IoT Threat Advisory: CVE-2017-7577

CVSSv2 Score: 5.0 - 10 (conditional)

SecurityScorecard Research and Development DepartmentAugust 9, 2017

Overview

As of July 31, 2017, SecurityScorecard has identified 205,390 IoT devices on the public internet (IPv4) which are currently vulnerable to remote exploitation via CVE-2017-7577- a publicly known vulnerability that can allow hackers to look for, and eventually gain access to, sensitive files.

Fig 1 - Global IoT Vulnerabilities: CVE-2017-7577 : 205,390 unique IPv4 addresses : July 31, 2017

By exploiting CVE-2017-7577, attackers can read arbitrary files and directory structures on vulnerable IoT devices through the http interface- this exploit is known as 'directory traversal.' Notably, this vulnerability also allows the hacker to capture the root password hash and any stored files. Furthermore, CVE-2017-7577 affects IoT devices running the XiongMai uc-httpd v1.0 web server, an embedded http service included with many IoT products, such as webcams and DVRs.

In other words, depending on how the network is set up, an attack that exploits CVE-2017-7577 can result in complete access and a complete compromise of the security and availability of the affected device (i.e. a hacker could potentially get the photos, videos, and audio files from your webcam).

This threat advisory takes a deep dive into:

The risk and potential impact of CVE-2017-7577
The results of SecurityScorecard’s CVE-2017-7577 analysis with a focus on the Mirai Botnet
The CVE-2017-7577 proof of concept (PoC)

Understanding the risk and potential impact of CVE-2017-7577

Before exploring the how the exploit works or how widespread it is, it’s important contextualize CVE-2017-7577 in terms of potential risk. By looking at the NIST CVSSv2 risk score, we can get a high level understanding of the impact that an affected device could suffer. The NIST CVSSv2 risk score for CVE-2017-7577 is variable between 5.0 (Medium) and 10 (High) depending on the availability of additional conditions. Looking at both ends of the spectrum to understand impact, we see the following:

Medium Risk Analysis - 5.0 - (AV:N/AC:L/Au:N/C:P/I:N/A:N)The impact to Confidentiality is ‘Partial’ for CVE-2017-7577 when there are no other login services available (such as Telnet, FTP, SSH, etc). In this case, attackers are only able to reach files - such as password files and stored content - from the IoT device itself.

High Risk Analysis - 10.0 - (AV:N/AC:L/Au:N/C:C/I:C/A:N)The impact to Confidentiality and Integrity is ‘Complete’ for CVE-2017-7577 when there is an additional login service available (such as Telnet, FTP, SSH, etc). This allows attackers to login to the device as root after obtaining the leaking root password. Once the attacker has root to the device, all confidentiality, integrity, and availability is completely compromised.

Results of SecurityScorecard’s CVE-2017-7577 analysis

The SecurityScorecard team analyzed all discovered IPv4 addresses that were identified as vulnerable to CVE-2017-7577. The IPv4 addresses were then mapped to the domain name of the affected enterprise using the SecurityScorecard IP attribution engine, which attempts to map IPv4 addresses to business domain names through the analysis of multiple available public indicators.The results were as follows:

205,390 IPv4 addresses were identified as IoT devices vulnerable to CVE-2017-7577 as of July 31, 2017. (See Fig 1 for Heatmap)

There is a growing reliance on IoT technologies across the board. Figure 6 and Figure 7 indicate the numbers of mapped domain names that are impacted by CVE-2017-7577.

93.56% (192,956) of IP addresses vulnerable to CVE-2017-7577 do not have telnet exposed- likely an indicator of an attempt to prevent automated IoT attacks, like the Mirai botnet. (See Figure 8)

Fig. 7 - Number of Domains Vulnerable to CVE-2017-7577 vs Attributed Industry

Fig 8 - IPv4 Vulnerable to CVE-2017-7577: Telnet blocked (93.6%) vs Telnet Exposed (6.4%)

Results of SecurityScorecard’s CVE-2017-7577 Analysis: A Focus on the Mirai Botnet

Vulnerabilities in XiongMai IoT devices are not a new concept. With their use of the legacy telnet protocol and hardcoded/default passwords, these devices were successfully targeted for exploitation by the Mirai botnet throughout 2016. The SecurityScorecard team took a look at the Mirai botnet activity over the past two years and found the following:

163,458 unique IoT IP addresses of various manufactures were identified by SSC Honeypots as propagating the Mirai botnet (based on unique payload analysis, propagation behavior, and source IP analysis) from January 2016 - August 3, 2017.

