Axis Fixed Bug Report For Passwords [Corrected]

About a year ago a user reported a strange problem using an Axis camera after setting the password with an embedded %:

Axis Camera - Access Denied After PW Change With %

This mystery was never solved, although it was noted at the time:

Ok, so it could be that the percent sign is being evaluated as a special character by either javascript or the linux/unix shell or something in between.

Able to replicate the bug, but unable to help, IPVM contacted Axis with the information.

Brian, fyi, I forwarded this to our contacts at Axis to see if they have any feedback.

No follow-up was reported.

A year later a vulnerability in most Axis devices is reported using what is known as a remote format string exploit. Explained here. Excerpt:

2.4 What exactly is a format string ?
A format string is an ASCIIZ string that contains text and format parameters.
Example:
printf ("The magic number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, that is replaced with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911.

The actual exploit was using this string:

# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80

indicating that indeed the % sign was being passed to a printf family Linux call where it was interpreted as a command, (in this case to setup a listener to call back).

IMHO, if Axis had actually investigated and remediated this bug report they would have (knowingly or unknowingly) fixed the vulnerability well before the exploit was developed.


I don't think it's same, the exploit seems to be with "user" and not "password".

However, there might be another format string bug and/or URL encoding with "%" in "password"..

However, there might be another format string bug and/or URL encoding with "%" in "password"..

Remember that it isn't "in" anything at first, it's just a concatenated string until parsed by the camera.

GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n

Anything working on that raw string, (even after parsing, like when logging an error), directly with the printf family might be exploitable.

Its possible that it is entirely unrelated and just coincidental, even then I would argue that fixing the input mask on the password field should cause a reasonable developer to sanitize the user field as well.

Axis says they fixed this one last year:

"we actually fixed that reported issue in a firmware service release http://origin-www.axis.com/ftp/pub_soft/MPQT/P3367/5_70_1_2/P3367_5_70_1_2_release_notes.txt He reported in May and we solved the password character issue in October. The release notes state that it was solved for ‘#’ sound but it also includes ‘%’ as I had a support engineer test here locally."

Please change title to Axis fixes bug, IPVM member jumps to massively wrong conclusion.

What "massive hack" was reported? The researcher discovered a vulnerability, but is there proof of an actual hack? The title should be Axis Ignored IPVM Bug Report, Leading To Massive Vulnerability" NOT Axis Ignored IPVM Bug Report, Leading To Massive Hack

What "massive hack" was reported?

In common parlance, a 'hack' simply means a way of gaining unauthorized access, the massive indicates the potential scope.

The point is moot in any case as the bug report was not ignored, and the new title has been suggested above.

The title has been changed to reflect Axis fixing that particular bug.

Also, fyi, we have been able to verify the vulnerability and hack real Axis cameras based on the researcher's disclosure. Report to follow shortly.