Axis 5 Vulnerabilities Examined

Published Dec 01, 2017 13:02 PM

A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical vulnerability), have been found in several Axis products. While some are relatively minor, others could be used to build complex exploits to take over a camera.

We have cataloged these vulnerabilities in this note, and provide details on exploit potential and risks users of Axis cameras may face.

Vulnerabilities ********

 *** *************** *** ** ******* **** 3 ********, ** ********* *****:

********** ******* *** ******** *****.

Bashis *** *************

**** ************* ** *** **** ******** ** *** group. ** ** ****** **** ******* ** can ** **** ******** ** ******** data **** * ****** ******* **************. Further, *** ********* ****** *** ** attacker ** ***** **** **** * Critical ***** *************, ** ** ******** the ********* *** * **** ******* exploit **** ***** *********** ******* ********* code ** ******* * ****** *****. 

* *** ** ** ****-********* ******* used ** ******** *** *********** *** be ********* ** **** **** **** the ****** *** *** ** ********* URLs, ***** *** ****** ****** *** an ******** ** *******, ** ** requires **** ********* * ****** '%' where *** ****** ********** ******* ********** characters, **:

****://********/*****.*****?****=%

*** "******* *******" *** ** ***** on *** **, ** **** ** excessive ****** ** **** ** ** HTTP *******, ***** **** ********* ****, to ******* ***** ********. ********* ** ******, ***** ** potential *** **** ** ** ******* refined **** * ********* ****** ***** exploit, ****** ** ************ ***** ******** ** Axis' ************ **** **** * *********** ****.

DHCP / ***-****-****/****

** ******* **** *************, * **** server **** ***** ** *** ******* that ** *********** ** ********** ** send ********* ********* **** * ******* request **** ****. *** *********** ****** would **** ** ***** ** *** same *** ** *** ******, **** vulnerability ***** *** ** ********** ** remote *******. ******* ***** ****** *** instead ** **** ***** *** ** affected ** **** *************.

**** ************* ** ****** ** *** BusyBox ***** ************ **** ****, *** many ***** *************, *** *** *** core ********* ****** ** *****-***** *******.

* *** ****** ****** ** ***** because ** ******** ***** **** ** have ****** ** *** ***** ***, and **** ** * **** ****** that **** *** *******/********* ** **** malicious *********. **** ************* ** ******** to ** **** ** *** *********** of **** *******, ****** ******** ******** is *********** ** ****** *** ********* for *******.

UPnP / ***-****-****/****

** * **** *****, **** ************* shares **** ************* **** *** **** vulnerability. ** ** *** ****** ** coding ****** ** *** ***** ********* used ** ****, *** ** ******* to *** ******* ****, ** **** packets ********* ** *** *** ********* outside ** * ***. ** ******** can ******** **** ************* ** ****** a ****** ** ******* ****** ******* a ******** ******. 

* *** ****** ****** ** ***** because ** *** ******** ** * local *** ******, *** *** ******* ability ** ******** **** ************* **** a ****** ********** ******* ********* ** a **** ***** ** ******* ******* of *** ******.

Backdoor **********

** *** **** ****, ***** **** been ******** ********* ********** ** ******* manufacturer's ********, ******** ********* ** **** direct ******* ** *** ****** ** ***** or ****-***** ****** **** ******* ******. **** of ***** **** *************** **** ********** threats ** ******* ****** ******** ******. ******' findings have *** ********* ** ** ********* further **** * ********-***** *******, *** doing ** ***** ** * ****** of ******* *********** ****** ** *** attackers ****, **. *** *****-**-*** ********* found *******,*********,****, **********

Updated ******** *********

**** *** *************** ******** ** ******* *** ** ***** ***************. *** ** *** large ****** ** ******** ********, *** the ******* ******** ****** *** ***** products, ** ** *** ********* ** list *** ******** ****** *** ******** updates ************ ** **** ******. *******, users ****** ***** ****' ******** ********* **** ** **** *** **** ****** ******** for ***** ******* *** ****** ***********.

Open ****** ********* ****** **** *********

***** ******' ******* ** ******** ** Axis *******, *** **** *** **** vulnerabilities *** **** ** ******* ** other ************* *******, ** *** ******* linux ********* *** **** ********* *** used ****** ** **********. ***** *** wish ** *** ************ ** ******** they *** *** * *********** ********* on ******** ** ***** *************** ** any ** ***** ******** ******.

Comments (21)
Sean Nelson
Dec 01, 2017
Nelly's Security

Now even Axis has locked and loaded cyber warfare weapons in their arsenal? What did we do to all these camera manufacturers to deserve this.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Bashis, Nice work, you are a gem to the surveillance industry. 


Rich Moore
Dec 01, 2017

I think it will be telling to see the response from all manufacturers that have been hacked/vulnerable.

