Axis 5 Vulnerabilities Examined

By IPVM Team, Published on Dec 01, 2017

A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical vulnerability), has been found in several Axis products. While some are relatively minor, others could be used to build complex exploits to take over a camera.

We have cataloged these vulnerabilities in this note, and provide details on exploit potential and risks users of Axis cameras may face.

Vulnerabilities ********

 *** *************** *** ** grouped **** * ********, as ********* *****:

********** ******* *** ******** below.

Bashis *** *************

**** ************* ** *** **** ******** of *** *****. ** is ****** **** ******* ** can ** **** ******** to ******** **** **** a ****** ******* **************. Further, *** ********* ****** for ** ******** ** build **** **** * Critical ***** *************, ** it ******** *** ********* for * **** ******* exploit **** ***** *********** execute ********* **** ** provide * ****** *****. 

* *** ** ** Axis-developed ******* **** ** multiple *** *********** *** be ********* ** **** data **** *** ****** via *** ** ********* URLs, ***** *** ****** simple *** ** ******** to *******, ** ** requires **** ********* * single '%' ***** *** camera ********** ******* ********** characters, **:

****://********/*****.*****?****=%

*** "******* *******" *** be ***** ** *** of, ** **** ** excessive ****** ** **** in ** **** *******, again **** ********* ****, to ******* ***** ********. ********* ** ******, there ** ********* *** this ** ** ******* refined **** * ********* remote ***** *******, ****** he acknowledges ***** ******** ** Axis' ************ **** **** a challenging ****.

DHCP / ***-****-****/****

** ******* **** *************, a **** ****** **** exist ** *** ******* that ** *********** ** configured ** **** ********* responses **** * ******* request **** ****. *** compromised ****** ***** **** to ***** ** *** same *** ** *** camera, **** ************* ***** not ** ********** ** remote *******. ******* ***** static *** ******* ** DHCP ***** *** ** affected ** **** *************.

**** ************* ** ****** to *** ******* ***** distribution **** ****, *** many ***** *************, *** for *** **** ********* system ** *****-***** *******.

* *** ****** ****** is ***** ******* ** attacker ***** **** ** have ****** ** *** local ***, *** **** to * **** ****** that **** *** *******/********* to **** ********* *********. This ************* ** ******** to ** **** ** any *********** ** **** cameras, ****** ******** ******** is *********** ** ****** any ********* *** *******.

UPnP / ***-****-****/****

** * **** *****, this ************* ****** **** commonalities **** *** **** vulnerability. ** ** *** result ** ****** ****** in *** ***** ********* used ** ****, *** is ******* ** *** attacks ****, ** **** packets ********* ** *** get ********* ******* ** a ***. ** ******** can ******** **** ************* to ****** * ****** of ******* ****** ******* a ******** ******. 

* *** ****** ****** is ***** ******* ** the ******** ** * local *** ******, *** the ******* ******* ** leverage **** ************* **** a ****** ********** ******* resulting ** * **** shell ** ******* ******* of *** ******.

Backdoor **********

** *** **** ****, there **** **** ******** backdoors ********** ** ******* manufacturer's ********, ******** ********* to **** ****** ******* of *** ****** ** ***** or ****-***** ****** **** ******* effort. **** ** ***** Axis *************** **** ********** threats ** ******* ****** backdoor ******. ******' ******** **** *** potential ** ** ********* further **** * ********-***** exploit, *** ***** ** would ** * ****** of ******* *********** ****** on *** ********* ****, vs. *** *****-**-*** ********* found *******,*********,****, **********

Updated ******** *********

**** *** *************** ******** ** ******* all ** ***** ***************. *** to *** ***** ****** of ******** ********, *** the ******* ******** ****** for ***** ********, ** is *** ********* ** list *** ******** ****** and ******** ******* ************ in **** ******. *******, users ****** ***** ****' ******** ********* **** ** **** *** **** recent ******** *** ***** cameras *** ****** ***********.

Open ****** ********* ****** **** *********

***** ******' ******* ** specific ** **** *******, the **** *** **** vulnerabilities *** **** ** present ** ***** ************* cameras, ** *** ******* linux ********* *** **** libraries *** **** ****** by **********. ***** *** wish ** *** ************ of ******** **** *** for * *********** ********* on ******** ** ***** vulnerabilities ** *** ** their ******** ******.

Comments (21)

Now even Axis has locked and loaded cyber warfare weapons in their arsenal? What did we do to all these camera manufacturers to deserve this?

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Bashis, Nice work, you are a gem to the surveillance industry. 


I think it will be telling to see the response from all manufacturers that have been hacked/vulnerable.

The difference? When it happens to Axis we are still surprised.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Responses will likely be less critical, since as pointed out in the report this is not an easy to execute backdoor like Hikvision.  

Also, Axis has released clear documents outlining the actual vulnerabilities, and potential for exploit without trying to place blame on others for having these vulnerabilities in their cameras, which generally has the effect of creating less overall controversy around the issues.

Now even Axis has locked and loaded cyber warfare weapons in their arsenal?

Joking aside, what are you even talking about?

This is not a ‘backdoor’. It’s not even an open door, at least not yet.

Bashis, Nice work, you are a gem to the surveillance industry.

Bashis has risen to almost mythical status.  IPVM should bring Bashis aboard :)

Maybe I am misunderstanding the threat level on this, but the UPnP Exploit looks pretty bad from an Insider Threat/Compromised Network POV. Why is it only considered a low risk? 

The UPnP exploit would have the primary impact of just affecting UPnP. There is a small chance it could be turned into a more complex remote code exploit, but so far no such exploits have been developed.

Because this exploit is related to a linux library used by many systems/vendors (meaning millions of devices, making a potentially attractive target base), and there have been no known exploits developed that turn it into a remote code execution or backdoor-style risk, it is unlikely that any new exploits will come just because Axis is also affected.

All things considered, an insider threat would probably prefer to use bashis' vulnerabilities over this one to try and attack an Axis camera.

Thanks for the explanation Brian. That makes a lot more sense in my head. I am also assuming the real threat is combining Bashis's vulnerability with something like a KRACK vulnerable radio to compromise the camera, but that is a different discussion. 

To assess how likely this overflow bug can be turned into a real remote root weapon, some fuller disclosure from bashis is needed, namely:

How much time have you spent so far looking in the output for something that you can use to get root?

 

Someone that exceeds my newbie knowledge, that can beat Axis non-executable and ASLR on both stack and heap, which means researching ROP chains for ARM and MIPS.

No GOT?

Take the challenge to develop a reliable exploit.

I see Axis cameras are not listed on the BusyBox Products/Projects page: https://www.busybox.net/products.html. I would not be surprised if this would be updated after this article :-)

"If you distribute BusyBox without making the source code to the version you distribute available, you violate the license terms, and thus infringe on the copyrights of BusyBox"... does Axis make the source available?

#6, I've asked Axis for a response and will post back when received.

For others, the quote above is from BusyBox's license page.

From the third party license file for a P3367 camera

To request source code for all open source software included in this
product, send a letter to the address below. In the letter, please
state the following:

* Product name and firmware version
* Name and postal delivery address
* Billing address

The requested code will be sent to you on a CD at a charge of 20 USD,
to cover distribution costs.

Axis IPR Department Contact Information:

IPR Department
Axis Communications AB
Emdalavägen 14
SE-223 69 Lund
Sweden

Thanks U#2... a good open source corporate citizen... nice to see.

I have not seen anyone so far that doesn't run BusyBox.

I have not seen anyone so far that doesn't run BusyBox

Here you go:

Take the challenge and be the first to develop an exploit.

I already have one, albeit slightly limited. Took a couple of hours since I'm not an expert - tells you something about how trivial they are to exploit. I just haven't had the time to finish it and report to Arecont since I've been very busy with personal life. If bashis or someone else wants to claim it, I can share what I have, but I have the hunch they wouldn't even need those pointers, as bashis for example is way more knowledgeable with these things than I am.

I feel these cams could allow for pretty unique exploits too, much more severe than typical IP cams.
