Axis Fixed Bug Report For Passwords [Corrected]

About a year ago a user reported a strange problem using an Axis camera after setting the password with an embedded %:

Axis Camera - Access Denied After PW Change With %

This mystery was never solved, although it was noted at the time:

Ok, so it could be that the percent sign is being evaluated as a special character by either javascript or the linux/unix shell or something in between.

Able to replicate the bug, but unable to help, IPVM contacted Axis with the information.

Brian, fyi, I forwarded this to our contacts at Axis to see if they have any feedback.

No follow-up was reported.

A year later a vulnerability in most Axis devices is reported using what is known as a remote format string exploit. Explained here. Excerpt:

2.4 What exactly is a format string?
A format string is an ASCIIZ string that contains text and format parameters.
Example:
printf ("The magic number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, that is replaced with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911.

The actual exploit was using this string:

# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80

indicating that indeed the % sign was being passed to a printf family Linux call where it was interpreted as a command (in this case to set up a listener to call back).

IMHO, if Axis had actually investigated and remediated this bug report they would have (knowingly or unknowingly) fixed the vulnerability well before the exploit was developed.
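The password-with-% symptom and the http_user=%p|%p request are the same defect seen from two sides: a user-supplied string reaching a printf-family call as the format argument. The C below is an added example, not Axis code and not part of the original post; the function names and the "pa%%ss" sample password are constructed for the demonstration. It shows the vulnerable pattern, the one-line fix, and a defender-side check that counts the directives an input would trigger.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler modelled on the page's http_user field. */

/* BAD: the attacker-controlled string IS the format string, so every
 * '%' sequence in it is parsed as a directive. Compilers flag this
 * line with -Wformat-security; that warning is the cheap detection. */
int log_user_vulnerable(const char *user, char *out, size_t outlen) {
    return snprintf(out, outlen, user);
}

/* FIX: constant format string; the input is only ever data. */
int log_user_fixed(const char *user, char *out, size_t outlen) {
    return snprintf(out, outlen, "%s", user);
}

/* Defender check: how many conversion directives would this input
 * trigger if it reached printf-style code? "%%" is a literal percent
 * and is not counted. "%p|%p" from the advisory yields 2. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void) {
    char buf[64];
    /* "%%" is the only directive that is well defined without
     * arguments, so it shows the mangling without undefined behaviour:
     * a 6-character password is silently stored as 5 characters. */
    log_user_vulnerable("pa%%ss", buf, sizeof buf);
    printf("vulnerable: %s\n", buf);     /* pa%ss  : password altered   */
    log_user_fixed("pa%%ss", buf, sizeof buf);
    printf("fixed:      %s\n", buf);     /* pa%%ss : stored verbatim    */
    printf("directives in '%%p|%%p': %d\n", count_directives("%p|%p"));
    return 0;
}
```

A password that survives the fixed path but not the vulnerable one is exactly the "access denied after changing the password" symptom from the first report.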
