Axis 5 Vulnerabilities Examined

By IPVM Team, Published Dec 01, 2017, 08:02am EST

A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical vulnerability), has been found in several Axis products. While some are relatively minor, others could be used to build complex exploits to take over a camera.

We have cataloged these vulnerabilities in this note, and provide details on exploit potential and risks users of Axis cameras may face.

Vulnerabilities ********

 *** *************** *** ** grouped **** * ********, as ********* *****:

********** ******* *** ******** below.

Bashis *** *************

**** ************* ** *** **** ******** of *** *****. ** is ****** **** ******* ** can ** **** ******** to ******** **** **** a ****** ******* **************. Further, *** ********* ****** for ** ******** ** build **** **** * Critical ***** *************, ** it ******** *** ********* for * **** ******* exploit **** ***** *********** execute ********* **** ** provide * ****** *****. 

* *** ** ** Axis-developed ******* **** ** multiple *** *********** *** be ********* ** **** data **** *** ****** via *** ** ********* URLs, ***** *** ****** simple *** ** ******** to *******, ** ** requires **** ********* * single '%' ***** *** camera ********** ******* ********** characters, **:

****://********/*****.*****?****=%

*** "******* *******" *** be ***** ** *** of, ** **** ** excessive ****** ** **** in ** **** *******, again **** ********* ****, to ******* ***** ********. ********* ** ******, there ** ********* *** this ** ** ******* refined **** * ********* remote ***** *******, ****** he acknowledges ***** ******** ** Axis' ************ **** **** a challenging ****.

DHCP / ***-****-****/****

** ******* **** *************, a **** ****** **** exist ** *** ******* that ** *********** ** configured ** **** ********* responses **** * ******* request **** ****. *** compromised ****** ***** **** to ***** ** *** same *** ** *** camera, **** ************* ***** not ** ********** ** remote *******. ******* ***** static *** ******* ** DHCP ***** *** ** affected ** **** *************.

**** ************* ** ****** to *** ******* ***** distribution **** ****, *** many ***** *************, *** for *** **** ********* system ** *****-***** *******.

* *** ****** ****** is ***** ******* ** attacker ***** **** ** have ****** ** *** local ***, *** **** to * **** ****** that **** *** *******/********* to **** ********* *********. This ************* ** ******** to ** **** ** any *********** ** **** cameras, ****** ******** ******** is *********** ** ****** any ********* *** *******.

UPnP / ***-****-****/****

** * **** *****, this ************* ****** **** commonalities **** *** **** vulnerability. ** ** *** result ** ****** ****** in *** ***** ********* used ** ****, *** is ******* ** *** attacks ****, ** **** packets ********* ** *** get ********* ******* ** a ***. ** ******** can ******** **** ************* to ****** * ****** of ******* ****** ******* a ******** ******. 

* *** ****** ****** is ***** ******* ** the ******** ** * local *** ******, *** the ******* ******* ** leverage **** ************* **** a ****** ********** ******* resulting ** * **** shell ** ******* ******* of *** ******.

Backdoor **********

** *** **** ****, there **** **** ******** backdoors ********** ** ******* manufacturer's ********, ******** ********* to **** ****** ******* of *** ****** ** ***** or ****-***** ****** **** ******* effort. **** ** ***** Axis *************** **** ********** threats ** ******* ****** backdoor ******. ******' ******** **** *** potential ** ** ********* further **** * ********-***** exploit, *** ***** ** would ** * ****** of ******* *********** ****** on *** ********* ****, vs. *** *****-**-*** ********* found *******,*********,****, **********

Updated ******** *********

**** *** *************** ******** ** ******* all ** ***** ***************. *** to *** ***** ****** of ******** ********, *** the ******* ******** ****** for ***** ********, ** is *** ********* ** list *** ******** ****** and ******** ******* ************ in **** ******. *******, users ****** ***** ****' ******** ********* **** ** **** *** **** recent ******** *** ***** cameras *** ****** ***********.

Open ****** ********* ****** **** *********

***** ******' ******* ** specific ** **** *******, the **** *** **** vulnerabilities *** **** ** present ** ***** ************* cameras, ** *** ******* linux ********* *** **** libraries *** **** ****** by **********. ***** *** wish ** *** ************ of ******** **** *** for * *********** ********* on ******** ** ***** vulnerabilities ** *** ** their ******** ******.

Comments (21)

Now even Axis has locked and loaded cyber warfare weapons in their arsenal? What did we do to all these camera manufacturers to deserve this.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Bashis, Nice work, you are a gem to the surveillance industry. 


Agree: 3 | Unhelpful: 1 | Funny: 2

I think it will be telling to see the response from all manufacturers that have been hacked/vulnerable.

Agree: 3

The difference? When it happens to Axis we are still surprised.

Agree: 3 | Funny: 2

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Responses will likely be less critical, since, as pointed out in the report, this is not an easy-to-execute backdoor like Hikvision.

Also, Axis has released clear documents outlining the actual vulnerabilities, and potential for exploit without trying to place blame on others for having these vulnerabilities in their cameras, which generally has the effect of creating less overall controversy around the issues.

Agree: 13 | Informative: 1

Now even Axis has locked and loaded cyber warfare weapons in their arsenal?

Joking aside, what are you even talking about?

This is not a ‘backdoor’. It’s not even an open door, at least not yet.

Agree: 7 | Informative: 1

Bashis, Nice work, you are a gem to the surveillance industry.

Bashis has risen to almost mythical status.  IPVM should bring Bashis aboard :)

Agree: 2 | Funny: 1

Maybe I am misunderstanding the threat level on this, but the UPnP Exploit looks pretty bad from an Insider Threat/Compromised Network POV. Why is it only considered a low risk? 


The UPnP exploit would have the primary impact of just affecting UPnP. There is a small chance it could be turned into a more complex remote code exploit, but so far no such exploits have been developed.

Because this exploit is related to a Linux library used by many systems/vendors (meaning millions of devices, making a potentially attractive target base), and there have been no known exploits developed that turn it into a remote code execution or backdoor-style risk, it is unlikely that any new exploits will come just because Axis is also affected.

All things considered, an insider threat would probably prefer to use bashis' vulnerabilities over this one to try and attack an Axis camera.

Informative: 3

Thanks for the explanation Brian. That makes a lot more sense in my head. I am also assuming the real threat is combining Bashis's vulnerability with something like a KRACK vulnerable radio to compromise the camera, but that is a different discussion. 


To assess how likely this overflow bug can be turned into a real remote root weapon, some fuller disclosure from bashis is needed, namely:

How much time have you spent so far looking in the output for something that you can use to get root?

 


Someone that exceeds my newbie knowledge, that can beat Axis non-executable and ASLR on both stack and heap, which means researching ROP chains for ARM and MIPS.

Informative: 1

No GOT?


Take the challenge to develop a reliable exploit.


I see Axis cameras are not listed on the BusyBox Products/Projects page: https://www.busybox.net/products.html. I would not be surprised if this would be updated after this article :-)


"If you distribute BusyBox without making the source code to the version you distribute available, you violate the license terms, and thus infringe on the copyrights of BusyBox"... does Axis make the source available?


#6, I've asked Axis for a response and will post back when received.

For others, the quote above is from BusyBox's license page.


From the third party license file for a P3367 camera

To request source code for all open source software included in this
product, send a letter to the address below. In the letter, please
state the following:

* Product name and firmware version
* Name and postal delivery address
* Billing address

The requested code will be sent to you on a CD at a charge of 20 USD,
to cover distribution costs.

Axis IPR Department Contact Information:

IPR Department
Axis Communications AB
Emdalavägen 14
SE-223 69 Lund
Sweden


Thanks U#2... a good open source corporate citizen... nice to see.


I have not seen anyone so far that doesn't run BusyBox.

Disagree: 1 | Informative: 1

I have not seen anyone so far that doesn't run BusyBox

Here you go:

Take the challenge and be the first to develop an exploit.


I already have one, albeit slightly limited. Took a couple of hours since I'm not an expert - tells you something about how trivial they are to exploit. I just haven't had the time to finish it and report to Arecont since I've been very busy with personal life. If bashis or someone else wants to claim it, I can share what I have, but I have the hunch they wouldn't even need those pointers, as bashis for example is way more knowledgeable with these things than I am.

I feel these cams could allow for pretty unique exploits too, much more severe than typical IP cams.
