Axis FMS Vulnerability 2016 Tested

By: Ethan Ace, Published on Jul 21, 2016

Full disclosure by the researcher of the Axis critical security vulnerability has been made.

But what does this mean? Does it even work? What can you do?

In this report, we share our test findings of how we were able to hack Axis cameras using this disclosure, showing this in a video screencast, plus what is most at risk and what the limitations are.


Key ********

*** *** ******** *******:

  • ****: **** ** *** a *********** *************. ** very **** *** *** us *** **** ****** of ******* **** *******.
  • **********: *** ****** ************** ** *** *************** *** ** ********. This *** *** * vague ** *********** *********** but * ******* ***********.
  • ******: *** ******** ****** only ***** **** * single ****** ** * time *** ******** ******** the ***** ******** *** each **** ****** ********. Of ******, * **** adversary ***** ***** **** this ** ******** ********* multiple ******* *** ****** multiple ********* ***********.
  • ********* *****: **** ****** ** Axis *******, ** *******, allowed ** ** *** some ***** ******** (**** killing *** ***** ******, rebooting *** ******, *********** **** ******* ******** / ******** *****, ***.).** **** *** **** to *** ****** ** the **** ***** *********** ***** ******** / services *** *** ********, by *******, ** **** uses*******, * ***** **** Unix ***** *****. ******:** **** **** ** change *** *** **** password *** *** ****** to **** ***** ******* **** *** *************.
  • ***** ****** ********: ** **** ******* Linux ************** *** ******* skills, *** ***** ** were **** ** ** a ****** ** ****** fairly ******, ** ******* better *** **** ********* techs ***** ***** * lot **** ********.

******* **** **** ****** firmware, ********** *** ***********. Even ** *** *** sure ** ********* *** access *** *******, ***** is * ***** * risk **** ** ******* or ******** ***** **** advantage ** ****.

Demonstration ** *** ****

** **** *****, ** demonstrate * **** ** an ** *** **** broadcasting ** **** ****** and *** ** ****** our *** ****** ** kill *** ***** ****** and ******* ****.*** **** web ********.

************, * ****** (*** infamous *********** *) *** able ** ****** *** Axis ******'* *** ********* with * ***** ************'*, shown *****:

Axis ******** ***** ********

*** ******* ***** **** Axis *** ***** **** "the ******* ** **** sophisticated." *** ********** *** did **** ** ******* very ******* ** ***** by******* ******* *** ****** / ****** ******.

*** ******* ** **** the '*******' **** ** now ****. **** *** people ***** ****** ****** this *** ** ***** own *** **** *** provided ******, ** ** far ****** ** ***** upon **** *** ********* it.

********, ****** * **** since ********** (*** *), Axis *** *** ******* any ** *** ****** document (*.*.,*,*,*) ** ****** *** documentation ** **** ** clear **** *** ********** has **** **** *** that ** ******** * script **** ***** ** much ****** *** *** broader ****** / *********** to **** ********* ** it.

Upgrade **** *******

******** ****** ******* ***** Axis ******* ***********. **** is **** **** ****** now **** *** ********** has ******** * ******* script *** ** ********* through **** *********** ** vulnerabilities.

Comments (22)

Everyone should upgrade their Axis cameras immediately.

Now that the exploit is published, one should reset the camera to defaults first, before upgrading the firmware, by using the hard button.

Because the camera may be already compromised now, and so may not even allow the upgrade to the firmware, or worse it just acts like it's upgrading the firmware but does nothing.

by using the hard button.

You mean physically going to each camera?

Yes, is there another more effective alternative?

Related: Axis, Pay Integrators To Fix Your Critical Defect

Now with Truck Roll.

I do not think you will convince many integrators to do that, the cost would go up astronomically.

I agree, they probably won't.

Certainly if you are on site or have assistance on site I think you should do it.

Using the reset button will not necessarily be enough... it is theoretically possible that the camera contains a modified, compromised binfile. 

Binfile modification / reverse engineering is a much more complicated hack, but it is becoming more commonplace. The recent Sony vulnerability was discovered through de-compiling the firmware bin file. During this process, a more skilled entity can reverse their process and rebuild the firmware file with modified properties.

The best way to deal with this if it is believed your device(s) have been compromised would be the following:

1. Disconnect all remote access, isolate the network

2. Reflash all devices via FTP / command line with a new firmware image directly from Axis.

3. Explore all other devices, servers on network and determine if they have been compromised, take action as needed.

4. Review, make changes, and implement network / security policy on network before reconnecting to internet.

Expensive process.  Not necessary for most situations, but for some customers, it might be necessary.

With this particular vulnerability, reversing the firmware was not even necessary to do to persist across resets.

Using Axis' own persistence mechanism one could survive a reset and even firmware upgrade without eliminating unauthorized access.

Axis devices can't easily have modified binary files on root FS since the root FS is R/O (if you don't remount as R/W of course). However, there are parts of the mounted file system that can contain additional code as it's R/W by default.

Factory Default should be used if you think it has been compromised, as a normal upgrade of FW does save all configuration _including_ the part of R/W FS.

I would suggest first to reset back to Factory Default, then upgrade FW to latest available (or even same FW version), and all should be done offline (at least no Internet access).

By doing this, you would take away potential additional evil code and potential modified binaries.

I can't shake awareness that this vulnerability extends to other Axis products as well, including Axis A1001 access controllers.

Admittedly, the camera population outweighs the door controller population by several orders of magnitude here (Axis just doesn't sell that many A1001s), but if you are using them, this exploit isn't just some theoretical risk with a spitball implementation.

You're looking at those controlled doors and other physical protective security barriers being exploited, not just surveillance cameras.

What's bad about that website http://www.insecam.org/ is they use the direct IPs for the devices inside the HTML.

Someone could easily just run a simple web crawler, extract every IP from this site for every camera, amend the Axis script and pretty much kill every Axis camera there!

Just a tech tip,

YES, a factory default reset can be achieved by using the Axis Camera Management application (free download here). This tool can also be used to perform the firmware upgrades of a group of cameras, programming the time to do it in sequential mode (to avoid downtime of all cameras simultaneously).

To use this tool the only need is to have an HTTP link to the camera from the ACM application.

Alberto, what 1 is getting at is that if the camera has already been rooted and taken over that an attacker could spoof a response to that request from ACM, saying that the camera was factory defaulted when it was not.

Of course, the risk of a hack so complete so soon in so many places is unlikely.

Though I do think that Alberto's suggestion has merit, as only someone with deep Axis knowledge would think to do much more than a simple "Firmware is up to date" message on the web interface. So using ACM should be less prone to tampering.

Also, the hard button, while avoiding network based attacks/spoofs, ultimately calls some script on the camera, so that could be compromised, if someone knew what they were doing.

John,

Seems like everything can be done by hackers, but simulating that a factory default has been made without actually resetting the camera sounds quite "creative". At least after the factory default all parameters and settings have to appear as reset (but left unchanged to keep the hack). Very unlikely. I still recommend using the tool; if it actually does not reset the camera, then hard reset is the last option.

Just a few comments to share:

The exploit works only on the camera's web server port, not on other network listening services.

The published PoC (reverse shell) is fully usable by an attacker (as Ethan mentioned, the hard part is done) but, to exploit the vulnerability, it's necessary to correctly "guess" the processor architecture and firmware version; if not, it is useless. Writing different shellcode than the PoC reverse shell is hard work since it's cross-platform hex ASM code.

So if your cameras are published on the internet behind a firewall with content filtering capabilities (such as Linux iptables or standalone ones: Cisco, Fortinet, etc.) you could add some deny rules to restrict outbound traffic (new connections) to any remote IP for the cameras. This will prevent the reverse shell connection from being established by a remote Internet attacker, thus avoiding hijacking.

If your cameras are published to the internet with a fixed public IP, there is nothing to do to prevent it; hurry up updating the firmware since it is very easy to exploit (because the firmware and model needed by the script can be obtained from the FTP login banner of the camera).

The same situation applies if you feel an attacker could have access to the same VLAN as the cameras.

At this time, compromising the camera needs reverse shell code execution in order to write changes to the flash config zone, such as /etc. And the only way to get rid of this potential issue is to reset to factory settings after a firmware update that fixes the vulnerability.

Resetting all parameters, except the IP parameters, to the original factory settings is good enough to get rid of scripts and malefic code injections and is safe to be done remotely.

Do not forget to follow Axis' hardening guide as far as possible: http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf
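The egress restriction suggested in the comment above, as an added example that is not part of the original comment or of any Axis documentation: a dry-run generator for iptables rules that lets cameras answer sessions opened towards them but logs and drops any new connection they initiate. The camera subnet, the allowed VMS/NTP hosts, the FORWARD chain placement and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: block NEW outbound connections from a camera VLAN.
# All addresses below are constructed sample values, not from the page.

CAMERA_NET="192.168.50.0/24"               # assumed camera VLAN
ALLOWED_DSTS="192.168.10.5 192.168.10.6"   # assumed VMS/NVR and NTP hosts

# Accept only a.b.c.d or a.b.c.d/nn so nothing else can reach the
# generated command lines if the output is later piped into a shell.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Usage: camera_egress_rules <camera-net> [allowed-destination ...]
camera_egress_rules() {
    for a in "$@"; do
        is_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    net="$1"; shift

    # Replies on sessions opened towards the cameras (VMS pulling video,
    # admin browser) remain allowed.
    echo "iptables -A FORWARD -s $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Destinations the cameras may legitimately contact on their own.
    for dst in "$@"; do
        echo "iptables -A FORWARD -s $net -d $dst -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Any other connection a camera initiates is logged, then dropped.
    # A hit on the LOG rule is itself worth alerting on.
    echo "iptables -A FORWARD -s $net -m conntrack --ctstate NEW -j LOG --log-prefix \"CAM-EGRESS-DENY: \""
    echo "iptables -A FORWARD -s $net -m conntrack --ctstate NEW -j DROP"
}

# Dry run: print the rules for review before applying them on the firewall.
camera_egress_rules "$CAMERA_NET" $ALLOWED_DSTS
```

Rule order matters: the DROP must come after the ACCEPT rules, and the rules only help when the firewall actually sits between the cameras and the destination.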

The official name of this exploit is:

[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

PACS = Physical Access Control Software

Yet I don't know what MPQT stands for, does anyone?

My best guesses:

Multi-protocol Queueing* Transceiver

Multi-protocol Quality Transmission

Multi-protocol Query Tool

*Queueing has 5 vowels in a row, a personal high for me.

MPQT are just the first letters of the Axis products in the directory tree, e.g. M3004, P3367, Q1755, T8415...

Please note that while you covered the IP address of the camera in the first video, in 0:49 you can see it in the script.
Not sure it's important or not.

At this point in time, did Axis release its firmware update that fixes the problem or haven't they yet?

Itamar, firmware for some but not all Axis cameras was released on June 29th, covered here. Today, from the service release doc, all Axis devices are reported upgraded except for:

As for the covered IP, I see it flashing for less than a second at the 53 second mark. That said, there are thousands of Axis cameras at Insecam's website which makes for a treasure trove.

The practical problem is that many / most people delay on firmware upgrades, compounded by Axis slow / limited communication and continued failure to make clear that a working program now exists that simplifies attacking / rooting Axis devices.

Sorry for asking what is probably a stupid question, but does this test now show that the recommendation from Axis, that only cameras connected directly to the Internet need immediate upgrade and those that are connected via an NVR behind a firewall can be carried out on the next maintenance visit, is incorrect advice? As below:

Cameras connected to an Axis or third party VMS/NVR which are then connected to the internet are at low risk and could have their firmware updated at the next maintenance visit?

  1. Correct.

    The route into the customer's LAN is via the VMS/NVR hence the camera isn't exposed, or connected to the internet. The exploit would have to be performed from inside the End User's organisation.

2, where is that statement from? Is it from an Axis email? I could not find it online.

That noted, I think it's better to upgrade immediately.

One, there may be other openings / vulnerabilities to one's network that the organization is not aware of. Two, with a working script available on the public Internet, there could be someone on-site (whether employee or contractor) who might take advantage of it.

The probability of attack is probably low but the severity of being able to root Axis devices is high, which would motivate a prudent manager to upgrade asap.

Let me know where that statement is from, thanks!

That's a response I received from our Axis account manager to my inquiries. Many thanks for the work and advice you are providing on this subject.
