{
  "Name": "NUUO Network Video handle_load_config.php Unauth Command Execution vulnerability(CVE-2019-9653)",
  "Description": "<p>NUUO Inc. is a company providing a video-centric surveillance solution. They have many NVR (Network Video Recorder) products for different customers with various requirements. These NVRs are Linux embedded video recording systems that can manage several cameras. Nowadays, they are used worldwide by many public institutions, companies, banks, or individuals, etc. The web interface of these NVR systems contains a lot of critical vulnerabilities can be abused by unauthenticated attackers. We discover that some vulnerable PHP scripts are lack of authentication mechanism and input protection thus they could be abused to achieve remote code execution on NUUO's devices as root.<br></p>",
  "Product": "NUUO Network Video Recorder",
  "Homepage": "https://www.nuuo.com/",
  "DisclosureDate": "2022-04-02",
  "Author": "corp0ra1",
  "FofaQuery": "body=\"NUUO\"&&title=\"Network Video Recorder Login\"",
  "GobyQuery": "body=\"NUUO\"&&title=\"Network Video Recorder Login\"",
  "Level": "3",
  "Impact": "<p>handle_load_config.php is lack of authentication mechanism and input protection thus it could be abused to achieve remote code execution on NUUO's devices as root.<br></p>",
  "Recommendation": "<p>Update to a newer version. The latest firmware version is 3.10.x.<br></p>",
  "References": [
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9653",
    "https://github.com/grayoneday/CVE-2019-9653"
  ],
  "Is0day": false,
  "HasExp": true,
  "ExpParams": [
    {
      "name": "AttackType",
      "type": "select",
      "value": "cmd,goby_shell_linux"
    },
    {
      "name": "cmd",
      "type": "input",
      "value": "whoami",
      "show": "AttackType=cmd"
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [
    "Command Execution"
  ],
  "VulType": [
    "Command Execution"
  ],
  "CVEIDs": [
    "CVE-2019-9653"
  ],
  "CNNVD": [
    "CNNVD-201905-1233"
  ],
  "CNVD": [
    ""
  ],
  "CVSSScore": "9.8",
  "Translation": {
    "CN": {
      "Name": "NUUO 网络摄像机 handle_load_config.php未授权任意执行漏洞（CVE-2019-9653）",
      "Product": "NUUO 网络摄像机",
      "Description": "<p>NUUO是一家提供一个视讯监控解决方案的公司。他们有许多NVR（网路视讯录影机）产品，可满足不同客户的各种要求。NVR为Linux的嵌入式视讯采集系统，可以管理多个摄影机目前，它们在许多公共、公司、攻击及个人等使用。NVR 的 Web 显示器包含许多严重的漏洞，可遭到身份验证机构的利用者利用。 PHP广泛脚本认证机制和输入保护，因此它们可以在NUUO上被利用以root权限执行远程守护程序码。</p>",
      "Recommendation": "<p>更新设备至较新版本，目前最新固件版本为3.10.x。</p>",
      "Impact": "<p>handle_load_config.php 缺乏认证机制和输入保护，因此可以在NUUO上被利用以root权限执行远程命令</p>",
      "VulType": [
        "命令执⾏"
      ],
      "Tags": [
        "命令执⾏"
      ]
    },
    "EN": {
      "Name": "NUUO Network Video handle_load_config.php Unauth Command Execution vulnerability(CVE-2019-9653)",
      "Product": "NUUO Network Video Recorder",
      "Description": "<p>NUUO Inc. is a company providing a video-centric surveillance solution. They have many NVR (Network Video Recorder) products for different customers with various requirements. These NVRs are Linux embedded video recording systems that can manage several cameras. Nowadays, they are used worldwide by many public institutions, companies, banks, or individuals, etc. The web interface of these NVR systems contains a lot of critical vulnerabilities can be abused by unauthenticated attackers. We discover that some vulnerable PHP scripts are lack of authentication mechanism and input protection thus they could be abused to achieve remote code execution on NUUO's devices as root.<br></p>",
      "Recommendation": "<p>Update to a newer version. The latest firmware version is 3.10.x.<br></p>",
      "Impact": "<p>handle_load_config.php is lack of authentication mechanism and input protection thus it could be abused to achieve remote code execution on NUUO's devices as root.<br></p>",
      "VulType": [
        "Command Execution"
      ],
      "Tags": [
        "Command Execution"
      ]
    }
  },
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": [
      "NUUO-NVR"
    ]
  }
}