Researchers have uncovered two flaws that leave more than 100,000 NUUO-powered internet-connected surveillance cameras open to remote takeover.
Tenable Research on Monday laid claim to discovering two bugs in NUUO's Network Video Recorder firmware that can be exploited to covertly access a camera's video feed or simply take over the device with malware.
The bugs, named "Peekaboo" for marketing purposes, were both spotted in the NVRMini2, a network-attached device that both stores video recordings and acts as a control gateway for admins and remote viewers. The gizmo uses NUUO's firmware, which harbors the exploitable flaws.
The first of the two flaws (CVE-2018-1149) is a remote code execution vulnerability that can be exploited by overflowing a buffer. An attacker exploits the bug by connecting to a network- or internet-facing device, and submitting a malformed cookie to its web-based control panel that triggers the flaw in the cgi_system binary.
Once the bug has been exploited, the attacker would be able to inject and execute commands with root privileges. From there, the attacker would be able to do anything from seize control of the camera and access all of its video footage to loading up the device with botnet clients to use for other attacks.
The second flaw, meanwhile, would allow an attacker to covertly access a network- or internet-connected camera's controls without needing to trigger a buffer overflow or other programming cockup. Rather, CVE-2018-1150 is a leftover bit of debug code that allows the attacker to pull up all user accounts and change passwords. The attacker would also be able to control the camera and view recordings.
Sigh... 'Hundreds of thousands' of... sigh, web CCTV cams still at risk of... sigh, hijackingREAD MORE
The source of that debug code, and the reason it was not taken out of the firmware before going to production, is unknown.
"This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added," Team Tenable said.
"To be able to activate and utilize the backdoor, an attacker would need to be able to create the file /tmp/moses, so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery."
Because that particular flaw requires a user to already have the ability to create files on the camera, it is not considered a severe risk on its own. Unfortunately, the aforementioned CVE-2018-1149 bug would allow the attacker to do just that – create the required file.
Tenable said it informed the Taiwan-based NUUO of the bug but, at the time of publication, there was no word on a fix. In the meantime, Tenable is recommending that admins take steps to cut off NUUO-powered cameras' access to the internet and other public networks, and make sure only authorized users have a line to the devices. ®