Axis OrwellLabs Exploit Tested

Author: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.

******* ******* *** **** ******** *** **** ******* (********** **** ************* ****** ******* *********), **** **** * ***** ********* ******** ******** *************.

*******, ** **** ****** **** ******* *** ** ** *** of **** ********* ****. ** **** ******, ** ******* *** the ******* *****, *********** ** ** * ***** **********, ******* on ***** ******** ****** *** ********** *** ****** ******* ** ******.

[***************]

Summary *******

*** **** ** ***** ** **** ** ******* **** *******, which ****** ******* *** ****** ** *** *******.

***** *** ******* **** ***** ********* ** ********* ********, ** attacker *** ***** *** **** ******** ****** ***** ** **** through ***, ***** ** **** ********* ** **** *****.

******: ** * ********* *****, *** **** ******* ****** **** defaulted ** ****** ******* / ********** **** *********, **** ***** allow **** ****** **** ***** ** ********* *** ********* ** the **** **** *** *** ** ******* / ********.

*** ******* ****** **** *** **** / ****** *********** ******* of *** **** ****** *** *********.

*** *****

*************, ****** *** ********** ********* **** **** ****** ***, **** is *** ***** ** *** ****** **** ****** ********. ** should **, ** ** ********* ** *** ******** ** **** and ***** ******* **** *********** *** ********.

Exploit ************

*** ***** ***** ***** *** ******* ** ******:

Other ******** *****

***** ********* **** ******* * *** ***** ****** **** ******** issues *** ***** ******:

  • ****, ***** **** ******* *** *****, ** ******** ** ******** Axis *********** ******** ** ******** *****. ******** *** **** **** does *** ************* ******* ************ (***** **** ** ** ******) and **** **** ***** ****** ** ***** ******** **** ******** performance ******** ** ********* *******.
  • **** **** *** ******* * ****** ****** ** *** *** interface, ***** ** * ****** ******** **** ** *** **** does *** **** **** *** ****** ******* *** ******* **** uses *** ********.
  • **** **** *** ******** ******** ***** ******** ***** ***** **** a ***** *****, ********** ***** ******.

Contrast ** ****** / ****** ****** *******

***** ** *** ****** ********* **** ** *** ********** *******, the****** ****** ****** ****** ********* * ***** ****. *** *** ********** ** **** *** Bashis *** **** *** ******* **************, *.*., ** **** ** you *** ******* ** *** ****** **** * *******, *** do *** **** ** **** **** ******** *** *** *** get **** ******. **** ** * ***** ********** *** * significant **** *** *** *****.

Comments (22)

***** ** ** *** ** ************ ** *** ****** *******, it ***** ** * **** ****** *** ****** **** **** fixed ** ******* *** ** *** *******.

***** ** **** ****** **** * **** ****** **** ****/******* passwords ** **** *** **** **** **** ** ******* *** get ****.

*****'* ** ****** ******* *** *** **** ** **** **** security ********** *** * ***** **'* **** **** ******** ** take ** **** ** *** *** ** *** ***** *************

** *** ******* **** *** *****/**** ********, *** ********* ** a ******* **** ******** *****/**** ********? ********* ***** ** ** is *********** ** "*** ********** ****" ** **** **** **********... try *** ******* ** *** ********** ****, ** **** ****** privileges, **** ***** ****** ****.. *********, ***** **** ****** ** ssh *******...

** ****** **, **** ****** **** "*******" ** *** ********** user **** *** **** *** ** ****, *** ** *****'* work. ** **** * ** ********** **** **** ***** *** recognise **** ** ** "*************" ** ***** ********.

*******, * ** ***** ** **** *** **** **'* * bug, *** ****** ** *****, *** *****... **** ***** ** exploited ** *** ****** ** ** **** ********** ******* **** Axis ****.

***** ***, **** ** ****** "*******" ** ********... ***** ** say, *** *** ** *** ****** **'* **** ***** ******* substance...

*** "*******" ***** ** ******** ** "* **** ****** ** neighbours *******, *** * ****** ** ***** *** *** **** before".

**'* *** ***** ********.

****'* * ******** **** *** ** ********* ***** ***** **** bug.

*** **** **** ** *** **** *** **** ** ****. It's **** **** **** ** *** *** **** *** *** enable ***.

*** **** ******* *** ************ *****'* **** *** ***use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

** **** ******* *** ** ****?

All **** ******* **** **** *** ******* ****:**** ********* *** **** ** ****** *** ****** ******* ** *** ********.

