A vulnerability research team at Digital Defense has discovered a zero-day vulnerability in the NUUO-powered internet-connected surveillance cameras, which could be easily tempered with footages and live feeds.
The bug dubbed “Peekaboo” affects firmware of Nuuo NVRmini 2 Network Video Recorder, which acts as a storage place for video recordings and gateway for admins and remote viewers.
According to reports, the flaw was caused by “improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables.”
The vulnerability allows hackers to gain remote access as an unauthenticated user, and then execute arbitrary code with root privileges. The attacker could harness the bug to access and modify camera feeds & recordings, but also to change the configuration and settings of cameras.
"Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution," Digital Defense says.
The vulnerability has been fixed, and researchers at Digital Defense appreciated the quick response of NUUO for providing fixes to the security issue.