The IPv4 addresses identified within the SSC Honeypots had transmitted payloads to telnet ports (port 23) that matched attempted unique login sequences that matched the hex payloads from the Mirai botnet source code (GitHub: Mirai Botnet - scanner.c)

There was a massive spike in activity telnet attack activity during July 2016, indicating the launch of the first major Mirai campaigns.

There has a been steady decline in Mirai attack activity from March 2017 - July 2017 indicating that the auto-propagating worm features of the Mirai botnet have slowed down. This is likely due to a number of reasons, including the availability of patches that change default passwords and disable telnet access, end users proactively disabling telnet access, and other malware families that may auto-propagate and change passwords and/or disable telnet to prevent additional attacks.

Fig 9 - Statistics - SSC Honeypot Logs - Mirai botnet telnet probes by month and unique IP address

Fig 10 - Line Graph - SSC Honeypot Logs -: Mirai botnet telnet probes by month and unique IP address

Fig 11 - Heatmap - SSC Honeypot Logs - Source IPv4 Mirai botnet telnet probes January 2016 - July 31, 2017

4.79% of 205,390 IP addresses vulnerable to CVE-2017-7577 were identified as having been infected by Mirai between March 2016 and July 2017.

9857 of IP addresses confirmed vulnerable to CVE-2017-7577 appeared in Honeypot logs using payloads against the telnet protocol unique to the Mirai malware family. See Figure 12.
- The list of IP addresses that were identified as vulnerable to CVE-2017-7577 were compared to the incoming malicious IP addresses that had been captured by SecurityScorecard Honeypot Logs. The objective was to see how many IP addresses that are still vulnerable to CVE-2017-7577 have already been exploited by the Mirai botnet. The SSC team found 9,857 IP addresses that were in both data sets, indicating that 4.79% of IP addresses currently vulnerable to CVE-2017-were observed having already been exploited and participating in the Mirai botnet.

A significant portion of XiongMai uc-httpd IoT devices vulnerable to CVE-2017-7577 may have been spared from being recruited into the Mirai botnet by blocking telnet access on port 23. However, all exposed devices are still at risk for future exploitation via data theft, use of leaking credentials and/or the discovery of unknown 0day RCE exploit against the uc-httpd application.

Fig 12 - Heatmap - SSC Honeypot Logs - Mirai source IPv4 vulnerable to CVE-2017-7577 as of July 2017

About the XiongMai uc-httpd interface

XiongMai uc-httpd software is typically configured to run on common http ports of IoT hardware, such as port 80 and port 81.

XiongMai uc-http services host the web application interface used for IoT device configuration.
The XiongMai uc-http web application interface uses a weak numerical default password. While users are encouraged to change the password after deployment, it’s apparent by the findings within this report that manufacturer advice often goes unheeded.

Fig 2 - XiongMai uc-http web application interface

A look at the CVE-2017-7577 Proof of Concept (PoC)

On April 3, 2017 a working proof of concept exploit was released for CVE-2017-7577 by the research group ‘Insecurity Zone’ (Fig 3).

The CVE-2017-7757 exploit code takes advantage of an OWASP Top 10 vulnerability, ‘Path Traversal,’ that is present within the uc-httpd software.

When an application is vulnerable to path traversal, it accepts user input without any validation of the location of the file being referenced. This condition allows attackers to use the “dot-dot-slash” file structure in a GET request to access files that are outside the web application file system.

The exploitable condition is made more severe, because uc-httpd v1.0 is running with root permissions on all IoT devices. This allows HTTPs requests to access all portions of the file system without restriction.

Fig 3 - CVE-2017-7577 PoC by Insecurity Zone- FULL: https://www.exploit-db.com/exp...

Arbitrary File Read

Attackers can use CVE-2017-7577 to access /etc/passwd of XiongMai uc-httpd IoT devices and obtain the root password hash, which is often still set to the default of ‘xc3511’.

When an additional service is accessible (telnet, FTP, SSH) attackers can login as root and completely compromise the device.

