uc-httpd 1.0.0
tcp/80
This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99b9ef7d2d583a0925683a0925683a0925683a09256
Found HiSiliconDVR firmware: Hardware: General TVI9708H_H Vulnerable to multiple issues : LFI, possibly RCE
Open service 88.225.230.122:80
2024-11-01 22:02
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-31 21:31
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-29 21:41
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-29 00:59
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-21 20:23
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-19 22:55
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-17 23:02
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=34567; var iLanguage=110; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_oldWinNum = g_channelNum; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; var gIntoZoom=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr(0, sc.l
Open service 88.225.230.122:80
2024-10-15 23:39
HTTP/1.1 200 OK Content-type: application/octet-stream Server: uc-httpd/1.0.0 Cache-Control: max-age=864000 Connection: Close <H1>Index of /mnt/web</H1> <H1>Index of /mnt/web</H1>
Open service 88.225.230.122:80
2024-10-01 22:43
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=34567; var iLanguage=110; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_oldWinNum = g_channelNum; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; var gIntoZoom=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr(0, sc.l
Open service 88.225.230.122:80
2024-09-29 23:10
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=34567; var iLanguage=110; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_oldWinNum = g_channelNum; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; var gIntoZoom=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr(0, sc.l
Open service 88.225.230.122:80
2024-09-27 20:59
HTTP/1.1 200 OK Content-type: text/html Server: uc-httpd/1.0.0 Cache-Control: max-age=2592000 Connection: Close Page title: Web Client <!DOCTYPE html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=7" /> <link rel="stylesheet" type="text/css" href="m.css" /> <title>Web Client</title> <!-- m.js --> <script type="text/javascript" language="JavaScript"> if(!(navigator.userAgent.indexOf("MSIE") >= 0 ||navigator.userAgent.indexOf("Trident") >=0)) { if(navigator.userAgent.indexOf("Mac OS X")>0)//mac操作系统 { location.href="Login.htm"; } else { location.href="Findex.htm"; } } </script> <script type="text/javascript">//m.js var ipaddress =document.location.hostname; var hostport=34567; var iLanguage=110; </script> <script type="text/javascript" src="m.jsp"></script> <script type="text/javascript" src="config.js"></script> <!-- 全局变量 --> <script type="text/javascript"> var gExitChannel=new Array(); var gExitSubType=new Array(); var gexiti; var gcid=-1; var g_channelNum=4; var g_oldWinNum = g_channelNum; var g_digitalChannel=0; var gsld; var gslda; var gsldb; var gsldc; var gsldd; var gfmu1=0; var gfmu2=0; var gfmu3=0; var g_bRecord=false; var g_bRealPlay=false; var g_bAudio=false; var gHashCookie = new Hash.Cookie('WebClientCookie',{duration: 30}); var settings = { username:'' } var gca=0; var gcb=0; var gcc=0; var gcd=0; var gAutoPlayAll=false; var gIntoZoom=false; </script> <!-- 颜色滑块 --> <script type="text/javascript"> function sldtopos(sld,step){ sld.knob.setStyle('left', sld.toPosition(step)); } function setcolorsv(f,v){ switch (f) { case 1: gca=v; $('ska').title=v; break; case 2: gcb=v; $('skb').title=v; break; case 3: gcc=v; $('skc').title=v; break; case 4: gcd=v; $('skd').title=v; break; } } function getcolors(){ var colors=""; colors=ocx.GetColor(); var t= new Array(); if (colors !="") { t=colors.split(','); sldtopos(gslda,parseInt(t[0])); sldtopos(gsldb,parseInt(t[1])); sldtopos(gsldc,parseInt(t[2])); sldtopos(gsldd,parseInt(t[3])); setcolorsv(1,parseInt(t[0])); setcolorsv(2,parseInt(t[1])); setcolorsv(3,parseInt(t[2])); setcolorsv(4,parseInt(t[3])); } else//这里有待选中消息的传递 { sldtopos(gslda,parseInt(0)); sldtopos(gsldb,parseInt(0)); sldtopos(gsldc,parseInt(0)); sldtopos(gsldd,parseInt(0)); setcolorsv(1,parseInt(0)); setcolorsv(2,parseInt(0)); setcolorsv(3,parseInt(0)); setcolorsv(4,parseInt(0)); } } function txreset(step){ setcolorsv(1,step); setcolorsv(2,step); setcolorsv(3,step); setcolorsv(4,step); sldtopos(gslda,step); sldtopos(gsldb,step); sldtopos(gsldc,step); sldtopos(gsldd,step); setcolors(); } function setcolors(){ ocx.SetColor(0,gca,gcb,gcc,gcd); } </script> <!-- 设备通道 --> <script type="text/javascript"> function tl(s){ var ret; ret=ocx.Translate(s); return ret; }//moving here for later function function ca(o,ch) { var oc; if ($(o).hasClass('cl1')){ if (ocx.StartRealPlay(ch,0,0)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl2'); } } else{ if (ocx.StopPlayReal(ch)){ oc=$('c'+ch); oc.removeClass(oc.className); oc.addClass('cl1'); } } } function getcl(){ g_digitalChannel=ocx.GetDeviceState(1,0); var t= new Array(); var ts=new Array(); var titles=new Array(); titles[0]=tl('Desktop.LocalRecord'); titles[1]=tl('Desktop.ExtStream'); titles[2]=tl('Desktop.MainStream'); titles[3]=tl('Desktop.StartTalk'); titles[4]=tl('WebTitle.DigitalChannel'); var shtml=""; shtml+="<li id='Talk' ><a title='"+titles[3]+"' id='talking' class='noT' href='javascript:;' onclick='Ontalk()' ></a><span id='logoString' style='margin:0 5px 0 3px;'>NetSurveillance</span></li> " var strsplita=String.fromCharCode(16); var strsplitb=String.fromCharCode(9); var sc; sc=ocx.GetChannelName(); if (sc !=""){ sc=sc.substr(0, sc.l