Researcher Reveals Alleged Zero-Day Vulnerabilities in NUUO NVRmini2 Recording Device

Exploit code has also been released for flaws believed to date back to 2016

A critical zero-day vulnerability in network video recording equipment made by NUUO has been made public as a researcher claims that unpatched issues could lead to remote code execution (RCE).

Discovered by Agile Information Security founder Pedro Ribeiro, the issues are believed to have been present in the NUUO NVRmini2 device since 2016.

NVRmini2 is a network video recorder (NVR) from Taiwanese supplier NUUO capable of recording and storing security footage in digital format.


Ribeiro claims to have disclosed command injection and stack overflow vulnerabilities in NVRmini2 six years ago. At the time, Ribeiro said the product had “terrible safety” – and if his claims are true, then nothing has changed for the better.

“The two disclosed vulnerabilities were discovered during my 2016 audit,” Ribeiro told The Daily Sip. “However, at the time, I found so many other vulnerabilities that I actually forgot to report them – until 2019 when I rediscovered my notes and reported them.”

Unfixed issues

As documented on GitHub, there are apparently two unpatched vulnerabilities. The first, which has not yet been assigned a CVE but is considered critical, is missing authentication for a critical function of the NVRmini2 firmware.

In every firmware version up to and including the latest release, the feature lacks adequate protections to prevent unauthenticated users from accessing the script, Ribeiro claims.

The second alleged vulnerability is the use of a legacy version of BusyBox, a Unix utility package. This release is affected by a series of bugs, including CVE-2011-5325, a path traversal flaw that allows remote attackers to point to files outside of the current working directory.

By abusing the HTTP POST mechanism and creating malicious tarballs, vulnerabilities can be chained together to drop a webshell and execute commands as root, Ribeiro explains.
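For anyone screening archives before they reach an extractor that cannot be patched, the following added example (not from Ribeiro's advisory or this article) audits a tarball in memory and flags members that could land outside the extraction directory. It goes beyond the case described above by covering `..` and absolute names as well as link-based traversal; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def escapes(path):
    """True if a path is absolute or climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def audit_tar(fileobj):
    """Return [(member_name, reason)] for risky entries; nothing is extracted."""
    findings, links = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = m.name.rstrip("/")
            if escapes(name):
                findings.append((m.name, "name leaves extraction directory"))
            # A member stored beneath an earlier link is written through that link.
            parents = name.split("/")[:-1]
            prefixes = {"/".join(parents[:i]) for i in range(1, len(parents) + 1)}
            if prefixes & links:
                findings.append((m.name, "written through a link from the archive"))
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(name) if m.issym() else ""
                if escapes(posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target outside extraction directory"))
                links.add(name)
    return findings


def build_sample():
    """Constructed in-memory sample: a file, a symlink to a placeholder path, a file under it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"sample"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("config/users.txt")
        link = tarfile.TarInfo("config/link")
        link.type, link.linkname = tarfile.SYMTYPE, "/placeholder/outside"
        tar.addfile(link)
        add_file("config/link/note.txt")
    buf.seek(0)
    return buf
```

Calling `audit_tar(build_sample())` reports the symlink and the file stored beneath it, while the ordinary file passes; an upload gateway in front of the device could reject any archive with a non-empty result.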


In addition to the disclosure, the researcher published a Metasploit module that bundles the vulnerability chain described in the advisory.

Proof-of-Concept (PoC) code is said to work on most firmware releases except those prior to 2.0.0 – although alternative techniques may be used on legacy software releases.

At the time of writing, the vulnerabilities remain unpatched on the latest firmware version, v.03.11.0000.0016, although the researcher claims to have made several attempts to disclose them. No official patch is available.

Risk mitigation

The researcher recommends that owners of NVRmini2 devices keep their products away from untrusted networks to mitigate the risk of exploitation.

Other than that, using Ribeiro’s exploit and removing the feature may fix the issue, but it’s not guaranteed.

“During the disclosure process, even after several attempts, they didn’t seem to really understand the vulnerability,” Ribeiro commented.

“We explained to them several times and they seemed completely ignorant. They were quite nice and pleasant to deal with in terms of manners and how they treated us, but technically ignorant.”

The Daily Sip has contacted NUUO for comment but has not heard back at the time of publication. We will update this article as we receive feedback.
