Video surveillance recorders riddled with zero-days
Kit from NUUO, Netgear has face-palm grade stoopid
There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO.
The affected NUUO units are NVRmini 2, NVRsolo, and Crystal.
The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attached to the affected products, ranging from input validation issues to buffer overruns.
Under CVE-2016-5674, there's a hidden page in the Web management interface that looks like someone wrote it while the product was under development, and forgot to take it out.
An attacker can pass arbitrary “log” parameters to PHP's system(), and it executes as root.
There's a second hidden page, __nvr_status___.php (assigned CVE-2016-5677), with an information exposure risk. Since it's accessed via the hard-coded credentials nuuoeng:qwe23622260, it's yet another debugging tool that the engineers forgot to remove. Slap them head-wise.
Under CVE-2016-5675, the handle_daylightsaving.php page does not sanitise the NTPServer parameter, letting attackers run code as root.
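For operators who want to check whether these two pages have been probed, here is an added example (not code from the article, Ribeiro's advisory or either vendor): a Python scan of web access logs for requests to __nvr_status___.php and for handle_daylightsaving.php requests whose NTPServer value is not a plain hostname. The combined log format, the query-string placement of NTPServer, and every sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Page and parameter names come from the article; everything else is assumed.
HIDDEN_PAGE = "__nvr_status___.php"        # CVE-2016-5677
NTP_PAGE = "handle_daylightsaving.php"     # CVE-2016-5675
# An NTP server value should be a hostname or IPv4 literal and nothing more.
SAFE_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
# Assumed layout: "combined" access log format.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}'
)

def classify(line):
    """Return (source_ip, reason) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    page = url.path.rsplit("/", 1)[-1]
    if page == HIDDEN_PAGE:
        return m["src"], "hidden debug page requested (CVE-2016-5677)"
    if page == NTP_PAGE:
        # parse_qs percent-decodes, so encoded shell metacharacters show up.
        values = parse_qs(url.query, keep_blank_values=True).get("NTPServer", [])
        if any(not SAFE_HOST.fullmatch(v) for v in values):
            return m["src"], "NTPServer is not a plain hostname (CVE-2016-5675)"
    return None

def scan(text):
    """Classify every line of a log and keep only the hits."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2016:10:01:12 +0000] "GET /handle_daylightsaving.php?NTPServer=pool.ntp.org HTTP/1.1" 200 312
198.51.100.7 - - [05/Aug/2016:10:02:40 +0000] "GET /__nvr_status___.php HTTP/1.1" 200 1840
203.0.113.5 - - [05/Aug/2016:10:03:05 +0000] "GET /handle_daylightsaving.php?NTPServer=time.example.com%3Becho HTTP/1.1" 200 298
192.0.2.10 - - [05/Aug/2016:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Any hit on the hidden page is worth investigating, since the article describes it as a leftover debugging tool with no legitimate user-facing purpose.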
The cgi system binary in affected units can be called directly by anyone running the Web interface (CVE-2016-5676); CVE-2016-5678 describes yet more hard-coded credentials specific to NUUO devices (not Netgear); while CVE-2016-5679 describes a local operating system command vulnerability (only admins can attack it remotely).
If by now the kit hasn't qualified for The Register's “SOHOpeless” tag, there's also a buffer overrun, CVE-2016-5680, yet another arbitrary code execution bug.
The bugs were discovered by Pedro Ribeiro of Agile Information Security, and the details can be read in full at Full Disclosure.
Ribeiro explains that in concert with CERT, the disclosure was made because the vendors have turned turtle. ®