Axis FMS Vulnerability 2016 Tested

Author: Ethan Ace, Published on Jul 21, 2016

Full disclosure by the researcher of the Axis critical security vulnerability has been made.

But what does this mean? Does it even work? What can you do?

In this report, we share our test findings of how we were able to hack Axis cameras using this disclosure, showing this in a video screencast, plus what is most at risk and what the limitations are.

**** ********** ** *** ********** ** ******* ******** ******** **************** **** ****.

*** **** **** **** ****? **** ** **** ****? **** can *** **?

** **** ******, ** ***** *** **** ******** ** *** we **** **** ** **** **** ******* ***** **** **********, showing **** ** * ***** **********, **** **** ** **** at **** *** **** *** *********** ***.

[***************]

Key ********

*** *** ******** *******:

  • ****: **** ** *** * *********** *************. ** **** **** did *** ** *** **** ****** ** ******* **** *******.
  • **********: *** ****** ************** ** *** *************** *** ** ********. **** *** *** * ***** ** qualitative *********** *** * ******* ***********.
  • ******: *** ******** ****** **** ***** **** * ****** ****** at * **** *** ******** ******** *** ***** ******** *** each **** ****** ********. ** ******, * **** ********* ***** build **** **** ** ******** ********* ******** ******* *** ****** multiple ********* ***********.
  • ********* *****: **** ****** ** **** *******, ** *******, ******* ** to *** **** ***** ******** (**** ******* *** ***** ******, rebooting *** ******, *********** **** ******* ******** / ******** *****, ***.).** **** *** **** ** *** ****** ** *** **** video *********** ***** ******** / ******** *** *** ********, ** *******, as **** ***********, * ***** **** **** ***** *****. ******:** **** **** ** ****** *** *** **** ******** *** get ****** ** **** ***** ******* **** *** *************.
  • ***** ****** ********: ** **** ******* ***** ************** *** ******* ******, *** while ** **** **** ** ** * ****** ** ****** fairly ******, ** ******* ****** *** **** ********* ***** ***** cause * *** **** ********.

******* **** **** ****** ********, ********** *** ***********. **** ** you *** **** ** ********* *** ****** *** *******, ***** is * ***** * **** **** ** ******* ** ******** could **** ********* ** ****.

Demonstration ** *** ****

** **** *****, ** *********** * **** ** ** ** day **** ************ ** **** ****** *** *** ** ****** our *** ****** ** **** *** ***** ****** *** ******* Axis.com **** *** ********.

************, * ****** (*** ******** *********** *) *** **** ** deface *** **** ******'* *** ********* **** * ***** ************'*, shown *****:

Axis ******** ***** ********

*** ******* ***** **** **** *** ***** **** "*** ******* is **** *************." *** ********** *** *** **** ** ******* very ******* ** ***** ********* ******* *** ****** / ****** ******.

*** ******* ** **** *** '*******' **** ** *** ****. Very *** ****** ***** ****** ****** **** *** ** ***** own *** **** *** ******** ******, ** ** *** ****** to ***** **** **** *** ********* **.

********, ****** * **** ***** ********** (*** *), **** *** not ******* *** ** *** ****** ******** (*.*.,*,*,*) ** ****** *** ************* ** **** ** ***** **** the ********** *** **** **** *** **** ** ******** * script **** ***** ** **** ****** *** *** ******* ****** / *********** ** **** ********* ** **.

Upgrade **** *******

******** ****** ******* ***** **** ******* ***********. **** ** **** more ****** *** **** *** ********** *** ******** * ******* script *** ** ********* ******* **** *********** ** ***************.

Comments (22)

Everyone should upgrade their Axis cameras immediately.

Now that the exploit is published, one should reset the camera to defaults first, before upgrading the firmware, by using the hard button.

Because the camera may be already compromised now, and so may not even allow the upgrade to the firmware, or worse it just acts like its upgrading the firmware but does nothing.

by using the hard button.

You mean physically going to each camera?

Yes, is there another more effective alternative?

Related:Axis, Pay Integrators To Fix Your Critical Defect

Now with Truck Roll.

