About a year ago a user reported a strange problem using an Axis camera after setting the password with an embedded %:
Axis Camera - Access Denied After PW Change With %
This mystery was never solved, although it was noted at the time:
Ok, so it could be that the percent sign is being evaluated as a special character by either javascript or the linux/unix shell or something in between.
Able to replicate the bug, but unable to help, IPVM contacted Axis with the information.
Brian, fyi, I forwarded this to our contacts at Axis to see if they have any feedback.
No follow-up was reported.
A year later a vulnerability in most Axis devices is reported using what is known as a remote format string exploit. Explained here. Excerpt:
2.4 What exactly is a format string ?
A format string is an ASCIIZ string that contains text and format parameters.
Example:
printf ("The magic number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, that is replaced with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911.
The actual exploit was using this string:
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
indicating that indeed the % sign was being passed to a printf family Linux call where it was interpreted as a command, (in this case to setup a listener to call back).
IMHO, if Axis had actually investigated and remediated this bug report they would have (knowingly or unknowingly) fixed the vulnerability well before the exploit was developed.