Posted on Aug 8, 2017
IoT Threat Advisory: CVE-2017-7577
CVSSv2 Score: 5.0 - 10 (conditional)
SecurityScorecard Research and Development Department August 9, 2017
As of July 31, 2017, SecurityScorecard has identified 205,390 IoT devices on the public internet (IPv4) which are currently vulnerable to remote exploitation via CVE-2017-7577- a publicly known vulnerability that can allow hackers to look for, and eventually gain access to, sensitive files.
By exploiting CVE-2017-7577, attackers can read arbitrary files and directory structures on vulnerable IoT devices through the http interface- this exploit is known as 'directory traversal.' Notably, this vulnerability also allows the hacker to capture the root password hash and any stored files. Furthermore, CVE-2017-7577 affects IoT devices running the XiongMai uc-httpd v1.0 web server, an embedded http service included with many IoT products, such as webcams and DVRs.
In other words, depending on how the network is set up, an attack that exploits CVE-2017-7577 can result in complete access and a complete compromise of the security and availability of the affected device (i.e. a hacker could potentially get the photos, videos, and audio files from your webcam).
This threat advisory takes a deep dive into:
Understanding the risk and potential impact of CVE-2017-7577
Before exploring the how the exploit works or how widespread it is, it’s important contextualize CVE-2017-7577 in terms of potential risk. By looking at the NIST CVSSv2 risk score, we can get a high level understanding of the impact that an affected device could suffer. The NIST CVSSv2 risk score for CVE-2017-7577 is variable between 5.0 (Medium) and 10 (High) depending on the availability of additional conditions. Looking at both ends of the spectrum to understand impact, we see the following:
Results of SecurityScorecard’s CVE-2017-7577 analysis
The SecurityScorecard team analyzed all discovered IPv4 addresses that were identified as vulnerable to CVE-2017-7577. The IPv4 addresses were then mapped to the domain name of the affected enterprise using the SecurityScorecard IP attribution engine, which attempts to map IPv4 addresses to business domain names through the analysis of multiple available public indicators.The results were as follows:
Fig. 7 - Number of Domains Vulnerable to CVE-2017-7577 vs Attributed Industry
Fig 8 - IPv4 Vulnerable to CVE-2017-7577: Telnet blocked (93.6%) vs Telnet Exposed (6.4%)
Results of SecurityScorecard’s CVE-2017-7577 Analysis: A Focus on the Mirai Botnet
Vulnerabilities in XiongMai IoT devices are not a new concept. With their use of the legacy telnet protocol and hardcoded/default passwords, these devices were successfully targeted for exploitation by the Mirai botnet throughout 2016. The SecurityScorecard team took a look at the Mirai botnet activity over the past two years and found the following:
Fig 9 - Statistics - SSC Honeypot Logs - Mirai botnet telnet probes by month and unique IP address
Fig 10 - Line Graph - SSC Honeypot Logs -: Mirai botnet telnet probes by month and unique IP address
Fig 11 - Heatmap - SSC Honeypot Logs - Source IPv4 Mirai botnet telnet probes January 2016 - July 31, 2017
Fig 12 - Heatmap - SSC Honeypot Logs - Mirai source IPv4 vulnerable to CVE-2017-7577 as of July 2017
XiongMai uc-httpd software is typically configured to run on common http ports of IoT hardware, such as port 80 and port 81.
Fig 2 - XiongMai uc-http web application interface
The CVE-2017-7757 exploit code takes advantage of an OWASP Top 10 vulnerability, ‘Path Traversal,’ that is present within the uc-httpd software.
When an application is vulnerable to path traversal, it accepts user input without any validation of the location of the file being referenced. This condition allows attackers to use the “dot-dot-slash” file structure in a GET request to access files that are outside the web application file system.
The exploitable condition is made more severe, because uc-httpd v1.0 is running with root permissions on all IoT devices. This allows HTTPs requests to access all portions of the file system without restriction.
Fig 3 - CVE-2017-7577 PoC by Insecurity Zone- FULL: https://www.exploit-db.com/exp...
Arbitrary File Read
Fig. 4 - CVE-2017-7577 PoC python script reading /etc/passwd
Fig 5 - CVE-2017-7577 PoC python script showing filesystem
In the immediate future, those companies with IoT devices currently vulnerable to remote exploitation via CVE-2017-7577 should take steps to remediate and mitigate by:
Thinking further into the future about the state of IoT, it’s clear that as enterprises rely increasingly on IoT devices, hackers will continue to find ways of taking advantage of a larger attack surface.
While, the first iteration of widespread IoT attacks came in the form Mirai, the attack surface for these types of exploitation campaigns will close over time as manufacturers avoid the use of telnet and users are more informed about the risks of exposed telnet ports, as indicated by the data presented the Focus on Mirai section of this advisory. However, attackers will inevitably adapt.
It’s likely that attackers will increasingly began to leverage web application vulnerabilities as entry points against IoT devices as observed with CVE-2017-7577, and the use of simplified embedded software to host web applications will see an increase in attacks such as SQL injection (SQLi), remote code execution (RCE), local file inclusion (LFI) and remote file inclusion (RFI), and potentially buffer overflows depending on the protocols used.
Additionally, the increasing functionalities of IoT hardware create additional attack surfaces, such as the use of custom services or protocols. Many IoT devices support SOAP services, API access, and UDP communications. These communication vectors provide additional ways for users to input data, and consequently, increase the risk of unauthorized access or arbitrary code execution if the protocols are implemented without security in mind. It’s important to remember that companies also have to worry not just about their own IoT attack surface, but also the additional targets created by their vendors’ IoT devices.
As IoT threats evolve, it is pivotal for enterprises to develop a risk management and monitoring system that addresses the complexities of the IoT landscape- a landscape made more complicated by dynamic attack vectors, a patchwork of new industry standards, and compounded risks created by the growing risk ecosystem of companies.
Here are some web resources that we came across while while compiling the research for this advisory.
|http://www.cvedetails.com/cve/CVE-2017-7577/ https://vulners.com/packetstorm/PACKETSTORM:142131 https://www.exploit-db.com/exploits/42085/ https://packetstormsecurity.com/files/142131/uc-httpd-directory-traversal.txt|
|https://krebsonsecurity.com/tag/xiongmai-technologies/ https://securityledger.com/2016/10/shoddy-supply-chain-lurks-behind-mirai-botnet/ https://www.flashpoint-intel.com/wp-content/uploads/2016/10/Technical-Advisory.pdf http://developers-club.com/posts/173501/ https://habrahabr.ru/post/173501/ https://habrahabr.ru/post/315266/ http://www.stuff.za.net/2016/05/notes-on-hacking-an-aprica-8-channel-cctv/ https://lfto.me/reverse-engineering-dvr-firmware/ https://github.com/jgamblin/Mirai-Source-Code https://en.wikipedia.org/wiki/Mirai_(malware)|
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.