cbcvebase.
CVE-2017-7577
published 2017-04-07

CVE-2017-7577: XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.

PriorityP184critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
28.75%
97.9th percentile
XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.

Detection & IOCsextracted from sources · hover to see the quote

pathmnt/mtd/Config/Account1
pathmnt/custom/ProductDefinition
commandGET ../
snort
alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for User Details - Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/mtd/Config/Account1"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041451; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_01;)
snort
alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for Product Details Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/custom/ProductDefinition"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041450; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_01;)
  • Exploit attempts target specific sensitive file paths via directory traversal in HTTP GET URIs; monitor for URIs ending with 'mnt/mtd/Config/Account1' (user credentials) or 'mnt/custom/ProductDefinition' (device info) on IoT/DVR devices.
  • The attack uses HTTP GET requests with '../' traversal sequences; detection should focus on inbound HTTP traffic from external networks to HTTP servers/home network devices.
  • ET SIDs 2041450 and 2041451 cover the two primary exploit paths (product details and account credential harvesting respectively); deploy at perimeter with low performance impact.
  • ·Snort rules use 'endswith' on the URI content match, meaning the traversal path must terminate the URI; payloads with trailing slashes or query strings may evade these signatures.
  • ·Rules are classified as confidence Medium and signature_severity Minor by Proofpoint Nexus; tune thresholds accordingly and do not rely solely on these signatures for high-confidence alerting.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.