cbcvebase.
CVE-2018-19864
published 2018-12-05

CVE-2018-19864: NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow)…

Priority: P2 · 71 · Critical 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available
EPSS: 24.81% (97.6th percentile)
NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow), resulting in ability to read camera feeds or reconfigure the device.

Affected (1 range)

Vendor   Product             Version range   Fixed in
nuuo     nvrmini2_firmware   <= 3.9.1        (not listed)

Detection & IOCs (extracted from sources)

port: 5150
command: /bin/touch /tmp/hax (argv: /bin/touch, /tmp/hax)
path: /tmp/hax
bytes: GET / + (Z * 335) + \x30\x2a\x17\x45 + (Y * 80) + \x08\xfc\x78\x40 + \x44\xe0\x17\x40 + \xcc\xb7\x77\x40
  • Detect oversized HTTP GET request URIs targeting NUUO NVRmini2: the exploit sends a GET request whose URI begins with '/' followed by 335 bytes of padding ('Z' characters), far beyond normal URI lengths for this device.
  • Monitor HTTP traffic to TCP port 5150 on NUUO NVRmini2 devices for binary/non-printable bytes in the URI. The byte strings \x30\x2a\x17\x45, \x08\xfc\x78\x40, \x44\xe0\x17\x40 and \xcc\xb7\x77\x40 are little-endian 32-bit ARM addresses (0x45172a30, 0x4078fc08, 0x4017e044, 0x4077b7cc) used as ROP gadgets; their presence indicates a stack overflow exploit attempt.
  • The exploit uses an ARM ROP chain: a 'pop {r3,lr} ; bx lr' gadget, a call to system(), and a 'mov r0,sp ; blx r3' gadget to reach code execution. The gadget addresses sit in the HTTP request line (the URI), not in a request body, so byte signatures must match there.
  • Alert on creation of files under /tmp/ (e.g., /tmp/hax) on NUUO NVRmini2 devices: the default proof-of-concept payload runs /bin/touch /tmp/hax to confirm code execution.
  • The vulnerability is an sscanf-based stack overflow in the HTTP request handler; the overflow is triggered through the URI field, with 335 or more bytes of padding placed before the ROP gadget addresses.
  • The ROP gadget addresses above are specific to firmware version 3.9.1 and may differ across firmware versions; byte-signature detections should be tuned per build, while the oversized-URI and non-printable-byte checks do not depend on those addresses.
  • Firmware through 3.9.1 is affected per the NVD advisory.
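The detection bullets above, as an added worked example that is not part of this page's sources or NUUO's own tooling: a small Python analyzer that scores one raw HTTP request on the features the IOCs describe (destination port 5150, URI length, a long run of one padding byte, non-printable bytes, and the four little-endian gadget addresses). The port and gadget byte strings come from the IOCs above; the length and padding thresholds (256 and 300 bytes) are assumptions chosen for this example, and the exploit-like sample is constructed to follow the layout of the 'bytes' IOC only, not the real PoC.

```python
"""Heuristic detector for CVE-2018-19864 exploit attempts against NUUO NVRmini2.

Added example, not code from the vulnerability page's sources or from NUUO.
"""
import re
import struct

TARGET_PORT = 5150

# Little-endian byte strings quoted in the IOCs (valid for firmware 3.9.1 only).
GADGET_BYTES = [
    b"\x30\x2a\x17\x45",
    b"\x08\xfc\x78\x40",
    b"\x44\xe0\x17\x40",
    b"\xcc\xb7\x77\x40",
]

# Thresholds are assumptions for this example; tune to the device's real traffic.
MAX_SANE_URI_LEN = 256
MIN_PADDING_RUN = 300

REQUEST_LINE_VERSION = re.compile(rb" HTTP/\d\.\d$")


def gadget_addr(raw4: bytes) -> int:
    """Decode a 4-byte little-endian ARM address as it appears on the wire."""
    return struct.unpack("<I", raw4)[0]


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (catches the 'Z' * 335 padding)."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line of a raw HTTP request.

    Splits only on the first space so a URI that itself contains spaces
    (e.g. an embedded shell command) is not truncated; a trailing
    ' HTTP/x.y' is stripped when present.
    """
    line = raw.split(b"\r\n", 1)[0]
    method, sep, rest = line.partition(b" ")
    if not sep:
        return None
    m = REQUEST_LINE_VERSION.search(rest)
    uri = rest[: m.start()] if m else rest
    return method, uri


def analyze_request(raw: bytes, dst_port: int) -> dict:
    """Extract the IOC features from one request and return them with a verdict."""
    result = {
        "port_match": dst_port == TARGET_PORT,
        "uri_len": 0,
        "longest_run": 0,
        "nonprintable": 0,
        "gadgets": [],
        "verdict": "unparseable",
    }
    parsed = parse_request_line(raw)
    if parsed is None:
        return result
    _method, uri = parsed
    result["uri_len"] = len(uri)
    result["longest_run"] = longest_run(uri)
    result["nonprintable"] = sum(1 for b in uri if b < 0x20 or b > 0x7E)
    result["gadgets"] = [f"0x{gadget_addr(g):08x}" for g in GADGET_BYTES if g in uri]

    if len(result["gadgets"]) >= 2:
        # Two or more 3.9.1 gadget addresses in one URI: firmware-specific signature.
        result["verdict"] = "exploit_attempt"
    elif result["uri_len"] > MAX_SANE_URI_LEN and (
        result["nonprintable"] > 0 or result["longest_run"] >= MIN_PADDING_RUN
    ):
        # Generic overflow shape; still fires when the addresses differ (other firmware).
        result["verdict"] = "suspicious_overflow"
    else:
        result["verdict"] = "benign"
    return result


# Constructed samples, not real captures. The exploit-like request follows the
# layout of the 'bytes' IOC only; the real PoC may carry more after the gadgets.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: nvr\r\n\r\n"
EXPLOIT_LIKE_REQUEST = (
    b"GET /" + b"Z" * 335 + GADGET_BYTES[0] + b"Y" * 80
    + GADGET_BYTES[1] + GADGET_BYTES[2] + GADGET_BYTES[3]
    + b" HTTP/1.0\r\n\r\n"
)
OVERSIZED_ONLY_REQUEST = b"GET /" + b"A" * 400 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST),
                      ("exploit-like", EXPLOIT_LIKE_REQUEST),
                      ("oversized-only", OVERSIZED_ONLY_REQUEST)]:
        print(name, analyze_request(req, TARGET_PORT))
```

The two-tier verdict reflects the caveat above: the gadget-address match is a high-confidence signature that only holds for 3.9.1 builds, while the oversized-URI plus padding or non-printable check survives a firmware change and should be kept even where the byte signature is re-tuned.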

CVSS provenance

NVD v3.0: 9.8 CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C