Axis FMS Vulnerability 2016 Tested

Author: Ethan Ace, Published on Jul 21, 2016

Full disclosure by the researcher of the Axis critical security vulnerability has been made.

But what does this mean? Does it even work? What can you do?

In this report, we share our test findings of how we were able to hack Axis cameras using this disclosure, showing this in a video screencast, plus what is most at risk and what the limitations are.

Comments (22)

Everyone should upgrade their Axis cameras immediately.

Now that the exploit is published, one should reset the camera to defaults first, before upgrading the firmware, by using the hard button.

Because the camera may already be compromised now, and so may not even allow the upgrade to the firmware, or worse it just acts like it's upgrading the firmware but does nothing.

by using the hard button.

You mean physically going to each camera?

Yes, is there another more effective alternative?

Related: Axis, Pay Integrators To Fix Your Critical Defect

Now with Truck Roll.

I do not think you will convince many integrators to do that, the cost would go up astronomically.

I agree, they probably won't.

Certainly if you are on site or have assistance on site I think you should do it.

Using the reset button will not necessarily be enough... it is theoretically possible that the camera contains a modified, compromised binfile.

Binfile modification / reverse engineering is a much more complicated hack, but it is becoming more commonplace. The recent Sony vulnerability was discovered through decompiling the firmware bin file. During this process, a more skilled entity can reverse their process and rebuild the firmware file with modified properties.

The best way to deal with this if it is believed your device(s) have been compromised would be the following:

1. Disconnect all remote access, isolate the network

2. Reflash all devices via FTP / command line with a new firmware image directly from Axis.

3. Explore all other devices, servers on network and determine if they have been compromised, take action as needed.

4. Review, make changes, and implement network / security policy on network before reconnecting to internet.

Expensive process. Not necessary for most situations, but for some customers, it might be necessary.

With this particular vulnerability, reversing the firmware was not even necessary to do to persist across resets.

Using Axis' own persistence mechanism one could survive a reset and even firmware upgrade without eliminating unauthorized access.

Axis devices can't easily have modified binary files on the root FS since the root FS is R/O (if you don't remount it as R/W, of course). However, there are parts of the mounted file system that can contain additional code, as it's R/W by default.

Factory Default should be used if you think it has been compromised, as a normal FW upgrade does save all configuration _including_ the R/W part of the FS.

I would suggest first to reset back to Factory Default, then upgrade FW to latest available (or even same FW version), and all should be done offline (at least no Internet access).

By doing this, you would take away potential additional evil code and potential modified binaries.

I can't shake awareness that this vulnerability extends to other Axis products as well, including Axis A1001 access controllers.

Admittedly, the camera population outweighs the door controller population by several orders of magnitude here (Axis just doesn't sell that many A1001s), but if you are using them, this exploit isn't just some theoretical risk with a spitball implementation.

You're looking at those controlled doors and other physical protective security barriers being exploited, not just surveillance cameras.

What's bad about that website http://www.insecam.org/ is they use the direct IPs for the devices inside the HTML.

Someone could easily just run a simple web crawler, extract every IP from this site for every camera, amend the Axis script and pretty much kill every Axis camera there!

Just a tech tip,

YES, a factory default reset can be achieved by using the Axis Camera Management application (free download here). This tool can also be used to perform the firmware upgrades of a group of cameras, scheduling them to run in sequential mode (to avoid all cameras being down simultaneously).

To use this tool, the only requirement is an HTTP link to the camera from the ACM application.

Alberto, what 1 is getting at is that if the camera has already been rooted and taken over, an attacker could spoof a response to that request from ACM, saying that the camera was factory defaulted when it was not.

Of course, the risk of a hack so complete so soon in so many places is unlikely.

Though I do think that Alberto's suggestion has merit, as only someone with deep Axis knowledge would think to do much more than a simple "Firmware is up to date" message on the web interface. So using ACM should be less prone to tampering.

Also, the hard button, while avoiding network based attacks/spoofs, ultimately calls some script on the camera, so that could be compromised, if someone knew what they were doing.

John,

Seems like everything can be done by hackers, but simulating that a factory default has been made without actually resetting the camera sounds quite "creative". At least after the factory default, all parameters and settings would have to appear as reset (but be left unchanged to keep the hack). Very much unlikely. I still recommend using the tool; if it actually does not reset the camera, then a hard reset is the last option.

Just a few comments to share:

The exploit works only on the camera's web server port, not on other listening network services.

The published PoC (reverse shell) is fully usable by an attacker (as Ethan mentioned, the hard part is done) but, to exploit the vulnerability, it's necessary to "guess" the proc architecture and firmware version correctly; if not, it is useless. Writing different shellcode than the PoC reverse shell is hard work since it's cross-platform hex ASM code.

So if your cameras are published on the internet behind a firewall with content filtering capabilities (such as Linux iptables or standalone ones: Cisco, Fortinet, etc.), you could add some deny rules to restrict outbound traffic (new connections) from the cameras to any remote IP. This will prevent a remote Internet attacker from establishing the reverse shell connection, thus avoiding hijacking.

If your cameras are published to the internet with a fixed public IP, there is nothing you can do to prevent it; hurry up and update the firmware, since it is very easy to exploit (because the firmware and model needed by the script could be obtained from the FTP login banner of the camera).

Same situation if you feel an attacker could have access to the same VLAN as the cameras.

At this time, compromising the camera needs reverse shell code execution in order to write changes to the flash config zone, such as /etc. And the only way to get rid of this potential issue is to reset to factory settings after the firmware update that fixes the vulnerability.

Resetting all parameters, except the IP parameters, to the original factory settings is good enough to get rid of scripts and malicious code injections, and is safe to do remotely.

Do not forget to follow Axis as far as possible: http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf
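The egress restriction suggested in the comment above, as an added example that is not part of the original thread or of any Axis or IPVM material. It assumes a Linux gateway that routes the camera VLAN and cameras that are only ever polled by a recorder; the chain name, log tag and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses are constructed
# placeholders from the RFC 5737 documentation ranges.
CAMERA_NET="${CAMERA_NET:-192.0.2.0/24}"   # assumed camera VLAN
LOG_PREFIX="CAM-EGRESS-NEW "               # hypothetical log tag

# Emit an iptables-restore fragment for a Linux gateway routing the camera
# VLAN. Replies on sessions opened by a recorder or viewer are ESTABLISHED
# and pass; a connection the camera opens itself is NEW, so it is logged
# and dropped before a reverse shell can reach its listener.
camera_egress_rules() {
    cat <<EOF
*filter
:CAM-EGRESS - [0:0]
-A FORWARD -s $1 -j CAM-EGRESS
-A CAM-EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A CAM-EGRESS -m conntrack --ctstate NEW -j LOG --log-prefix "$LOG_PREFIX"
-A CAM-EGRESS -j DROP
COMMIT
EOF
}

# Read kernel log lines on stdin and summarise what the LOG rule caught as
# "<count> <camera> -> <destination>:<port>", most frequent first.
blocked_attempts() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.* SRC=\([^ ]*\) DST=\([^ ]*\) .* DPT=\([^ ]*\) .*/\1 -> \2:\3/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3, $4}'
}

# Constructed sample of kernel log output for the report function.
sample_log() {
    cat <<'EOF'
Jul 21 10:02:11 gw kernel: CAM-EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.50 LEN=60 TTL=63 PROTO=TCP SPT=41822 DPT=8080 WINDOW=29200 SYN URGP=0
Jul 21 10:02:14 gw kernel: CAM-EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.50 LEN=60 TTL=63 PROTO=TCP SPT=41822 DPT=8080 WINDOW=29200 SYN URGP=0
Jul 21 10:05:40 gw kernel: CAM-EGRESS-NEW IN=eth1 OUT=eth0 SRC=192.0.2.41 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Jul 21 10:06:02 gw sshd[811]: Accepted publickey for admin from 198.51.100.9
EOF
}

case "${1:-}" in
    rules)  camera_egress_rules "$CAMERA_NET" ;;  # review, then iptables-restore --noflush
    report) blocked_attempts ;;                    # feed it the kernel log on stdin
    demo)   sample_log | blocked_attempts ;;
esac
```

Any entry in the report is a camera trying to open a connection on its own, which is worth investigating even when the destination turns out to be something benign such as an NTP server that needs an explicit allow rule.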

The official name of this exploit is:

[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

PACS = Physical Access Control Software

Yet I don't know what MPQT stands for, does anyone?

My best guesses:

Multi-protocol Queueing* Transceiver

Multi-protocol Quality Transmission

Multi-protocol Query Tool

*Queueing has 5 vowels in a row, a personal high for me.

MPQT are just the first letters of the Axis products in the directory tree, e.g. M3004, P3367, Q1755, T8415...

Please note that while you covered the IP address of the camera in the first video, in 0:49 you can see it in the script.
Not sure it's important or not.

At this point in time, did Axis release its firmware update that fixes the problem or haven't they yet?

Itamar, firmware for some but not all Axis cameras was released on June 29th, covered here. Today, from the service release doc, all Axis devices are reported upgraded except for:

As for the covered IP, I see it flashing for less than a second at the 53 second mark. That said, there are thousands of Axis cameras at Insecam's website which makes for a treasure trove.

The practical problem is that many / most people delay on firmware upgrades, compounded by Axis' slow / limited communication and continued failure to make clear that a working program now exists that simplifies attacking / rooting Axis devices.

Sorry for asking what is probably a stupid question but does this test now show that the recommendation from Axis that only cameras connected directly to the Internet need immediate upgrade, and those that are connected via an NVR behind a firewall can be carried out on the next maintenance visit as incorrect advice? as below

Cameras connected to an Axis or third party VMS/NVR which are then connected to the internet are at low risk and could have their firmware updated at the next maintenance visit?

  1. Correct.

    The route into the customer's LAN is via the VMS/NVR, hence the camera isn't exposed or connected to the internet. The exploit would have to be performed from inside the End User's organisation.

2, where is that statement from? Is it from an Axis email? I could not find it online.

That noted, I think it's better to upgrade immediately.

One, there may be other openings / vulnerabilities to one's network that the organization is not aware of. Two, with a working script available on the public Internet, there could be someone on-site (whether employee or contractor) who might take advantage of it.

The probability of attack is probably low but the severity of being able to root Axis devices is high, which would motivate a prudent manager to upgrade asap.

Let me know where that statement is from, thanks!

That's a response I received from our Axis account manager to my inquiries. Many thanks for the work and advice you are providing on this subject.
