NUUO Backdoor (strong_user.php) Remote Shell Access

Title: NUUO Backdoor (strong_user.php) Remote Shell Access
Advisory ID: ZSL-2016-5354
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 06.08.2016
Summary
NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always.
Description
NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script that when called, a backdoor user is created with poweruser privileges that is able to read and write files on the affected device. The backdoor user 'bbb' when created with the password '111111' by visiting 'strong_user.php' script is able to initiate a secure shell session and further steal and/or destroy sensitive information.
Vendor
NUUO Inc. - http://www.nuuo.com
Affected Version
<=3.0.8 (NE-4160, NT-4040)
Tested On
GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vendor Status
[14.01.2016] Vulnerability discovered.
[01.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking explanation.
[03.02.2016] Explained to vendor about the issues and risk.
[04.02.2016] Vendor ignores with confusion.
[10.02.2016] Sent another e-mail probe to several accounts for respond.
[16.02.2016] No response from the vendor.
[16.04.2016] Final try to get communication from the vendor and report issues.
[05.08.2016] No response from the vendor.
[06.08.2016] Public security advisory released.
PoC
nuuo_backdoor.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40215/
[2] https://packetstormsecurity.com/files/138226
[3] https://cxsecurity.com/issue/WLB-2016080068
Changelog
[06.08.2016] - Initial release
[09.08.2016] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk