CVE-2018-1149
published 2018-09-19

CVE-2018-1149: cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests.

Priority: P264 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.23% (96.3rd percentile)

Affected (2 ranges)

Vendor  Product            Version range  Fixed in
nuuo    nuuo_nvrmini2      -              -
nuuo    nvrmini2_firmware  <= 3.8.0       -

Detection & IOCs (extracted from sources)

url: http://x.x.x.x/cgi-bin/cgi_system
path: /cgi-bin/cgi_system
url: http://192.168.1.85/cgi-bin/cgi_system?cmd=portCheck
path: /tmp/moses
path: /mtd/block4/NUUO/etc/camera.ini
url: http://192.168.1.85/users_xml.php
url: http://192.168.1.85/users_xml.php?cmd=changepwd&username=testuser&newpwd=pwned
path: /users_xml.php
filename: cgi_system
  • Detect exploitation attempts by monitoring HTTP requests to /cgi-bin/cgi_system with an oversized PHPSESSID cookie value (well beyond the normal session ID length of 32 hex chars)
  • Alert on HTTP requests to /cgi-bin/cgi_system?cmd=portCheck (or any cmd parameter) carrying a PHPSESSID cookie significantly longer than 32 characters, indicative of a stack buffer overflow attempt
  • Monitor for unauthenticated access to /users_xml.php with cmd=changepwd query parameters, which indicates exploitation of the backdoor (CVE-2018-1150) to change user passwords
  • The overflow occurs in sprintf when building a /tmp/ session filename from the unsanitized PHPSESSID cookie; monitor sprintf calls or stack canary violations in the cgi_system process
  • Camera credentials for all connected cameras are stored in plaintext on disk at /mtd/block4/NUUO/etc/camera.ini and are exposed upon successful exploitation
  • NUUO OEMs and whitelabels its software to third-party vendors; the full list of affected third-party vendors is unknown, broadening the attack surface beyond NVRMini2-branded devices
  • All NVRMini2 and NVRsolo versions 3.8.0 and prior are affected; public exploits are available per the CISA advisory
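The two request-level detections listed above (oversized or non-hex PHPSESSID sent to /cgi-bin/cgi_system, and cmd=changepwd calls to /users_xml.php) as a small log-scanning example. This is added illustration code, not from the advisory or the vendor; the log line format and the sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

NORMAL_PHPSESSID_LEN = 32                 # a normal PHP session id is 32 hex chars
HEX_RE = re.compile(r'[0-9a-fA-F]+')
# Constructed log format (not a real device log): "<method> <path?query> Cookie: <cookie header or ->"
LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) Cookie: (?P<cookie>.*)$')

# Constructed sample requests: benign session, oversized PHPSESSID, changepwd call, unrelated page.
SAMPLE_LOG = [
    'GET /cgi-bin/cgi_system?cmd=portCheck Cookie: PHPSESSID=0123456789abcdef0123456789abcdef',
    'GET /cgi-bin/cgi_system?cmd=portCheck Cookie: PHPSESSID=' + 'A' * 300,
    'GET /users_xml.php?cmd=changepwd&username=testuser&newpwd=pwned Cookie: -',
    'GET /index.php Cookie: PHPSESSID=fedcba9876543210fedcba9876543210',
]

def parse_cookies(header):
    """Split a Cookie header into a name->value dict; tolerates '-' or junk parts."""
    cookies = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def classify(line):
    """Return the list of findings for one request line (empty list = nothing suspicious)."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparseable line']
    url = urlsplit(m['target'])
    query = parse_qs(url.query)
    cookies = parse_cookies(m['cookie'])
    findings = []
    # Rule 1: cgi_system reached with a PHPSESSID longer than a real session id, or not hex at all
    if url.path == '/cgi-bin/cgi_system':
        sid = cookies.get('PHPSESSID')
        if sid is not None and (len(sid) > NORMAL_PHPSESSID_LEN or not HEX_RE.fullmatch(sid)):
            findings.append('CVE-2018-1149: PHPSESSID of %d chars sent to cgi_system (cmd=%s)'
                            % (len(sid), ','.join(query.get('cmd', ['-']))))
    # Rule 2: password change through users_xml.php, the CVE-2018-1150 backdoor path noted above
    if url.path == '/users_xml.php' and 'changepwd' in query.get('cmd', []):
        findings.append('CVE-2018-1150: cmd=changepwd request to users_xml.php for user %s'
                        % ','.join(query.get('username', ['?'])))
    return findings

def scan(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    return {i: f for i, f in ((i, classify(l)) for i, l in enumerate(lines)) if f}

if __name__ == '__main__':
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

Real access logs rarely record the Cookie header by default, so the PHPSESSID rule needs a log format (or a proxy/IDS) that captures request headers.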

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C