor and report issues.
[05.08.2016] No response from the vendor.
[06.08.2016] Public security advisory released.
PoC
nuuo_lfd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40211/
[2] https://cxsecurity.com/issue/WLB-2016080065
[3] https://packetstormsecurity.com/files/138222
Changelog
[06.08.2016] - Initial release
[09.08.2016] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk