When Vulnerabilities Travel Downstream

October 7, 2016

CVEs Assigned to Upstream Devices Exploited by Mirai IoT Botnet

While investigating the recent large-scale DDoS attacks against targets including Krebs On Security and OVH, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511, respectively. These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.

The default login page of Xiongmai Technologies “Netsurveillance” and “CMS” software. The download link for the older CMS binary is in the config.js file.
Image 1: The default login page of Xiongmai Technologies “Netsurveillance” and “CMS” software. The download link for the older CMS binary is in the config.js file.

Why are default credentials such a bad thing?

Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or a remote login services like Telnet or SSH, default credentials may pose a great risk to a device. In this case, the default credentials can be used to “Telnet” to the device. This tactic turns vulnerable devices into “bots” in a botnet. These credentials have been targeted for quite some time, but on a significantly smaller scale than that of the Mirai Botnet. In fact, the majority of media coverage surrounding Mirai has outed Dahua products as a primary source of compromised devices. However, Flashpoint’s analysis on the attack data shows that while Dahua devices are indeed being compromised, a very large percentage of these  IP involved in the DDoS attacks were hosting XiongMai Technologies-based products. The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.

The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of CVE-2016-1000245 by the Distributed Weakness Filing Project.

Web Authentication Vulnerabilities Uncovered

During the investigation, Flashpoint identified an additional vulnerability. There is a trivial web authentication bypass present on all devices running XiongMai Technologies “CMS” or “NetSurveillance” software. The login URL for the device, http://<IP_address_of_device>/Login.htm, prompts for a username and password. Once the user logs in, the URL does not change but instead loads a second page: DVR.htm. While researching CVE-2016-1000245, Flashpoint identified a vulnerability that the web authentication can be bypassed by navigating to DVR.htm prior to login. This vulnerability has been assigned CVE-2016-1000246. It should be noted, both vulnerabilities appear in the same devices. Any DVR, NVR or Camera running the web software “uc-httpd”, especially version 1.0.0 is potentially vulnerable. Out of those, any that have the “Expires: 0” field in their server header are vulnerable to both.

Utilizing Shodan, a search engine for online devices, the number of affected devices becomes apparent. As of September 23, the height of the attacks, there are over 560,000 devices running uc-httpd web server software. However, according to a September 28 search with the addition of “Expires: 0”, nearly 470,000 devices have been confirmed vulnerable to both CVEs. Therefore, out of all uc-httpd 1.0.0 devices in the world as of October 6, over 515,000 are vulnerable.

Final Notes

Large-scale DDoS attacks can potentially cause widespread negative effects for both IoT manufacturers and retailers. As such, IoT manufacturers are encouraged to consider security in the early stages of product development to help proactively reduce their risk. Since default passwords with default services contributed to device vulnerabilities during recent attacks, manufacturers may want to adjust these specifications in future product designs. Regarding IoT retailers, the primary concern is the potential damage to brand reputation following an attack. In order to help mitigate this risk, retailers are encouraged to work closely with manufacturers to establish and uphold security standards for IoT devices. Flashpoint’s observations following these recent attacks underscore the importance of IoT vulnerability risk awareness for both retailers and manufacturers.

The complete technical advisory is available here: https://www.flashpoint-intel.com/wp-content/uploads/2016/10/Technical-Advisory.pdf