Responsible Disclosure: XiongMai uc-httpd 1.0.0 – Buffer Overflow

As part of his MSc Project, Andrew Watson discovered a previously unknown buffer overflow vulnerability in ‘XiongMai uc-httpd 1.0.0’ – a web server used in multiple IoT devices including routers, CCTV cameras and DVR’s. Following best practice and with the full support of RHUL ISG, he attempted responsible disclosure to assist XiongMai in fixing the vulnerability, but unfortunately the company did not respond to any of the multiple attempts to discuss the vulnerability with them. After 111days of no responses, he released the 0day exploit publicly, further details available here.

The vulnerability (CVE ID: CVE-2018-10088) has since been given a CVSS score of 10.0 – the highest any vulnerability can score.

Andrew’s Proof of Concept exploit (PoC) was accepted to the Offensive Security Exploit Database as EDB-ID: 44864 and is also included in Kali Linux via the SearchSploit tool.

Soon after the PoC exploit was publicly released, it was reported that the Satori Botnet integrated the PoC exploit into their botnet code. Quoting Security Affairs: “The code recently included in the Satori botnet exploits a buffer overflow vulnerability, tracked as CVE-2018-10088, in XionMai uc-httpd 1.0.0. The exploit could be used by remote attackers to execute arbitrary code by sending a malformed package via ports 80 or 8000.”

The vulnerability was also reported by Bleeping Computer: “The sudden surge in port 8000 activity turned the heads of multiple security experts specialized in botnet tracking, as it came out of nowhere and at an incredible scale”.