Fig. 4 - CVE-2017-7577 PoC python script reading /etc/passwd

Dumping /etc/passwd file

Cracked hash reveals default hardcoded root password - xc3511

Directory Traversal

Attackers can use CVE-2017-7577 to browse the file system of a XiongMai uc-httpd IoT device and discover the locations of stored files, such as pictures, audio, and video.
- When an attacker discovers a file of interest, they are able to request the file via the Arbitrary File Read functionality of vulnerability.

Fig 5 - CVE-2017-7577 PoC python script showing filesystem

Looking to the future of IoT Threats

Remediation and Mitigation of CVE-2017-7577

In the immediate future, those companies with IoT devices currently vulnerable to remote exploitation via CVE-2017-7577 should take steps to remediate and mitigate by:

Segmenting consumer IoT devices from the public internet, especially if the device is making use of XiongMai uc-httpd v1.
Consider retiring IoT hardware that running uc-httpd v1.
(For SecurityScorecard customers) Looking at the ‘Analyst Tab’ on the SecurityScorecard profile for their company and portfolio companies to see if anyone in the supply chain has been affected by CVE-2017-7577 or Mirai botnet. All IPv4 addresses identified as vulnerable to CVE-2017-7577 will be mapped to the digital footprint of enterprise networks and will be visible in the ‘Analyst Tab’ of the SecurityScorecard platform. All IPv4 addresses identified within SSC Honeypots as being impacted by the Mirai botnet will be mapped to the digital footprint of enterprise networks and will be visible in the ‘Analyst Tab’ of the SecurityScorecard platform.

The Continuing Evolution of IoT Threats

Thinking further into the future about the state of IoT, it’s clear that as enterprises rely increasingly on IoT devices, hackers will continue to find ways of taking advantage of a larger attack surface.

While, the first iteration of widespread IoT attacks came in the form Mirai, the attack surface for these types of exploitation campaigns will close over time as manufacturers avoid the use of telnet and users are more informed about the risks of exposed telnet ports, as indicated by the data presented the Focus on Mirai section of this advisory. However, attackers will inevitably adapt.

It’s likely that attackers will increasingly began to leverage web application vulnerabilities as entry points against IoT devices as observed with CVE-2017-7577, and the use of simplified embedded software to host web applications will see an increase in attacks such as SQL injection (SQLi), remote code execution (RCE), local file inclusion (LFI) and remote file inclusion (RFI), and potentially buffer overflows depending on the protocols used.

Additionally, the increasing functionalities of IoT hardware create additional attack surfaces, such as the use of custom services or protocols. Many IoT devices support SOAP services, API access, and UDP communications. These communication vectors provide additional ways for users to input data, and consequently, increase the risk of unauthorized access or arbitrary code execution if the protocols are implemented without security in mind. It’s important to remember that companies also have to worry not just about their own IoT attack surface, but also the additional targets created by their vendors’ IoT devices.

As IoT threats evolve, it is pivotal for enterprises to develop a risk management and monitoring system that addresses the complexities of the IoT landscape- a landscape made more complicated by dynamic attack vectors, a patchwork of new industry standards, and compounded risks created by the growing risk ecosystem of companies.

Appendix

Here are some web resources that we came across while while compiling the research for this advisory.

CVE-2017-7577 Information

http://www.cvedetails.com/cve/CVE-2017-7577/https://vulners.com/packetstorm/PACKETSTORM:142131 https://www.exploit-db.com/exploits/42085/https://packetstormsecurity.com/files/142131/uc-httpd-directory-traversal.txt

OSINT References - IoT, uc-httpd, & Mirai botnet

https://krebsonsecurity.com/tag/xiongmai-technologies/https://securityledger.com/2016/10/shoddy-supply-chain-lurks-behind-mirai-botnet/https://www.flashpoint-intel.com/wp-content/uploads/2016/10/Technical-Advisory.pdf http://developers-club.com/posts/173501/https://habrahabr.ru/post/173501/https://habrahabr.ru/post/315266/http://www.stuff.za.net/2016/05/notes-on-hacking-an-aprica-8-channel-cctv/https://lfto.me/reverse-engineering-dvr-firmware/https://github.com/jgamblin/Mirai-Source-Code https://en.wikipedia.org/wiki/Mirai_(malware)