CVE-2016-5675
published 2016-08-31
Priority P182 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 70.88% (99.3th percentile)
handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.
Affected
36 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| netgear | readynas_surveillance | — | — |
| nuuo | crystal | — | — |
| nuuo | crystal | — | — |
| nuuo | crystal | — | — |
| nuuo | crystal | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrmini_2 | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
| nuuo | nvrsolo | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting handle_daylightsaving.php with an NTPServer parameter containing PHP code or shell metacharacters, indicating exploitation of CVE-2016-5675.
- Successful exploitation results in code execution as root on NVRmini/Crystal or as the 'admin' user on ReadyNAS Surveillance; monitor for unexpected privileged processes spawned by the web server process.
- Exploitation requires valid administrative credentials; correlate admin-authenticated sessions to the web interface immediately followed by requests to handle_daylightsaving.php.
- Exploitation requires authentication with an administrative account; unauthenticated attackers cannot directly exploit this vulnerability.
- The Metasploit module targets NVRmini 2, Crystal, and ReadyNAS Surveillance; NVRsolo and other NUUO devices are suspected vulnerable but have not been confirmed tested.
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
exploitdb · 2016-08-05
CVE-2016-5680 NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
---
>> Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS Surveillance application
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/08/2016 / Last updated: 04/08/2016
>> Background on the affected products:
"NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy har
Metasploit
NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance Authenticated Remote Code Execution
metasploit
The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable to an authenticated remote code execution on the exposed web administration interface. An administrative account is needed to exploit this vulnerability. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
No writeups or analysis indexed.
Published: 2016-08-31