Axis FMS Vulnerability 2016 Tested

By: Ethan Ace, Published on Jul 21, 2016

The researcher has now made full disclosure of the critical Axis security vulnerability.

But what does this mean? Does it even work? What can you do?

In this report, we share our test findings: how we were able to hack Axis cameras using this disclosure (shown in a video screencast), what is most at risk, and what the limitations are.

Key ********

*** *** ******** *******:

  • ****: **** ** *** a *********** *************. ** very **** *** *** us *** **** ****** of ******* **** *******.
  • **********: *** ****** ************** ** *** *************** *** ** ********. This *** *** * vague ** *********** *********** but * ******* ***********.
  • ******: *** ******** ****** only ***** **** * single ****** ** * time *** ******** ******** the ***** ******** *** each **** ****** ********. Of ******, * **** adversary ***** ***** **** this ** ******** ********* multiple ******* *** ****** multiple ********* ***********.
  • ********* *****: **** ****** ** Axis *******, ** *******, allowed ** ** *** some ***** ******** (**** killing *** ***** ******, rebooting *** ******, *********** **** ******* ******** / ******** *****, ***.).** **** *** **** to *** ****** ** the **** ***** *********** ***** ******** / services *** *** ********, by *******, ** **** uses*******, * ***** **** Unix ***** *****. ******:** **** **** ** change *** *** **** password *** *** ****** to **** ***** ******* **** *** *************.
  • ***** ****** ********: ** **** ******* Linux ************** *** ******* skills, *** ***** ** were **** ** ** a ****** ** ****** fairly ******, ** ******* better *** **** ********* techs ***** ***** * lot **** ********.

******* **** **** ****** firmware, ********** *** ***********. Even ** *** *** sure ** ********* *** access *** *******, ***** is * ***** * risk **** ** ******* or ******** ***** **** advantage ** ****.

Demonstration ** *** ****

** **** *****, ** demonstrate * **** ** an ** *** **** broadcasting ** **** ****** and *** ** ****** our *** ****** ** kill *** ***** ****** and ******* ****.*** **** web ********.

************, * ****** (*** infamous *********** *) *** able ** ****** *** Axis ******'* *** ********* with * ***** ************'*, shown *****:

Axis ******** ***** ********

*** ******* ***** **** Axis *** ***** **** "the ******* ** **** sophisticated." *** ********** *** did **** ** ******* very ******* ** ***** by******* ******* *** ****** / ****** ******.

*** ******* ** **** the '*******' **** ** now ****. **** *** people ***** ****** ****** this *** ** ***** own *** **** *** provided ******, ** ** far ****** ** ***** upon **** *** ********* it.

********, ****** * **** since ********** (*** *), Axis *** *** ******* any ** *** ****** document (*.*.,*,*,*) ** ****** *** documentation ** **** ** clear **** *** ********** has **** **** *** that ** ******** * script **** ***** ** much ****** *** *** broader ****** / *********** to **** ********* ** it.

Upgrade **** *******

******** ****** ******* ***** Axis ******* ***********. **** is **** **** ****** now **** *** ********** has ******** * ******* script *** ** ********* through **** *********** ** vulnerabilities.

Comments (22)

Everyone should upgrade their Axis cameras immediately.

Now that the exploit is published, one should reset the camera to defaults first, before upgrading the firmware, by using the hard button.

Because the camera may be already compromised now, and so may not even allow the upgrade to the firmware, or worse it just acts like it's upgrading the firmware but does nothing.

by using the hard button.

You mean physically going to each camera?

Yes, is there another more effective alternative?

Related: Axis, Pay Integrators To Fix Your Critical Defect

Now with Truck Roll.

I do not think you will convince many integrators to do that, the cost would go up astronomically.

I agree, they probably won't.

Certainly if you are on site or have assistance on site I think you should do it.

Using the reset button will not necessarily be enough... it is theoretically possible that the camera contains a modified, compromised binfile.

Binfile modification / reverse engineering is a much more complicated hack, but it is becoming more commonplace. The recent Sony vulnerability was discovered through de-compiling the firmware bin file. During this process, a more skilled entity can reverse their process and rebuild the firmware file with modified properties.

The best way to deal with this if it is believed your device(s) have been compromised would be the following:

1. Disconnect all remote access, isolate the network

2. Reflash all devices via FTP / command line with a new firmware image directly from Axis.

3. Explore all other devices, servers on network and determine if they have been compromised, take action as needed.

4. Review, make changes, and implement network / security policy on network before reconnecting to internet.

Expensive process. Not necessary for most situations, but for some customers, it might be necessary.

With this particular vulnerability, reversing the firmware was not even necessary to do to persist across resets.

Using Axis' own persistence mechanism one could survive a reset and even firmware upgrade without eliminating unauthorized access.

Axis devices can't easily have modified binary files on root FS since the root FS is R/O (if you don't remount as R/W of course). However, there are parts of the mounted file system that can contain additional code as it's R/W by default.

Factory Default should be used if you think it has been compromised, as a normal upgrade of FW does save all configuration _including_ the part of R/W FS.

I would suggest first to reset back to Factory Default, then upgrade FW to latest available (or even same FW version), and all should be done offline (at least no Internet access).

By doing this, you would take away potential additional evil code and potential modified binaries.

I can't shake awareness that this vulnerability extends to other Axis products as well, including Axis A1001 access controllers.

Admittedly, the camera population outweighs the door controller population by several orders of magnitude here (Axis just doesn't sell that many A1001s), but if you are using them, this exploit isn't just some theoretical risk with a spitball implementation.

You're looking at those controlled doors and other physical protective security barriers being exploited, not just surveillance cameras.

What's bad about that website http://www.insecam.org/ is they use the direct IPs for the devices inside the HTML.

Someone could easily just run a simple web crawler, extract every IP from this site for every camera, amend the Axis script and pretty much kill every Axis camera there!

Just a tech tip,

YES, a factory default reset can be achieved by using the Axis Camera Management application (free download here). This tool can be also used to perform the firmware upgrades of a group of cameras programming the time to do it in sequential mode (to avoid all cameras downtime simultaneously).

To use this tool, the only need is to have an HTTP link to the camera from the ACM application.

Alberto, what 1 is getting at is that if the camera has already been rooted and taken over that an attacker could spoof a response to that request from ACM, saying that the camera was factory defaulted when it was not.

Of course, the risk of a hack so complete so soon in so many places is unlikely.

Though I do think that Alberto's suggestion has merit, as only someone with deep Axis knowledge would think to do much more than a simple "Firmware is up to date" message on the web interface. So using ACM should be less prone to tampering.

Also, the hard button, while avoiding network based attacks/spoofs, ultimately calls some script on the camera, so that could be compromised, if someone knew what they were doing.

John,

Seems like everything can be done by hackers, but simulating that a factory default has been made without actually resetting the camera sounds quite "creative". At least after the factory default all parameters and settings have to appear as reset (but left unchanged to keep the hack). Very much unlikely. I still recommend using the tool; if it actually does not reset the camera, then hard reset is the last option.

Just a few comments to share:

Exploit works only on the camera web server port, not on other network listening services.

Published PoC (reverse shell) is fully usable by an attacker (as Ethan mentioned, the hard part is done) but, to exploit the vulnerability, it's necessary to assert ("guess") the proc architecture and firmware version; if not, it is useless. Writing different shellcode than the PoC reverse shell is hard work since it's cross-platform hex ASM code.

So if your cameras are published on the internet behind a firewall with content filtering capabilities (such as Linux iptables or standalone ones: Cisco, Fortinet, etc.), you could add some deny rules to restrict outbound traffic (new connections) to any remote IP for cameras. This will avoid the reverse shell connection establishment by a remote Internet attacker, thus avoiding hijacking.

If your cameras are published to the internet with a fixed public IP, there is nothing to do to prevent it; hurry up updating firmware since it is very easy to exploit (because the firmware and model needed by the script could be obtained from the FTP login banner of the camera).

Same situation if you feel an attacker could have access to the same VLAN as the cameras.

At this time, compromising the camera needs reverse shell code execution in order to write changes on the flash config zone, such as /etc. And the only way to get rid of this potential issue is to reset to factory settings after a firmware update that fixes the vulnerability.

Resetting all parameters, except the IP parameters, to the original factory settings is good enough to get rid of scripts and malefic code injections and is safe to be done remotely.

Do not forget to follow Axis as much as possible: http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf
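The egress restriction described in the comment above also gives a detection signal: a camera that opens a new outbound connection to an unexpected host. The following is an added example, not code from the commenter, IPVM or Axis; the camera subnet, the allowlist, the `CAM-NEW ` log prefix and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed, not from the page): cameras sit in 192.0.2.0/24
# and the firewall logs every connection they initiate with a rule such as
#   iptables -A FORWARD -s 192.0.2.0/24 -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "CAM-NEW "
CAMERA_NET = ipaddress.ip_network("192.0.2.0/24")
LOG_PREFIX = "CAM-NEW "
# Hypothetical destinations the cameras are expected to contact themselves.
ALLOWED = {
    ("198.51.100.20", "udp", 123),  # NTP server
    ("198.51.100.30", "udp", 514),  # syslog collector
}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return (src, dst, proto, dport) from an iptables LOG line, or None."""
    if LOG_PREFIX not in line:
        return None
    f = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = str(ipaddress.ip_address(f["DST"]))
        # ICMP has no DPT field; report it with port 0 instead of dropping it.
        return src, dst, f["PROTO"].lower(), int(f.get("DPT", "0"))
    except (KeyError, ValueError):
        return None  # truncated or malformed line

def suspicious_egress(lines):
    """Camera-initiated flows to destinations outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if src in CAMERA_NET and (dst, proto, dport) not in ALLOWED:
            hits.append((str(src), dst, proto, dport))
    return hits

# Constructed sample log lines.
SAMPLE = [
    "Jul 21 10:02:09 fw kernel: CAM-NEW IN=eth1 OUT=eth0 SRC=192.0.2.15 DST=198.51.100.20 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Jul 21 10:02:11 fw kernel: CAM-NEW IN=eth1 OUT=eth0 SRC=192.0.2.15 DST=203.0.113.77 LEN=60 TTL=63 PROTO=TCP SPT=41822 DPT=4444 SYN",
    "Jul 21 10:02:12 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.15 PROTO=TCP SPT=5050 DPT=80 SYN",
    "Jul 21 10:02:13 fw kernel: CAM-NEW IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=",
    "Jul 21 10:02:14 fw kernel: CAM-NEW IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.77 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for hit in suspicious_egress(SAMPLE):
        print("unexpected camera egress:", hit)
```

Cameras normally answer connections from the VMS/NVR rather than start them, so the allowlist can stay very short and any hit is worth investigating.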

The official name of this exploit is:

[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

PACS = Physical Access Control Software

Yet I don't know what MPQT stands for, does anyone?

My best guesses:

Multi-protocol Queueing* Transceiver

Multi-protocol Quality Transmission

Multi-protocol Query Tool

*Queueing has 5 vowels in a row, a personal high for me.

MPQT are just the first letters of the Axis products in the directory tree, e.g. M3004, P3367, Q1755, T8415...

Please note that while you covered the IP address of the camera in the first video, in 0:49 you can see it in the script.
Not sure if it's important or not.

At this point in time, did Axis release its firmware update that fixes the problem or haven't they yet?

Itamar, firmware for some but not all Axis cameras was released on June 29th, covered here. Today, from the service release doc, all Axis devices are reported upgraded except for:

As for the covered IP, I see it flashing for less than a second at the 53 second mark. That said, there are thousands of Axis cameras at Insecam's website which makes for a treasure trove.

The practical problem is that many / most people delay on firmware upgrades, compounded by Axis slow / limited communication and continued failure to make clear that a working program now exists that simplifies attacking / rooting Axis devices.

Sorry for asking what is probably a stupid question, but does this test now show that the recommendation from Axis, that only cameras connected directly to the Internet need immediate upgrade and that those connected via an NVR behind a firewall can be upgraded on the next maintenance visit, is incorrect advice? As below:

Cameras connected to an Axis or third party VMS/NVR which are then connected to the internet are at low risk and could have their firmware updated at the next maintenance visit?

  1. Correct.

    The route into the customer's LAN is via the VMS/NVR hence the camera isn't exposed, or connected to the internet. The exploit would have to be performed from inside the End User's organisation.

2, where is that statement from? Is it from an Axis email? I could not find it online.

That noted, I think it's better to upgrade immediately.

One, there may be other openings / vulnerabilities to one's network that the organization is not aware. Two, with a working script available on the public Internet, there could be someone on-site (whether employee or contractor) who might take advantage of it.

The probability of attack is probably low but the severity of being able to root Axis devices is high, which would motivate a prudent manager to upgrade asap.

Let me know where that statement is from, thanks!

That's a response I received from our Axis account manager to my inquiries. Many thanks for the work and advice you are providing on this subject.