SwiftSafe
SwiftSafe
Sep 28, 2018 · 3 min read

Peekaboo Zero-Day Vulnerability Allows Hacking of Surveillance Cameras

Image for post
Image for post

iOT based security cameras from various vendors invites opportunities for flaws. Recently, researchers have discovered a similar vulnerability that allows hacking of surveillance cameras. By exploiting this “Peekaboo zero-day vulnerability” in the NUUO software, an attacker could remotely execute arbitrary commands.

Vulnerabilities In NUUO Software Allows Hacking Surveillance Cameras

Researchers from cybersecurity firm Tenable have discovered two vulnerabilities in video management software NUUO that allow hacking of surveillance cameras. As stated on their website, NUUO enjoys over 100,000 installations worldwide. Hence, one can imagine the massive impact of the vulnerabilities reported by Tenable.

Reportedly, researchers have found two different flaws in the NUUO security system for which they have provided a POC as well in their report. These vulnerabilities particularly affect the NVRMini2 — a network-attached storage and video recording device. One of these vulnerabilities, “The Mystery of the Backdoor” (CVE-2018–1150) is a Medium severity rated flaw developed due to “leftover debug code”. Explaining this vulnerability, the researchers state,

“If a file named /tmp/moses exists, the backdoor is enabled. It permits the listing of all user accounts on a system and allows someone to change any account’s password. This would, for example, permit an attacker to view the camera feeds, view CCTV recordings, or remove a camera from the system entirely.”

To exploit this vulnerability, an attacker needs to create file “/tmp/moses” which may require exploiting another vulnerability.

Peekaboo — A Zero-Day RCE Vulnerability

The other vulnerability, which is significantly important, is a zero-day vulnerability named “Peekaboo”. This vulnerability (CVE-2018–1149) holds a Temporal Score of 8.6 with a “Critical” severity rating. It is an “unauthenticated stack buffer overflow” vulnerability that allows remote code execution by the attacker. Jacob Baines, Tenable’s Senior Research Engineer, has developed the proof-of-concept demonstrating this flaw.

About the Peekaboo zero-day vulnerability, the researchers explain,

“The NVRMini2 uses an open-source web server that supports some executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries that can be executed on the NVRMini2 is ‘cgi_system’ and it can be accessed via http://x.x.x.x/cgi-bin/cgi_system. This binary handles a variety of commands and actions that require the user be authenticated.

During authentication, the cookie parameter’s session ID size isn’t checked, which allows for a stack buffer overflow in the sprintf function. This vulnerability allows for remote code execution with “root” or administrator privileges.”

As explained in the Tenable’s blog post, this critical vulnerability can allegedly give complete access to the surveillance system. This includes accessibility to the CMS and accessing CCTV cameras’ credentials.

Patch Awaited From NUUO

As reported, Tenable informed NUUO of the vulnerabilities on June 5, 2018, setting up a coordinated disclosure on September 17, 2018. After the reports, NUUO has patched the vulnerability in the version 3.9.0.1 which will be available soon.

Until then, Tenable recommends that users restrict network access control to limited and authorized personnel only. They have also shared dedicated plugins to identify the vulnerability within NUUO products.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store