This vulnerability allows a remote, unauthenticated attacker to read arbitrary files on the device. By sending a specially crafted "GET ../" request, an attacker can access the system's configuration files.
Block inbound and outbound traffic to the
Check if the manufacturer (e.g., XiongMai) has released updated firmware that fixes CVE-2018-10088.
This "out-of-the-box" configuration means that any user, including malicious actors, can access the administration panel of a device running this software. If the device is connected to the internet, it is susceptible to unauthorized access.

2. Security Vulnerabilities Associated with uc-httpd 1.0.0
This paper is for educational and defensive purposes only. Unauthorized access to systems using default credentials is illegal under computer fraud laws in most jurisdictions.
– block access to port 80/443 from untrusted networks.
While there is no single universal password for every device running this software, the most ubiquitous default credentials found in devices utilizing uc-httpd are:
– 80 (HTTP), 443 (HTTPS), 8080 (alternative)
According to technical advisories and security reports, the credential pair enabled by default when HTTP basic authentication is activated is: Username: admin, Password: admin
Before testing credentials, confirm the version: