Axis 5 Vulnerabilities Examined

By: IPVM Team, Published on Dec 01, 2017

A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical vulnerability), has been found in several Axis products. While some are relatively minor, others could be used to build complex exploits to take over a camera.

We have cataloged these vulnerabilities in this note, and provide details on exploit potential and risks users of Axis cameras may face.

Vulnerabilities ********

 *** *************** *** ** grouped **** * ********, as ********* *****:

********** ******* *** ******** below.

Bashis *** *************

**** ************* ** *** **** ******** of *** *****. ** is ****** **** ******* ** can ** **** ******** to ******** **** **** a ****** ******* **************. Further, *** ********* ****** for ** ******** ** build **** **** * Critical ***** *************, ** it ******** *** ********* for * **** ******* exploit **** ***** *********** execute ********* **** ** provide * ****** *****. 

* *** ** ** Axis-developed ******* **** ** multiple *** *********** *** be ********* ** **** data **** *** ****** via *** ** ********* URLs, ***** *** ****** simple *** ** ******** to *******, ** ** requires **** ********* * single '%' ***** *** camera ********** ******* ********** characters, **:

****://********/*****.*****?****=%

*** "******* *******" *** be ***** ** *** of, ** **** ** excessive ****** ** **** in ** **** *******, again **** ********* ****, to ******* ***** ********. ********* ** ******, there ** ********* *** this ** ** ******* refined **** * ********* remote ***** *******, ****** he acknowledges ***** ******** ** Axis' ************ **** **** a challenging ****.

DHCP / ***-****-****/****

** ******* **** *************, a **** ****** **** exist ** *** ******* that ** *********** ** configured ** **** ********* responses **** * ******* request **** ****. *** compromised ****** ***** **** to ***** ** *** same *** ** *** camera, **** ************* ***** not ** ********** ** remote *******. ******* ***** static *** ******* ** DHCP ***** *** ** affected ** **** *************.

**** ************* ** ****** to *** ******* ***** distribution **** ****, *** many ***** *************, *** for *** **** ********* system ** *****-***** *******.

* *** ****** ****** is ***** ******* ** attacker ***** **** ** have ****** ** *** local ***, *** **** to * **** ****** that **** *** *******/********* to **** ********* *********. This ************* ** ******** to ** **** ** any *********** ** **** cameras, ****** ******** ******** is *********** ** ****** any ********* *** *******.

UPnP / ***-****-****/****

** * **** *****, this ************* ****** **** commonalities **** *** **** vulnerability. ** ** *** result ** ****** ****** in *** ***** ********* used ** ****, *** is ******* ** *** attacks ****, ** **** packets ********* ** *** get ********* ******* ** a ***. ** ******** can ******** **** ************* to ****** * ****** of ******* ****** ******* a ******** ******. 

* *** ****** ****** is ***** ******* ** the ******** ** * local *** ******, *** the ******* ******* ** leverage **** ************* **** a ****** ********** ******* resulting ** * **** shell ** ******* ******* of *** ******.

Backdoor **********

** *** **** ****, there **** **** ******** backdoors ********** ** ******* manufacturer's ********, ******** ********* to **** ****** ******* of *** ****** ** ***** or ****-***** ****** **** ******* effort. **** ** ***** Axis *************** **** ********** threats ** ******* ****** backdoor ******. ******' ******** **** *** potential ** ** ********* further **** * ********-***** exploit, *** ***** ** would ** * ****** of ******* *********** ****** on *** ********* ****, vs. *** *****-**-*** ********* found *******,*********,****, **********

Updated ******** *********

**** *** *************** ******** ** ******* all ** ***** ***************. *** to *** ***** ****** of ******** ********, *** the ******* ******** ****** for ***** ********, ** is *** ********* ** list *** ******** ****** and ******** ******* ************ in **** ******. *******, users ****** ***** ****' ******** ********* **** ** **** *** **** recent ******** *** ***** cameras *** ****** ***********.

Open ****** ********* ****** **** *********

***** ******' ******* ** specific ** **** *******, the **** *** **** vulnerabilities *** **** ** present ** ***** ************* cameras, ** *** ******* linux ********* *** **** libraries *** **** ****** by **********. ***** *** wish ** *** ************ of ******** **** *** for * *********** ********* on ******** ** ***** vulnerabilities ** *** ** their ******** ******.

Comments (21)

Now even Axis has locked and loaded cyber warfare weapons in their arsenal? What did we do to all these camera manufacturers to deserve this?

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Bashis, Nice work, you are a gem to the surveillance industry. 


I think it will be telling to see the response from all manufacturers that have been hacked/vulnerable.

The difference? When it happens to Axis we are still surprised.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Responses will likely be less critical, since as pointed out in the report this is not an easy-to-execute backdoor like Hikvision.

Also, Axis has released clear documents outlining the actual vulnerabilities, and potential for exploit without trying to place blame on others for having these vulnerabilities in their cameras, which generally has the effect of creating less overall controversy around the issues.

Now even Axis has locked and loaded cyber warfare weapons in their arsenal?

Joking aside, what are you even talking about?

This is not a 'backdoor'. It's not even an open door, at least not yet.

Bashis, Nice work, you are a gem to the surveillance industry.

Bashis has risen to almost mythical status.  IPVM should bring Bashis aboard :)

Maybe I am misunderstanding the threat level on this, but the UPnP Exploit looks pretty bad from an Insider Threat/Compromised Network POV. Why is it only considered a low risk? 

The UPnP exploit would have the primary impact of just affecting UPnP. There is a small chance it could be turned into a more complex remote code exploit, but so far no such exploits have been developed.

Because this exploit is related to a linux library used by many systems/vendors (meaning millions of devices, making a potentially attractive target base), and there have been no known exploits developed that turn it into a remote code execution or backdoor-style risk, it is unlikely that any new exploits will come just because Axis is also affected.

All things considered, an insider threat would probably prefer to use bashis' vulnerabilities over this one to try and attack an Axis camera.

Thanks for the explanation Brian. That makes a lot more sense in my head. I am also assuming the real threat is combining Bashis's vulnerability with something like a KRACK vulnerable radio to compromise the camera, but that is a different discussion. 

To assess how likely this overflow bug can be turned into a real remote root weapon, some fuller disclosure from bashis is needed, namely:

How much time have you spent so far looking in the output for something that you can use to get root?

 

Someone that exceeds my newbie knowledge, that can beat Axis non-executable and ASLR on both stack and heap, which means researching ROP chains for ARM and MIPS.

No GOT?

Take the challenge to develop a reliable exploit.

I see Axis cameras are not listed on the BusyBox Products/Projects page: https://www.busybox.net/products.html. I would not be surprised if this would be updated after this article :-)

"If you distribute BusyBox without making the source code to the version you distribute available, you violate the license terms, and thus infringe on the copyrights of BusyBox"... does Axis make the source available?

#6, I've asked Axis for a response and will post back when received.

For others, the quote above is from BusyBox's license page.

From the third party license file for a P3367 camera

To request source code for all open source software included in this
product, send a letter to the address below. In the letter, please
state the following:

* Product name and firmware version
* Name and postal delivery address
* Billing address

The requested code will be sent to you on a CD at a charge of 20 USD,
to cover distribution costs.

Axis IPR Department Contact Information:

IPR Department
Axis Communications AB
Emdalavägen 14
SE-223 69 Lund
Sweden

Thanks U#2... a good open source corporate citizen... nice to see.

I have not seen anyone so far that doesn't run BusyBox.

I have not seen anyone so far that doesn't run BusyBox

Here you go:

Take the challenge and be the first to develop an exploit.

I already have one, albeit slightly limited. Took a couple of hours since I'm not an expert - tells you something about how trivial they are to exploit. I just haven't had the time to finish it and report to Arecont since I've been very busy with personal life. If bashis or someone else wants to claim it, I can share what I have, but I have the hunch they wouldn't even need those pointers, as bashis for example is way more knowledgeable with these things than I am.

I feel these cams could allow for pretty unique exploits too, much more severe than typical IP cams.
