On September 18, 2018, Tenable announced on its official website that the NVRMini2 device management system developed by NUUO has a buffer overflow vulnerability (code name: Peekaboo, CVE-2018-1149). The vulnerability threatens hundreds of thousands of camera devices across more than 100 brands worldwide, and malicious code exploiting it to spread across the Internet has now been detected for the first time.


Details of vulnerability

The NVRMini2 is a lightweight and portable NVR solution with NAS capabilities provided by NUUO for use in the retail, transportation, education, government and banking industries. The Common Gateway Interface (CGI) handler of its Web service does not strictly validate cookie parameters, which allows an attacker to trigger a stack buffer overflow in a sprintf call by supplying an oversized cookie value, and ultimately to execute arbitrary commands remotely as root or administrator. With that access an attacker can view live video streams and stored recordings, hijack the device for cryptocurrency mining, or use it to launch DDoS attacks, which poses serious risks to data privacy and network security.
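As an added illustration (written for this post, not NUUO's code and not part of the original write-up), the following C shows the checks a cookie-handling CGI routine needs before formatting a cookie value into a fixed-size stack buffer: a length bound, an allowed-character check, and a bounded snprintf in place of sprintf. The cookie name `session_id`, the buffer sizes and the path layout are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_VALUE_MAX 64   /* fixed stack buffer an unchecked sprintf() would overrun */

/* Copy the value of cookie `name` from a raw Cookie header into `out` (capacity
 * out_len). Returns the value length, or -1 if the cookie is missing, empty,
 * too long for the buffer, or has bytes outside [A-Za-z0-9_-]. The length
 * check is the validation the advisory says the CGI handler lacked. */
int get_cookie_value(const char *header, const char *name, char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *v = p + name_len + 1;
            size_t len = strcspn(v, ";");
            if (len == 0 || len >= out_len) return -1;   /* reject, never truncate silently */
            for (size_t i = 0; i < len; i++)
                if (!isalnum((unsigned char)v[i]) && v[i] != '-' && v[i] != '_')
                    return -1;                       /* unexpected byte: reject */
            memcpy(out, v, len);
            out[len] = '\0';
            return (int)len;
        }
        p = strchr(p, ';');
    }
    return -1;
}

/* Build the session path with a bounded snprintf(); returns its length, or -1
 * if the cookie was rejected or the result would be truncated. */
int build_session_path(const char *header, char *path, size_t path_len)
{
    char sid[COOKIE_VALUE_MAX];
    if (get_cookie_value(header, "session_id", sid, sizeof sid) < 0) return -1;
    int n = snprintf(path, path_len, "/tmp/sess_%s", sid);
    return (n < 0 || (size_t)n >= path_len) ? -1 : n;
}

/* 1 if `header` yields exactly `expected` as the session path, else 0. */
int session_path_equals(const char *header, const char *expected)
{
    char path[128];
    return build_session_path(header, path, sizeof path) > 0 && strcmp(path, expected) == 0;
}
```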

Peekaboo is widespread: according to public disclosures it affects more than 100 brands, 2,500 different camera models and hundreds of thousands of devices. A current search for “Nuuo-NVRmini” on the FOFA system shows a total of 19,662 such devices exposed to the Internet worldwide. Their distribution is shown in the figure below:

The United States, Germany and Japan have the most exposed devices. In addition, the attacker added an SSH brute-force module, so that the Trojan can spread like a worm and reach a far larger range of hosts.

Analysis of attack process

• The malicious code first attempts to make the device download a malicious shell script and execute it, using the payload shown below:

• The Worldwest-sh script is divided into two modules: one for mining and one for scanning and propagation.

• The mining module reuses an open-source mining Trojan from GitHub and is not described further here.

• The scanning module consists of two parts: CPConnectzMap * scans port 80 and uses the Peekaboo vulnerability for secondary propagation, while bruteforce_sSH__ * brute-forces the SSH service.

IOC

• Scan sources currently captured

• C2 at the control end

• Sample MD5

About Tencent Blade Team

Founded by the Tencent Security Platform Department, Tencent Blade Team focuses on security research in cutting-edge fields such as AI, mobile Internet, IoT, cloud security and radio. So far, Tencent Blade Team has reported more than 70 security vulnerabilities to well-known international manufacturers such as Google, Apple and Adobe, and has been widely recognized by the Internet industry, manufacturers and the international security community. Going forward, Tencent Blade Team will remain committed to safeguarding the development of the Internet and technology.