NUUO Arbitrary File Deletion Vulnerability

Title: NUUO Arbitrary File Deletion Vulnerability
Advisory ID: ZSL-2016-5353
Type: Local/Remote
Impact: Manipulation of Data, DoS
Risk: (4/5)
Release Date: 06.08.2016
Summary
NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.
Description
Input passed to the 'filename' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST/GET parameter.

--------------------------------------------------------------------------------

/deletefile.php:
------------------------

1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5: echo "fail";
6: else echo "true";
7: ?>

--------------------------------------------------------------------------------

Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8
Tested On
GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vendor Status
[14.01.2016] Vulnerability discovered.
[01.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking explanation.
[03.02.2016] Explained to vendor about the issues and risk.
[04.02.2016] Vendor ignores with confusion.
[10.02.2016] Sent another e-mail probe to several accounts for respond.
[16.02.2016] No response from the vendor.
[16.04.2016] Final try to get communication from the vendor and report issues.
[05.08.2016] No response from the vendor.
[06.08.2016] Public security advisory released.
PoC
nuuo_del.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016080070
[2] https://packetstormsecurity.com/files/138225
[3] https://www.exploit-db.com/exploits/40214/
Changelog
[06.08.2016] - Initial release
[09.08.2016] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk