Axis 5 Vulnerabilities Examined

By: IPVM Team, Published on Dec 01, 2017

A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical vulnerability), has been found in several Axis products. While some are relatively minor, others could be used to build complex exploits to take over a camera.

We have cataloged these vulnerabilities in this note, and provide details on exploit potential and risks users of Axis cameras may face.

[***************]

Vulnerabilities ********

 *** *************** *** ** grouped **** * ********, as ********* *****:

********** ******* *** ******** below.

Bashis *** *************

**** ************* ** *** **** ******** of *** *****. ** is ****** **** ******* ** can ** **** ******** to ******** **** **** a ****** ******* **************. Further, *** ********* ****** for ** ******** ** build **** **** * Critical ***** *************, ** it ******** *** ********* for * **** ******* exploit **** ***** *********** execute ********* **** ** provide * ****** *****. 

* *** ** ** Axis-developed ******* **** ** multiple *** *********** *** be ********* ** **** data **** *** ****** via *** ** ********* URLs, ***** *** ****** simple *** ** ******** to *******, ** ** requires **** ********* * single '%' ***** *** camera ********** ******* ********** characters, **:

****://********/*****.*****?****=%

*** "******* *******" *** be ***** ** *** of, ** **** ** excessive ****** ** **** in ** **** *******, again **** ********* ****, to ******* ***** ********. ********* ** ******, there ** ********* *** this ** ** ******* refined **** * ********* remote ***** *******, ****** he acknowledges ***** ******** ** Axis' ************ **** **** a challenging ****.

DHCP / ***-****-****/****

** ******* **** *************, a **** ****** **** exist ** *** ******* that ** *********** ** configured ** **** ********* responses **** * ******* request **** ****. *** compromised ****** ***** **** to ***** ** *** same *** ** *** camera, **** ************* ***** not ** ********** ** remote *******. ******* ***** static *** ******* ** DHCP ***** *** ** affected ** **** *************.

**** ************* ** ****** to *** ******* ***** distribution **** ****, *** many ***** *************, *** for *** **** ********* system ** *****-***** *******.

* *** ****** ****** is ***** ******* ** attacker ***** **** ** have ****** ** *** local ***, *** **** to * **** ****** that **** *** *******/********* to **** ********* *********. This ************* ** ******** to ** **** ** any *********** ** **** cameras, ****** ******** ******** is *********** ** ****** any ********* *** *******.

UPnP / ***-****-****/****

** * **** *****, this ************* ****** **** commonalities **** *** **** vulnerability. ** ** *** result ** ****** ****** in *** ***** ********* used ** ****, *** is ******* ** *** attacks ****, ** **** packets ********* ** *** get ********* ******* ** a ***. ** ******** can ******** **** ************* to ****** * ****** of ******* ****** ******* a ******** ******. 

* *** ****** ****** is ***** ******* ** the ******** ** * local *** ******, *** the ******* ******* ** leverage **** ************* **** a ****** ********** ******* resulting ** * **** shell ** ******* ******* of *** ******.

Backdoor **********

** *** **** ****, there **** **** ******** backdoors ********** ** ******* manufacturer's ********, ******** ********* to **** ****** ******* of *** ****** ** ***** or ****-***** ****** **** ******* effort. **** ** ***** Axis *************** **** ********** threats ** ******* ****** backdoor ******. ******' ******** **** *** potential ** ** ********* further **** * ********-***** exploit, *** ***** ** would ** * ****** of ******* *********** ****** on *** ********* ****, vs. *** *****-**-*** ********* found *******,*********,****, **********

Updated ******** *********

**** *** *************** ******** ** ******* all ** ***** ***************. *** to *** ***** ****** of ******** ********, *** the ******* ******** ****** for ***** ********, ** is *** ********* ** list *** ******** ****** and ******** ******* ************ in **** ******. *******, users ****** ***** ****' ******** ********* **** ** **** *** **** recent ******** *** ***** cameras *** ****** ***********.

Open ****** ********* ****** **** *********

***** ******' ******* ** specific ** **** *******, the **** *** **** vulnerabilities *** **** ** present ** ***** ************* cameras, ** *** ******* linux ********* *** **** libraries *** **** ****** by **********. ***** *** wish ** *** ************ of ******** **** *** for * *********** ********* on ******** ** ***** vulnerabilities ** *** ** their ******** ******.

Comments (21)

Now even Axis has locked and loaded cyber warfare weapons in their arsenal? What did we do to all these camera manufacturers to deserve this.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Bashis, Nice work, you are a gem to the surveillance industry. 


I think it will be telling to see the response from all manufacturers that have been hacked/vulnerable.

The difference? When it happens to Axis we are still surprised.

Joking aside, I'm curious to see the response to this article in comparison to similar articles from Hik/Dahua.

Responses will likely be less critical, since as pointed out in the report this is not an easy-to-execute backdoor like Hikvision.

Also, Axis has released clear documents outlining the actual vulnerabilities, and potential for exploit without trying to place blame on others for having these vulnerabilities in their cameras, which generally has the effect of creating less overall controversy around the issues.

Now even Axis has locked and loaded cyber warfare weapons in their arsenal?

Joking aside, what are you even talking about?

This is not a ‘backdoor’. It’s not even an open door, at least not yet.

Bashis, Nice work, you are a gem to the surveillance industry.

Bashis has risen to almost mythical status.  IPVM should bring Bashis aboard :)

Maybe I am misunderstanding the threat level on this, but the UPnP Exploit looks pretty bad from an Insider Threat/Compromised Network POV. Why is it only considered a low risk? 

The UPnP exploit would have the primary impact of just affecting UPnP. There is a small chance it could be turned into a more complex remote code exploit, but so far no such exploits have been developed.

Because this exploit is related to a linux library used by many systems/vendors (meaning millions of devices, making a potentially attractive target base), and there have been no known exploits developed that turn it into a remote code execution or backdoor-style risk, it is unlikely that any new exploits will come just because Axis is also affected.

All things considered, an insider threat would probably prefer to use bashis' vulnerabilities over this one to try and attack an Axis camera.

Thanks for the explanation Brian. That makes a lot more sense in my head. I am also assuming the real threat is combining Bashis's vulnerability with something like a KRACK vulnerable radio to compromise the camera, but that is a different discussion. 

To assess how likely this overflow bug can be turned into a real remote root weapon, some fuller disclosure from bashis is needed, namely:

How much time have you spent so far looking in the output for something that you can use to get root?

 

Someone that exceeds my newbie knowledge, that can beat Axis non-executable and ASLR on both stack and heap, which means researching ROP chains for ARM and MIPS.

No GOT?

Take the challenge to develop a reliable exploit.

I see Axis cameras are not listed on the BusyBox Products/Projects page: https://www.busybox.net/products.html. I would not be surprised if this would be updated after this article :-)

"If you distribute BusyBox without making the source code to the version you distribute available, you violate the license terms, and thus infringe on the copyrights of BusyBox"... does Axis make the source available?

#6, I've asked Axis for a response and will post back when received.

For others, the quote above is from BusyBox's license page.

From the third party license file for a P3367 camera

To request source code for all open source software included in this
product, send a letter to the address below. In the letter, please
state the following:

* Product name and firmware version
* Name and postal delivery address
* Billing address

The requested code will be sent to you on a CD at a charge of 20 USD,
to cover distribution costs.

Axis IPR Department Contact Information:

IPR Department
Axis Communications AB
Emdalavägen 14
SE-223 69 Lund
Sweden

Thanks U#2... a good open source corporate citizen... nice to see.

I have not seen anyone so far that doesn't run BusyBox.

I have not seen anyone so far that doesn't run BusyBox

Here you go:

Take the challenge and be the first to develop an exploit.

I already have one, albeit slightly limited. Took a couple of hours since I'm not an expert - tells you something about how trivial they are to exploit. I just haven't had the time to finish it and report to Arecont since I've been very busy with personal life. If bashis or someone else wants to claim it, I can share what I have, but I have the hunch they wouldn't even need those pointers, as bashis for example is way more knowledgeable with these things than I am.

I feel these cams could allow for pretty unique exploits too, much more severe than typical IP cams.
