While investigating the recent large-scale DDoS attacks against targets including Krebs On Security and OVH, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511, respectively. These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.
The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of CVE-2016-1000245 by the Distributed Weakness Filing Project.
The Internet of Things is a security nightmare, as proven by record 1 terabit-per-second attacks last month. Vulnerable cameras and digital video recorders (DVRs) were hacked to create a massive botnet called Mirai, which was turned on targets to fill their web pipes with traffic and knock them offline - classic distributed denial of service (DDoS) attacks.
No single company was deemed responsible for all those vulnerable machines. Indeed, after the source code for their malware was released, investigative reporter Brian Krebs was able to list a host of camera manufacturers whose machines were targeted. Their mistake was one all too common in the IoT world: they used default passwords that were either previously-known or easily-guessable. Mirai would scan the internet for those machines and attempt to break in with those credentials.
But one researcher, Flashpoint's Zachary Wikholm, today claimed to have found a single Chinese firm, Hangzhou XiongMai Technologies (XM), that shipped flawed code allowing the perpetrators to potentially amass nearly half a million bots for their malicious network. Whilst other manufacturers, like China's Dahua, saw their kit compromised, Wikholm believes XM tech was compromised far more. "Flashpoint's analysis on the attack data shows ... a very large percentage of these IPs involved in the DDoS attacks were hosting XiongMai Technologies-based products," he wrote in a blog post today.
XM creates software running on its own and partner manufacturers' cameras and DVRs, according to Wikholm. He discovered two significant weaknesses in XM software. First, the company had added default passwords for connections over Telnet, accessible to any hacker on the planet. And, said Wikholm, those passwords were widely known and easy to find with some Google searches.
He found an equally astonishing vulnerability on the XM web app for connected cameras. Though the login over XM's NetSurveillance portal required a username and password, Wikholm discovered it was possible to entirely bypass the process by providing the IP address of a target device and adding "DVR.htm" to the end. That made the request for credentials entirely pointless and allowed anyone with a web connection to take control of the camera. "Any DVR, NVR or camera running the web software 'uc-httpd', especially version 1.0.0 is potentially vulnerable. Out of those, any that have the 'Expires: 0' field in their server header are vulnerable to both," Wikholm added.
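The two header indicators Wikholm describes can be checked against banner data an organisation has already collected from its own devices. The following is an added example, not code from Flashpoint or the article; the inventory contents, the exact header formatting and the label names are assumptions made for illustration.

```python
import re

# Constructed sample: raw HTTP response headers saved by an internal asset scan.
SAMPLE_INVENTORY = {
    "10.0.5.21": "HTTP/1.0 200 OK\r\nServer: uc-httpd 1.0.0\r\nExpires: 0\r\n\r\n",
    "10.0.5.22": "HTTP/1.1 200 OK\r\nserver: uc-httpd 1.0.0\r\nContent-Type: text/html\r\n\r\n",
    "10.0.5.23": "HTTP/1.1 200 OK\r\nServer: uc-httpd/1.2.1\r\nCache-Control: no-cache\r\n\r\n",
    "10.0.5.30": "HTTP/1.1 200 OK\r\nServer: nginx\r\nExpires: 0\r\n\r\n",
}

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw):
    """Label one device according to the indicators quoted in the article."""
    h = parse_headers(raw)
    m = re.search(r"uc-httpd[ /]?([\d.]+)?", h.get("server", ""), re.I)
    if not m:
        return "not-uc-httpd"                  # Expires alone is not an indicator
    if h.get("expires") == "0":
        return "both-issues"                   # 'Expires: 0' on a uc-httpd device
    if m.group(1) == "1.0.0":
        return "potential-1.0.0"               # version singled out in the quote
    return "potential"                         # any other uc-httpd build

def audit(inventory):
    """Map each address to its label, skipping devices that are not uc-httpd."""
    results = {ip: classify(raw) for ip, raw in sorted(inventory.items())}
    return {ip: label for ip, label in results.items() if label != "not-uc-httpd"}

if __name__ == "__main__":
    for ip, label in audit(SAMPLE_INVENTORY).items():
        print(f"{ip}\t{label}")
```

Because the credentials cannot be changed on the device, anything this flags is a candidate for removal from public address space or isolation behind a filtered management network until the vendor ships new firmware.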
Those weaknesses made it simple for hackers to build the Mirai botnet - deemed to be responsible for the attacks on gaming company Blizzard, Krebs's website and French hosting giant OVH. As many as 515,000 systems across 123 countries contained the XM code with the two vulnerabilities, Wikholm told FORBES. He believes most of those devices are now part of the Mirai botnet, though he cannot offer proof. A previous estimate from a security expert who goes by the name MalwareTech put infections at 120,000. That estimate was based on real-time infections MalwareTech recorded. The botnet is much bigger than that, claimed Flashpoint's researcher.
As indicated by a query on Internet of Things search engine Shodan, most of them are located in Vietnam, Brazil, Turkey and China. That chimes with data that showed much of the Mirai attack traffic came from those nations, though anti-DDoS vendor Akamai said Wednesday that most traffic came from China, whilst Wikholm found most of the vulnerable XM-based devices were located in Vietnam.
As XM shipped vulnerable kit, a number of the camera manufacturers targeted by Mirai had already taken steps to protect their kit, including enforcement of a strong password. According to Krebs, Samsung and Panasonic had both done just that.
Though enforcing strong passwords would help in most cases, with the XM kit, there is no option to change those credentials as the Telnet login is hardcoded in. That means only a firmware rewrite on the manufacturer side would solve the issue, said Wikholm. A true fix would require not only XM to update its software, but all of its partner manufacturers too. They'd also have to have an over-the-air update capability. Put simply, Wikholm told me, it'd be a huge task to secure these devices and take a serious chunk out of the Mirai botnet.
My problem is that I am still asked for my github password and passphrase when cloning a repository (using SSH). My understanding was that after I set up this SSH key, I would no longer have to do that.
As @dennis points out in the comments, to persist the passphrase through restarts by storing it in your keychain, you can use the --apple-use-keychain option (-k for Ubuntu) when adding the identity like this:
If you're correctly using SSH when cloning / setting remotes: make sure you have an ssh-agent to remember your password (see this answer by @Komu). That way, you'll only enter your passphrase once per terminal session.
What I found out from reading this OpenRadar and this Twitter discussion was that Apple purposely changed the behaviour for ssh-agent in macOS 10.12 Sierra to no longer automatically load the previous SSH keys. In order to maintain the same behaviour as El Capitan I did the following:
Don't use https. If your remote is using https, then it will keep asking for the password, even if you have added the public key to GitHub and added the private key to ssh-agent. The below will always ask for a password:
Note: You will have to do this again after every restart. If you want to avoid it, then enter it in your ".bashrc" file which is in C:\Users\\.bashrc on windows. It is probably hidden, so make sure that you can see hidden files.
For Mac OSX Sierra, I found that the fixes suggested in the github issue for Open Radar fixed my problem. Seems like Sierra changed the default behavior (I started having this problem after upgrading).
I recently upgraded to macOS Mojave, and installed some tools via homebrew, which seemed to swap Apple's version of ssh-add for the different one. My default version of ssh-add did not have the -K option. This led to the following error:
Make sure you have the default key name id_rsa in the .ssh directory. (You might have specified some different key name when generating the key with the ssh-keygen command, or maybe there isn't any key at all.)
The next time you clone an HTTPS url, you'll be prompted for the username/password, and to grant access to the OSX keychain. After you do this the first time, it should be saved in your keychain and you won't have to type it in again.
Note1: This documentation warns about some peculiarities when working with the GIT_SSH environment variable settings. I can push, pull, fetch with any number of additional parameters to the command and everything works just fine for me (without any need to write an extra script as suggested therein).
I'd like to add an answer for those who may still need to enter the password because they have set IdentitiesOnly as yes. This may be caused by multiple keys and the identity file, being keys for git or server.
Host is the name you'd like to enter when you connect to the server later; the HostName is the server's IP or domain, like github.com; User is the user name you log in to the server with, like the user name or git for GitHub or GitLab; and the IdentityFile is the file where you store the key you have generated.
You can use additional configuration parameters for the "config" file host entry. These can be found in your local git installation folder, e.g. "C:\Program Files\Git\etc\ssh\ssh_config". Excerpt:
See this GitHub doc to convert the remote's URL from https to ssh. To check if the remote's URL is ssh or https, use git remote -v. To switch from https to ssh: git remote set-url origin git@github.com:USERNAME/REPOSITORY.git @jeeYem
If you applied for admission but have not created a MyUCR password, please locate the email sent to you from UCR Undergraduate Admissions. The email contains log in instructions and a link to create a password. If you have already tried to create a password using that link but were unsuccessful, please contact BearHelp at (951) 827-4848 (IT4U).
Beginning in September 2023, your preferred name will now be the default name that appears when you interact with campus departments. This applies to both you (as a student) and any family you give access to.