I do not think you will convince many integrators to do that, the cost would go up astronomically.

I agree, they probably won't.

Certainly if you are on site or have assistance on site I think you should do it.

Using the reset button will not necessarily be enough... it is theoretically possible that the camera contains a modified, compromised binfile.

Binfile modification / reverse engineering is a much more complicated hack, but is it becoming more commonplace. The recent Sony vulnerability was discovered through de-compiling the firmware bin file. During this process, a more skilled entity can re-verse their process and rebuild the firmware file with modified properties.

The best way to deal with this if it is believed your device(s) have been compromised would be the following:

1. Disconnect all remote access, isolate the network

2. Reflash all devices via FTP / command line with a new firmware image directly from Axis.

3. Explore all other devices, servers on network and determine if they have been compromised, take action as needed.

3. Review, make changes, and implement network / security policy on network before reconnecting to internet.

Expensive process. Not necessary for most situations, but for some customers, it might be necessary.

With this particular vulnerability, reversing the firmware was not even necessary to do to persist across resets.

Using Axis' own persistence mechanism one could survive a reset and even firmware upgrade without eliminating unauthorized access.

Axis devices can't easily have modified binary files on root FS since the root FS is R/O (if you don't remount as R/W of course). However, there is parts of mounted file system that can contain additional code as it's R/W by default.

Factory Default should be used if you think it has been compromised, as normal upgrade of FW do save all configuration _including_ the part of R/W FS.

I would suggest first to reset back to Factory Default, then upgrade FW to latest available (or even same FW version), and all should be done offline (at least no Internet access).

By doing this, you would take away potential additional evil code and potential modified binaries.

I can't shake awareness that this vulnerability extends to other Axis product as well, including Axis A1001 access controllers.

Admittedly, the camera population outweighs the door controller population by several orders of magnitude here (Axis just doesn't sell that many A1001s), but if you are using them, this exploit isn't just some theoretical risk with a spitball implementation.

You're looking at those controlled doors and other physical protective security barriers being exploited, not just surveillance cameras.

What's bad about that website http://www.insecam.org/ is they use the direct IPs for the devices inside the HTML.

Someone could easily just run a simple web crawler, extract every IP from this site for every camera, amend the Axis script and pretty much kill every axis camera there!

Just a tech tip,

YES, a factory default reset can be achieved by using the Axis Camera Management application (free download here). This tool can be also used to perform the firmware upgrades of a group of cameras programming the time to do it in sequential mode (to avoid all cameras downtime simultaneously).

To use this tool the only need is to have HTTP link to the camera from the ACM application.

Alberto, what 1 is getting at is that if the camera has already been rooted and taken over that an attacker could spoof a response to that request from ACM, saying that the camera was factory defaulted when it was not.

Of course, the risk of a hack so complete so soon in so many places is unlikely.

Though I do think that Alberto's suggestion has merit, as only someone with deep Axis knowledge would think to do much more than a simple "Firmware is up to date" message on the web interface. So using ACM should be less prone to tampering.

Also, the hard button, while avoiding network based attacks/spoofs, ultimately calls some script on the camera, so that could be compromised, if someone knew what they were doing.

John,

Seems like everything can be done by hackers, but simulating that factory default has been made without actually reset the camera sounds quite "creative" . At least after the factory default all parameters and settings have to appear as reset (but left unchanged to keep the hack). Very much unlikely. I still recommend to use the tool, if it actually does not reset the camera, then hard reset is the last option.

Just a few comments to share:

Exploit works only on camera Web Server Port not on other network listenning services.

Publised PoC (reverse shell) is fully ussable by an attacker (as Ethan mentioned hard part is done) but, to exploit vulnerability, its necesary to assert "guess" proc architecture and firmware Version, if not is useless. Writing different shellcode than PoC reverse shell its hard work since its cross-platform Hex ASM code.

So if your cameras are published on internet behind a firewall, with firewall content filtering capabilities (such as linux iptables or standalone ones: Cisco, Fortinet, etc) you could add some deny rules to restrict outbound traffic (new connectings) to any remote ip for Cameras. This will avoid the reverse shell connection establishment by a remote Internet Attacker, thus avoiding hijacking.

