Hackers could exploit zero-day bugs in surveillance cameras to manipulate footage

• The vulnerability affects all the products that use NUUO NVRmini2 firmware version 3.9.1 and prior.
• The bug can allow attackers to execute malicious code remotely after gaining root privileges to systems

A zero-day vulnerability was discovered in Nuuo’s surveillance firmware, which could enable hackers to take control over surveillance cameras and tamper with footage and live feeds. The vulnerability affects all the products that use NUUO NVRmini2 firmware version 3.9.1 and prior.

Researchers at Digital Defense discovered that the vulnerability is an unauthenticated remote buffer overflow flaw that can allow attackers to execute malicious code remotely after gaining root privileges to systems. The bug could also enable threat actors to configure the settings of the camera and modify its recordings and feeds.

In order to exploit the bug, a crafted GET request is sent to the devices using the vulnerable firmware. The specially-crafted request URI length should be 351 or more for a successful attack. This triggers the stack overflow condition in the devices.

“Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution,” the researchers said in a blog post.

The vulnerability affects all the products that use NUUO NVRmini2 firmware version 3.9.1 and prior. NUUO has responded to the issue quickly soon after its disclosure. The company has issued a patch to address the vulnerability.