Due to a critical vulnerability in NUUO software, hackers could remotely view video feeds and tamper with the recordings of hundreds of thousands of IoT cameras.
According to security experts at Tenable, the vulnerability is called Peekaboo, and it impacted over 100 brands and 2,500 different models of cameras integrated with NUUO’s software.
Peekaboo could be exploited to manipulate cameras and give hackers access to usernames and passwords. The security flaw was found in NVRMini 2, a network-attached storage device and network video recorder.
The vulnerability is an unauthenticated stack buffer overflow that could lead to remote code execution. It is tracked as CVE-2018-1149 and features a CVSSv2 Base score of 10.0.
“Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage,” the researchers at Tenable state.
The vulnerability affects NVRMini 2 firmware versions older than 3.9.0, and it is not patched yet.
“In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released,” the Tenable team says.
The problem lies in the use of an open-source web server with support for executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries, ‘cgi_system’, handles various commands and actions that require the user to be authenticated, but the size of the session ID in the cookie parameter isn’t checked during authentication, which allows a stack buffer overflow in the sprintf function.
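The bug class described above, shown as an added example that is not NUUO's code or Tenable's PoC: an unchecked sprintf of a cookie's session ID beside a version that bounds the length before formatting. The cookie name, path format and buffer sizes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_KEY     "SESSIONID="   /* hypothetical cookie name */
#define SESSION_ID_MAX 32             /* assumed longest valid session ID */
#define PATH_BUF       64             /* assumed size of the stack buffer */

/* Unsafe pattern: the session ID is formatted into a fixed buffer with no
 * length check, so a long cookie value runs past the end of `out`. */
int session_path_unsafe(const char *sid, char *out)
{
    return sprintf(out, "/tmp/sess_%s", sid);
}

/* Hardened form: locate the ID in the Cookie header, bound its length and
 * character set, then format with snprintf() and check for truncation.
 * Returns 0 on success, -1 if the cookie is missing or rejected. */
int session_path_checked(const char *cookie, char *out, size_t out_len)
{
    const char *sid = strstr(cookie, COOKIE_KEY);
    if (sid == NULL)
        return -1;
    sid += strlen(COOKIE_KEY);

    size_t n = 0;
    while (sid[n] != '\0' && sid[n] != ';') {
        if (n == SESSION_ID_MAX || !isalnum((unsigned char)sid[n]))
            return -1;                 /* too long or unexpected byte */
        n++;
    }
    if (n == 0)
        return -1;

    int w = snprintf(out, out_len, "/tmp/sess_%.*s", (int)n, sid);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

int main(void)
{
    char path[PATH_BUF];
    char big[300] = "SESSIONID=";      /* constructed oversized cookie */
    memset(big + 10, 'A', 200);        /* remainder stays zero-filled */
    printf("%d\n", session_path_checked("lang=en; SESSIONID=abc123", path, sizeof path));
    printf("%d\n", session_path_checked(big, path, sizeof path));
    return 0;
}
```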
The Peekaboo vulnerability can result in remote code execution with “root” or administrator privileges, Tenable’s security researchers discovered. Proof-of-concept (PoC) code to demonstrate the bug has been published on GitHub.
Apart from this bug, Tenable found a backdoor in leftover debug code. The flaw is tracked as CVE-2018-1150 and it has a CVSSv2 Base Score of 4.0.
According to the security experts, the backdoor is enabled if the so-called /tmp/moses file exists. The backdoor can be used to list all user accounts on the system and to change an account’s password.
Hackers who abuse the vulnerability could not only view the camera feeds and CCTV recordings but could also take the camera offline.