Vulnerability Note VU#856152

NUUO and Netgear Network Video Recorder (NVR) products web interfaces contain multiple vulnerabilities

Original Release date: 04 Aug 2016 | Last revised: 05 Aug 2016

Overview

NUUO NVRmini 2, NVRsolo, Crystal, and Netgear ReadyNAS Surveillance products have web management interfaces containing multiple vulnerabilities that can be leveraged to gain complete control of affected devices.

Description

NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras. The web management interfaces of these products are reported to contain multiple vulnerabilities. Note that additional products not identified here may be vulnerable if they use the same web interface; firmware versions earlier than those specified below may also be vulnerable.

CWE-20: Improper Input Validation - CVE-2016-5674

The web management interfaces of affected devices contains a hidden page, __debugging_center_utils__.php, that fails to properly validate the log parameter and passes it as input to the PHP system() function. An unauthenticated attacker may make a specially crafted request to execute arbitrary code as root:

http://<IP>/__debugging_center_utils___.php?log=something%3b<payload>

CVE-2016-5674 has been confirmed by the researcher to affect the NUUO NVRmini 2 and NVRsolo, versions 1.7.5 to 3.0.0, and the ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1. The CVSS score below describes CVE-2016-5674.

CWE-20: Improper Input Validation - CVE-2016-5675

The handle_daylightsaving.php page does not sanitise the NTPServer parameter, which is processed by the PHP system() function. Authenticated attackers may leverage this vulnerability to execute arbitrary code as root:

http://<IP>/handle_daylightsaving.php?act=update&NTPServer=something%3b<payload>

CVE-2016-5675 has been confirmed by the researcher to affect:

  • NUUO NVRmini 2, versions 1.7.5 to 3.0.0
  • NUUO NVRsolo, versions 1.0.0 to 3.0.0
  • NUUO Crystal, versions 2.2.1 to 3.2.0
  • ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1

CWE-285: Improper Authorization - CVE-2016-5676

The cgi_system binary can be called directly and given commands by anyone capable of accessing the web interface. To reset the administrator account password, for example, an unauthenticated attacker can make a request to:

http://<IP>/cgi-bin/cgi_system?cmd=loaddefconfig

CVE-2016-5676 has been confirmed by the researcher to affect NUUO NVRmini 2 and NVRsolo versions 1.7.5 to unknown (versions 2.2.1 and 3.0.0 require authentication), and ReadyNAS Surveillance, both x86 and ARM, versions 1.1.1 to 1.4.1.

CWE-200: Information Exposure - CVE-2016-5677

Potentially sensitive system information is exposed by the hidden page, __nvr_status___.php. The page is accessible to all users via page-specific hard-coded credentials, nuuoeng:qwe23622260.

CVE-2016-5677 has been confirmed by the researcher to affect:
  • NUUO NVRmini 2, versions 1.7.5 to 3.0.0
  • NUUO NVRsolo, versions 1.0.0 to 3.0.0
  • ReadyNAS Surveillance, both x86 and ARM versions 1.1.1 to v1.4.1

CWE-798: Use of Hard-Coded Credentials - CVE-2016-5678

According to the researcher, NUUO NVRmini 2 and NVRsolo versions 1.0.0 to 3.0.0 contain hard-coded credentials. An attacker with knowledge of these credentials may log into affected devices with root privileges.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2016-5679

The sn parameter of the transfer_license command in cgi_main does not properly validate user-provided input. An authenticated attacker may make a specially crafted request to execute arbitrary commands:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=";<command>;#

According to the researcher, NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance version 1.1.2 are affected. Note that this vulnerability can be exploited by any user locally, but requires an administrator account for remote exploitation.

CWE-121: Stack-based Buffer Overflow - CVE-2016-5680

The sn parameter of the transfer_license command in cgi_main also contains a stack-based buffer overflow vulnerability. An authenticated attacker may send a specially crafted request to overflow the buffer and execute arbitrary code:

http://<IP>/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=<payload>

NUUO NVRmini 2 versions 1.7.6 to 3.0.0 and ReadyNAS Surveillance x86 version 1.1.2 is affected, according to the researcher. CVE-2016-5680 can be exploited by any user locally, but requires an administrator account for remote exploitation.

For more information about these vulnerabilities, refer to Pedro Ribeiro's disclosure.

Impact

A remote, unauthenticated attacker can make specially crafted requests to execute arbitrary commands as root.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Users should consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Netgear, Inc.Affected13 Jun 201602 Aug 2016
NUUOAffected03 Mar 201602 Aug 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.0 E:F/RL:U/RC:UR
Environmental 7.0 CDP:LM/TD:M/CR:L/IR:H/AR:H

References

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.