Bugtraq mailing list archives
Re: Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance
From: Pedro Ribeiro <pedrib () gmail com>
Date: Thu, 4 Aug 2016 17:47:42 +0100
On 04/08/16 17:46, Pedro Ribeiro wrote:
tl;dr

Lots of RCE, hardcoded credentials, stack buffer overflow and information disclosure in the Nuuo NVRmini and other network video recorders of the same vendor. These vulnerabilities also affect the NETGEAR Surveillance app (which can be installed on the NETGEAR ReadyNAS).

See the full advisory including PoC and exploits below, or at my github (https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt).

Metasploit modules have been submitted for vulns #1, #2 and #3:
https://github.com/rapid7/metasploit-framework/pull/7180
https://github.com/rapid7/metasploit-framework/pull/7181
https://github.com/rapid7/metasploit-framework/pull/7182

Thanks to CERT/CC for helping me disclose these vulnerabilities - see https://www.kb.cert.org/vuls/id/856152 for their advisory.

Regards,
Pedro

==============================

Fix:
NETGEAR and Nuuo did not respond to CERT/CC coordination efforts (see Timeline below), so no fix is available. Do not expose any of these devices to the Internet or any networks with untrusted hosts.

Timeline:
28.02.2016: Disclosure to CERT/CC.
27.04.2016: Requested status update from CERT - they did not receive any response from vendors.
06.06.2016: Requested status update from CERT - still no response from vendors. Contacted Nuuo and NETGEAR directly. NETGEAR responded with their "Responsible Disclosure Guidelines", to which I did not agree and requested them to contact CERT if they want to know the details about the vulnerabilities found. No response from Nuuo.
13.06.2016: CERT sent an update saying that NETGEAR has received the details of the vulnerabilities, and they are attempting to contact Nuuo via alternative channels.
07.07.2016: CERT sent an update saying that they have not received any follow up from both Nuuo and NETGEAR, and that they are getting ready for disclosure.
17.07.2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
01.08.2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
04.08.2016: Coordinated disclosure with CERT.

References:
[1] https://www.kb.cert.org/vuls/id/856152

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
Enabling secure digital business

Forgot to mention - these are actually "0 days" since the vendors didn't bother to respond or issue fixes - see timeline above.

Regards,
Pedro