axis2400 webcams

From: Martin Eiszner (martin@websec.org)
Date: 02/28/03

Next message: Byron York: "Re: Netscape Communicator 4.x sensitive informations in configuration file"

Previous message: Max: "ftp.exe anf tftp.exe buffer overflows"
Next in thread: Barry Zubel: "RE: axis2400 webcams"
Reply: Barry Zubel: "RE: axis2400 webcams"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 28 Feb 2003 10:46:12 +0100
From: Martin Eiszner <martin@websec.org>
To: bugtraq@securityfocus.com

2002@WebSec.org/Martin Eiszner

==================================
Security REPORT axis webcam 2400.?
==================================

this document: http://www.websec.org/adv/axis2400.txt.html

Product: Axis Webserver for 2400 ??
Vulnerablities: denial of service, information disclosure, non-confirmed script execution
Vendor: Axis (http://www.axis.com)
Vendor-Status: E-Mail to "security@axis.com" and "anne.rhenman@axis.com" date: 17.01.2003
Vendor-Patch: no response (28.02.2003)

Local: NO
Remote: YES

============
Introduction
============

webcam system including modified boa-webserver and web-based admin-interface ...

=====================
Vulnerability Details
=====================

1) INFORMATION DISCLOSURE

http-requests to:

---*---
http://server/support/messages
---*---

responds with /var/log/messages.
it is not password protected and might disclose sensitive information.

2) DOS / OVERWRITING SYSTEM-FILES
requesting:
---*---
http://server/axis-cgi/buffer/command.cgi?
buffername=X&
prealarm=1&
postalarm=1&
do=start&
uri=/jpg/quad.jpg&
format=[bad input]
---*---

allows an attacker to overwrite important files on the system (all fifos for example)
leading to an effective DOS-attack.

3) ARBITRARY FILE CREATION

a request like:
---*---
/axis-cgi/buffer/command.cgi?whatever params
buffername=[relative path to directory]
format=[relative path to arbitrary file name]
---*---

will create [relative path to arbitrary file name] or [relative path to a. directory]

if somebody is able to change content of error messages he might be able to create
and execute arbitrary script-files(php fE.).

severity: LOW-MEDIUM

=======
Remarks
=======

---
====================
Recommended Hotfixes
====================
software patch.
EOF Martin Eiszner / @2002WebSec.org
=======
Contact
=======
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org

Next message: Byron York: "Re: Netscape Communicator 4.x sensitive informations in configuration file"
Previous message: Max: "ftp.exe anf tftp.exe buffer overflows"
Next in thread: Barry Zubel: "RE: axis2400 webcams"
Reply: Barry Zubel: "RE: axis2400 webcams"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

php unserialize
... Vulnerablities: ... Information disclosure / Memory dumping ... Vendor-Patchs: ... Memory Corruption / buffer overflow ...
(Bugtraq)
[Full-Disclosure] php unserialize
... Vulnerablities: ... Information disclosure / Memory dumping ... Vendor-Patchs: ... Memory Corruption / buffer overflow ...
(Full-Disclosure)
[Full-disclosure] Advisory: FUSE: Filesystem in Userspace - Information Disclosure
... Advisory: FUSE: Filesystem in Userspace - Information Disclosure ... Vendor-Status: informed, ...
(Full-Disclosure)