[NEWS] Axis Network Camera HTTP Authentication Bypass
From: SecuriTeam (support_at_securiteam.com)
Date: 05/29/03
To: list@securiteam.com Date: 29 May 2003 20:02:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Axis Network Camera HTTP Authentication Bypass
------------------------------------------------------------------------
SUMMARY
An Axis Network Camera (http://www.axis.com) captures and transmits live
images directly over an IP network (e.g. LAN/intranet/Internet), enabling
users to remotely view and/or manage the camera from a Web browser on any
computer.
After setting up the Axis Camera, the user is provided with Web-based
Administration Tools for configuring and managing the camera by accessing
http://camera-ip/admin/admin.shtml, which requires a username and
password.
We have discovered the following security vulnerability: by accessing
http://camera-ip//admin/admin.shtml (notice the double slash), the
authentication for "admin" is bypassed and an attacker gains direct access
to the configuration.
Using this vulnerability, an attacker can reset the root password, then
enable the telnet server by modifying configuration files, giving the
attacker interactive access to a Unix-like command line and allowing her to
execute arbitrary commands as root.
DETAILS
Vulnerable Packages:
* AXIS 2100 Network Camera versions 2.32 and previous
* AXIS 2110 Network Camera versions 2.32 and previous
* AXIS 2120 Network Camera versions 2.32 and previous
* AXIS 2130 PTZ Network Camera versions 2.32 and previous
* AXIS 2400 Video Server versions 2.32 and previous
* AXIS 2401 Video Server versions 2.32 and previous
* AXIS 2420 Network Camera versions 2.32 and previous
* AXIS 2460 Network DVR versions 3.00 and previous
* AXIS 250S Video Server versions 3.02 and previous
Solution/Vendor Information/Workaround:
Axis Communications has released new firmware closing this vulnerability
in its Network Camera and Video Server products.
New releases are available at:
AXIS 2100 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2100/2_34/
AXIS 2110 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2110/2_34/
AXIS 2120 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2120/2_34/
AXIS 2130 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2130/2_34/
AXIS 2400 Video Server: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/2_34/
AXIS 2401 Video Server: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2401/2_34/
AXIS 2420 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2420/2_34/
AXIS 2460 Network DVR: 3.10
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2460/3_10/
AXIS 250S Video Server: 3.03
ftp://ftp.axis.com/pub_soft/cam_srv/cam_250s/3_03/
Recommended Actions:
CORE Security strongly recommends that all affected devices be updated to
these firmware versions.
Technical Description - Exploit/Concept Code:
CORE Security has discovered the following security vulnerability: by
accessing http://camera-ip//admin/admin.shtml (notice the double slash)
the authentication for "admin" is bypassed and an attacker gains direct
access to the configuration.
In the same way, an attacker can access the other administration tools for
the camera, for example:
http://camera-ip//admin/img_general.shtml
http://camera-ip//admin/netw_tcp.shtml
http://camera-ip//admin/sys_date.shtml
http://camera-ip//admin/com_port.shtml
http://camera-ip//admin/op_general.shtml
http://camera-ip//admin/sys_motiond.shtml
Note that the workaround for a recently published Axis HTTP Server
vulnerability (see reference [1]) was to add authentication to some
particular paths. With this vulnerability the authentication can be
bypassed, so the mentioned Information Disclosure vulnerability can still
be exploited.
The affected Axis devices run a Linux-like operating system. With this
vulnerability, an attacker can reset the root password. Then, using the
ftp server that is open by default, the attacker can download configuration
files, modify them and upload them again. By modifying /etc/inittab it is
possible to enable the Telnet server (see reference [2], a technical note
explaining how to enable Telnet support), giving the attacker interactive
access to a UNIX-like command line. Axis provides free developer tools (see
reference [3]), so it is feasible for an attacker to build tools such as
port scanners or proxies and launch attacks from the compromised camera,
which is usually installed inside internal networks, potentially leading to
the compromise of the internal network.
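As an added illustration, not part of the advisory, the check below shows why a literal prefix rule on the request path misses the double-slash form, how canonicalizing the path before applying the rule closes that gap, and how a defender can spot such requests in a web-server access log. The log lines, the "/admin/" prefix policy and the function names are constructed for this example.

```python
import posixpath
import re

# Constructed sample access-log lines in common log format (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2003:20:02:44 +0200] "GET /admin/admin.shtml HTTP/1.0" 401 -
10.0.0.5 - - [29/May/2003:20:02:51 +0200] "GET //admin/admin.shtml HTTP/1.0" 200 4120
10.0.0.7 - - [29/May/2003:20:03:10 +0200] "GET /view/view.shtml HTTP/1.0" 200 1802
10.0.0.5 - - [29/May/2003:20:03:30 +0200] "GET /admin//netw_tcp.shtml HTTP/1.0" 200 2210
"""

# Path prefixes that must only be reachable after authentication (assumed policy).
PROTECTED_PREFIXES = ("/admin/",)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def naive_requires_auth(raw_path):
    """Literal prefix match on the path as sent: '//admin/...' does not match '/admin/'."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def normalize_path(raw_path):
    """Canonical form for authorization decisions: drop the query string,
    collapse repeated slashes, then resolve '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)  # normpath alone would keep a leading '//'
    return posixpath.normpath(path)


def hardened_requires_auth(raw_path):
    """Same policy as the naive check, but applied to the canonical path."""
    norm = normalize_path(raw_path)
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in PROTECTED_PREFIXES)


def find_noncanonical_admin_requests(log_text):
    """Return (client, raw_path, status) for requests that reach a protected path
    through a non-canonical spelling, the signature of this class of bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        path_only = raw_path.split("?", 1)[0]
        if hardened_requires_auth(path_only) and normalize_path(path_only) != path_only:
            hits.append((client, raw_path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_noncanonical_admin_requests(SAMPLE_LOG):
        print("non-canonical request for protected path:", hit)
```

A non-canonical request for a protected path that was answered with 200 rather than 401 is the case worth alerting on; canonical requests that legitimately authenticate produce no hit.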
ADDITIONAL INFORMATION
References:
[1] Axis Communications HTTP Server Messages Information Disclosure
Vulnerability (published 2003-02-28)
[2] Technical Note: Enable Telnet Support in the Axis Camera Servers
http://www.axis.com/techsup/cam_servers/tech_notes/telnet_support.htm
As stated on this page: "You should enable this option for experimental use
only. Never leave the Telnet access enabled when having the Network Camera
installed on a public site."
[3] Axis' developer site (where a compiler and other development tools can
be downloaded): http://developer.axis.com/
The information has been provided by CORE Security Technologies Advisories
(advisories@coresecurity.com).