If your cameras are published into the internet by having a Fixed Public IP, nothing to do prevent, hurry up updating firmware since is very easy to be exploit, (because firmware and model, needed by the script could obtained from the Ftp login banner of the camera).

Same situation if you feel an attacker could have accesss to the same VLAN of the cameras.

At this time, Compromissing the camera needs, reverse shell code ejecution in order to wrote changes on the flash config, zone such as /etc. And the only way to get rid off this potential issue is to reset to factory setting after firmware update that fixes vulnerability.

Resets all parameters, except the IP parameters, to the original factory settings is good enough to get rid of scripts and malefic code injections and safe to be done remotely.

Do not forget, to follow Axis as possible: http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf

The official name of this exploit is:

[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

PACS = Physical Access Control Software

Yet I don't know what MPQT stands for, does anyone?

My best guesses:

Multi-protocol Queueing* Transceiver

Multi-protocol Quality Transmission

Multi-protocol Query Tool

*Queueing has 5 vowels in a row, a personal high for me.

MPQT are just the first letters of the Axis products in the directory tree, e.g. M3004, P3367, Q1755, T8415...

Please note that while you covered the IP address of the camera in the first video, in 0:49 you can see it in the script.
Not sure its important or not.

At this point in time did Axis release its firmware update that fixes the problem or havn't they yet?

Itamar, firmware for some but not all Axis cameras were released on June 29th, covered here. Today, from the service release doc, all Axis devices are reported upgraded except for:

As for the covered IP, I see it flashing for less than a second at the 53 second mark. That said, there are thousands of Axis cameras at Insecam's website which makes for a treasure trove.

The practical problem is that many / most people delay on firmware upgrades, compounded by Axis slow / limited communication and continued failure to make clear that a working program now exists that simplifies attacking / rooting Axis devices.

Sorry for asking what is probably a stupid question but does this test now show that the recommendation from Axis that only cameras connected directly to the Internet need immediate upgrade, and those that are connected via an NVR behind a firewall can be carried out on the next maintenance visit as incorrect advice? as below

Cameras connected to an Axis or third party VMS/NVR which are then connected to the internet are at low risk and could have their firmware’s updated at the next maintenance visit?

  1. Correct.

    The route into the customers LAN is via the VMS/NVR hence the camera isn’t exposed, or connected to the internet. The exploit would have to be performed from inside the End Users organisation.

2, where is that statement from? Is it from an Axis email? I could not find it online.

That noted, I think it's better to upgrade immediately.

One, there may be other openings / vulnerabilities to one's network that the organization is not aware. Two, with a working script available on the public Internet, there could be someone on-site (whether employee or contractor) who might take advantage of it.

The probability of attack is probably low but the severity of being able to root Axis devices is high, which would motivate a prudent manager to upgrade asap.

Let me know where that statement is from, thanks!

that's a response I received from our Axis account manager to my inquiries . Many thanks for the work and advice you are providing on this subject.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

'Sticker' Surveillance Camera Developed (CSEM Witness) on Nov 16, 2018
The Swiss Center for Electronics and Microtechnology (CSEM) has announced what it calls the: world’s first fully autonomous camera that can be...
ISC East 2018 Mini-Show Final Report on Nov 16, 2018
This is our second (updated) and final show report from ISC East. ISC East, by its own admission, is not a national or international show, billed...
Facial Detection Tested on Nov 16, 2018
Facial detection and recognition are increasingly offered by video surveillance manufacturers. Facial detection detects faces in an image/video...
Throughtek P2P/Cloud Solution Profile on Nov 15, 2018
Many IoT manufacturers either do not have the capabilities or the interest to develop their own cloud management software for their devices....
ASIS Offering Custom Research For Manufacturers on Nov 15, 2018
Manufacturers often want to know what industry people think about trends and, in particular, the segments and product they offer.  ASIS and its...
Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report on Nov 14, 2018
A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Integrator Credit Card Alternative Divvy on Nov 13, 2018
Most security integrators are small businesses but large enough that they have various employees that need to be able to expense various charges as...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact