NUUO NVR Unauthenticated Remote Code Execution

Added: 12/11/2018

Background

NUUO is a surveillance solution provider.

Problem

The upgrade_handle.php on NUUO NVRsolo, NVRsolo Plus, and NVRmini 2 devices allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

Resolution

Upgrade to the appropriate firmware version.

References

https://www.exploit-db.com/exploits/45070

Limitations

Exploit works on NUUO's NVRsolo, NVRsolo Plus, and NVRMini 2 3.8.0 and below.

Platforms

Linux

Back to exploit index