Undisclosed End User #1
Dec 01, 2017

The difference? When it happens to Axis we are still surprised.

Brian Karas
Dec 01, 2017
IPVM

"Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua."

Responses will likely be less critical, since, as pointed out in the report, this is not an easy-to-execute backdoor like Hikvision.

Also, Axis has released clear documents outlining the actual vulnerabilities, and potential for exploit without trying to place blame on others for having these vulnerabilities in their cameras, which generally has the effect of creating less overall controversy around the issues.

Undisclosed #2
Dec 01, 2017
IPVMU Certified

"Now even Axis has locked and loaded cyber warfare weapons in their arsenal?"

Joking aside, what are you even talking about?

This is not a ‘backdoor’. It’s not even an open door, at least not yet.

Undisclosed Integrator #4
Dec 01, 2017

"Bashis, Nice work, you are a gem to the surveillance industry."

Bashis has risen to almost mythical status.  IPVM should bring Bashis aboard :)

Undisclosed Integrator #3
Dec 01, 2017

Maybe I am misunderstanding the threat level on this, but the UPnP Exploit looks pretty bad from an Insider Threat/Compromised Network POV. Why is it only considered a low risk? 

Brian Karas
Dec 01, 2017
IPVM

The UPnP exploit would have the primary impact of just affecting UPnP. There is a small chance it could be turned into a more complex remote code exploit, but so far no such exploits have been developed.

Because this exploit is related to a Linux library used by many systems/vendors (meaning millions of devices, making a potentially attractive target base), and there have been no known exploits developed that turn it into a remote code execution or backdoor-style risk, it is unlikely that any new exploits will come just because Axis is also affected.

All things considered, an insider threat would probably prefer to use bashis' vulnerabilities over this one to try and attack an Axis camera.

Undisclosed Integrator #3
Dec 01, 2017

Thanks for the explanation Brian. That makes a lot more sense in my head. I am also assuming the real threat is combining Bashis's vulnerability with something like a KRACK vulnerable radio to compromise the camera, but that is a different discussion. 

Undisclosed #2
Dec 01, 2017
IPVMU Certified

To assess how likely this overflow bug can be turned into a real remote root weapon, some fuller disclosure from bashis is needed, namely:

How much time have you spent so far looking in the output for something that you can use to get root?

 

bashis mcw
Dec 01, 2017

Someone that exceeds my newbie knowledge, that can beat Axis non-executable and ASLR on both stack and heap, which means researching ROP chains for ARM and MIPS.

Undisclosed #2
Dec 01, 2017
IPVMU Certified

No GOT?

bashis mcw
Dec 01, 2017

Take the challenge to develop a reliable exploit.

Undisclosed #5
Dec 01, 2017

I see Axis cameras are not listed on the BusyBox Products/Projects page: https://www.busybox.net/products.html. I would not be surprised if this would be updated after this article :-)

Undisclosed #6
Dec 03, 2017

"If you distribute BusyBox without making the source code to the version you distribute available, you violate the license terms, and thus infringe on the copyrights of BusyBox"... does Axis make the source available?

John Honovich
Dec 03, 2017
IPVM

#6, I've asked Axis for a response and will post back when received.

For others, the quote above is from BusyBox's license page.

Undisclosed #2
Dec 03, 2017
IPVMU Certified

From the third-party license file for a P3367 camera:

To request source code for all open source software included in this
product, send a letter to the address below. In the letter, please
state the following:

* Product name and firmware version
* Name and postal delivery address
* Billing address

The requested code will be sent to you on a CD at a charge of 20 USD,
to cover distribution costs.

Axis IPR Department Contact Information:

IPR Department
Axis Communications AB
Emdalavägen 14
SE-223 69 Lund
Sweden

Undisclosed #6
Dec 03, 2017

Thanks U#2... a good open source corporate citizen... nice to see.

bashis mcw
Dec 03, 2017

I have not seen anyone so far that doesn't run BusyBox.

Undisclosed #2
Dec 03, 2017
IPVMU Certified

"I have not seen anyone so far that doesn't run BusyBox"

Here you go:

Take the challenge and be the first to develop an exploit.

Undisclosed #8
Dec 05, 2017

I already have one, albeit slightly limited. Took a couple of hours since I'm not an expert - tells you something about how trivial they are to exploit. I just haven't had the time to finish it and report to Arecont since I've been very busy with personal life. If bashis or someone else wants to claim it, I can share what I have, but I have the hunch they wouldn't even need those pointers, as bashis for example is way more knowledgeable with these things than I am.

I feel these cams could allow for pretty unique exploits too, much more severe than typical IP cams.

Undisclosed Integrator #7
Dec 04, 2017

Please delete, I answered my own question. A network configuration wouldn't look like that.

 

thanks,