Another Zero-Day Vulnerability Hits NUUO Surveillance Cameras
A couple of months ago, a zero-day vulnerability, named Peekaboo, threatened NUUO surveillance cameras. The vulnerability could allow an attacker to take control of the cameras and execute arbitrary code. While the vendors patched the flaw that time, they suffered another zero-day vulnerability once again. This time, the bug hit the then patched firmware version of NUUO NVRmini2 cameras.
Zero-Day Vulnerability Allows Taking Control Of NUUO Cameras
Researchers at Digital Defense, Inc. have discovered a zero-day vulnerability in NUUO surveillance cameras. The vulnerability allegedly affected the NVRmini2 cameras and could allow an attacker to execute arbitrary commands.
Reportedly, the DD’s Vulnerability Research Team (VRT) found a remote stack overflow vulnerability in NUUO NVRmini2 Network Video Recorder. Describing the flaw in their security advisory, they stated,
“Sending a crafted GET request to the affected service with a URI length of 351 or greater will trigger the stack overflow. Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution.”
As disclosed by the researchers, exploiting this vulnerability could allow an attacker for arbitrary code execution with root privileges. It means a potential attacker could gain complete control of the camera and can perform any actions, including tampering the videos.
The zero-day flaw allegedly affected NUUO NVRmini2 firmware 3.9.1 and earlier versions. ..Read More..