CVE-2018-14933 Scanner

CVE-2018-14933 Scanner - Remote Command Execution vulnerability in NUUO NVRmini

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 20 hours
Scan only one: URL
Toolbox: -

NUUO NVRmini is a network video recorder system widely used by businesses, government facilities, and surveillance infrastructure for managing and storing IP camera feeds. It provides centralized monitoring and is often integrated with physical security systems. The device's firmware includes a web-based interface for system management and configuration. Because it is typically connected to sensitive networks and physical infrastructure, its security posture is critical. The firmware from 2016 is the focus of this scanner due to known vulnerabilities. Its wide deployment in sensitive environments makes patching and detection imperative.

This scanner targets a critical Remote Command Execution (RCE) vulnerability in the NUUO NVRmini system. The flaw stems from insufficient input validation in the upgrade_handle.php file, which processes parameters without sanitization. By exploiting this flaw, attackers can inject arbitrary system commands. This can lead to full system compromise, allowing the attacker to manipulate video feeds, disrupt recordings, or pivot to internal networks. The vulnerability does not require authentication, significantly increasing its risk level. Exploitation is trivial for attackers with access to the system's web interface.

The technical root of the issue lies in the upgrade_handle.php script, which accepts a `uploaddir` parameter as part of a GET request. By passing crafted values such as `';id;'`, an attacker can inject shell commands. The output of the command, including sensitive system details like UID and GID, is returned in the HTTP response. A successful response with HTTP status 200 and expected shell output confirms the vulnerability. No authentication or special headers are required to exploit this flaw. This allows automated scanning and exploitation at scale.
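Asset owners can look for the request pattern described above in their own web or reverse-proxy logs. The following is an added example, not part of the scanner or the original page; it assumes combined-format access logs, and the function names, sample log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a value break out of a quoted shell argument.
SHELL_META = re.compile(r"[;'\"`|&$<>()\\\n]")

# Client IP, request target and status from a combined-format log line
# (assumed format; adjust the pattern to your proxy or web server).
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_uploaddir(line):
    """Return a finding if the line is an upgrade_handle.php request whose
    uploaddir value contains shell metacharacters, otherwise None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/upgrade_handle.php"):
        return None
    # parse_qs percent-decodes, so an encoded quote or semicolon is still seen.
    for value in parse_qs(url.query, keep_blank_values=True).get("uploaddir", []):
        if SHELL_META.search(value):
            return {"ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "uploaddir": value}
    return None

def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [hit for hit in map(suspicious_uploaddir, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /upgrade_handle.php?uploaddir=%27%3Bid%3B%27 HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /upgrade_handle.php?uploaddir=/tmp/upload HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /upgrade_handle.php?uploaddir=%27%3Bid%3B%27 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} status={hit["status"]} uploaddir={hit["uploaddir"]!r}')
```

A flagged request that was answered with status 200 reached the script on the device, so that NVRmini should be treated as potentially compromised and investigated.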

If exploited, the vulnerability enables complete remote code execution on affected NVRmini devices. An attacker could gain unauthorized access to stored video footage, disable cameras, or tamper with surveillance records. The compromised system can be further used as an entry point for broader attacks on internal infrastructure. It can also be leveraged in botnets for distributed denial-of-service (DDoS) campaigns. Loss of control over surveillance systems may result in compliance violations and physical security risks. The attacker can maintain persistence by uploading additional backdoors or modifying firmware settings.