*** **** ** ****?

****, ** ****** **** ***** ** ****** ****** ****, ** you **** ** *** ******** **********, ***** * *****:

**** ******* *** ** ********* *** **** * *** ***, as ** ****** *** ** *****.
******** ***** *** ***** ****, ** ** *** ** **** ***...

* *** ***** **** * **** **** ** *** ** practical ***, ** *** ** ***** * ***** ****-*** ***.

**'* ** ****** *******, *** ******** **** ****:**** ************* ** gives *** **** ****** *** ********.

**** ***** ** **** **************** *** ** ****'* ******* *******.

*** **** **** ***** **.

**** *** **** ** *** ***.

*** *** ** **** *** ****.

**** **** *** *** ***.

****'* *** *******?

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

********* *** *******, **'* ******** ********, *** ***'* **** ******** - *** **** ** ** ******** **** ** *** **.

** *** ***** ** "******* ****" *** **** ****** **********, then * ***** *** ********.

*** ***** * ***** **** ** ****** ** *** ****** of *** "*********" ****-************ **** ** ***** *** **** ****** of ******* ********.

** ***** ** ***, * ******** ******* ** ****** *** novel *********** ** ******* ******** ***-******** ******** ******* ******** ** a ******* ***** ** ****** * ******** *************. **** ******** in * **** ******* *** ** ***.

**** ** *** ** ** ********* ** *** *** ********** behaviors ** ****. ******* ** **** **** *** ****** ****, how *** **** ******** *** ******** ** *** ****** ** a *****?

******** **** "******* *** ** ** ****** ******* *****, ** is ***** ********** ****** ******* *********, *** * *** ** reason *** **** ** *** ** *******. ** ***, **** it * *******... :)

** ****** **** ***** ** *** *** ***, *** *** it *** ** ***** *********** ** *** *** **** *** the **** ***** ** ******** ** *** **** ****.

*** *****, *** *** ******* ** ** **** ** ** used.

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

******* *** **** *** ********* **** *** ******* * ****** shell ******** ********* ********.

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

*****. ***** ******** ** ***. ***** ******** ***** *** **choose a password, many for nostalgic reasons choose root:pass. Because it makes it easier for them. This was a brilliant move on Axis part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all what's the difference between login in with root:pass or typing pass:pass the first time.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

* **** ** ******** *********, **** *** ****** *****?

*******, * ***** **** **** ** *** * ***** **** just ******* *** ***** ******* * ******* ***** ** **** by ******* *** ***** *** ***** *** ***** ********.*** *** to ****** **** ******* ****, ****** ** *********. *** **** is * **** *** **** *** ********* ** ********* ** VAPIX, ***** ** **** *** ****** ******* ****.

**** **************** ** **** **** ** "********" ** ******.

** *

**'* * ***, ******* ****. *** ***, ** ****** ** fixed.

** ***** ********* *** **** ****** ** ****, *** ********* you ** **** ********* *** *** ******* ******* ** ****** in. **** ****** *******.

*** ******* ********* **** **** ** "*******" **** *** ******* need ** ** **** ** ******* (*.*. *** **** ***** and ******** *** ****) ** *******, ** ***** "***********". **** you *** ****, *** **** ********** ** **** *****, *** you *** ** ******** *** ***** **** **. ******* ***** you. *** **** ****** ******* **** *****. **'* ** ** your ***********.

**'* ******** ******** ** **** **** ** "****" ** **** "vulnerability", **'* ******* **** **** ******* "******" **** *******. ***, there ***** * ***, *** ******* *** ***, *** **** to ** ****. ***** *** *** - ****!

** *** *** ******* **** (***'* *** '****'), ***** ** 'n00b', *** **** '****' ********** **** **** ** ****** "*******", i ***** ***** **** *** ****** - *** ** **'* now, **.. * ** ***. **'* ** ******* *** ****.

**** ** **** **** ** *** * *********** ***** ******* cutting *** ***** **** **** ****** * ******** **** **** port ** ****.

*** **** ****.

**** **** *** ****? **** ***? ** **** **** ** in *** ***?

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** ** ** Linux ********* ** **** **** ***** *** ********, * **** show *** ** ******* **** *****.

*** *** ** *** ***** *******.

*** ***** *** **** ****** **** "********" ********* ** ********* along *** ***** **:

* ***'* ******* **** **** ******* ******* * **** ****** to **** ******* ** *** ****, ***** ** ******** **** to *** ** *** ***** *****, *** ********* ******* ***** be **** ** ******* *** **** ****** **** ***** *******, even ******* * ******* ****** ******* ********* ***.

***********, * ********* **** ******* **** ********** ******** ** ******* to ******** ** *****, ** ** ***** ** **** ** part ** ******* **** ******** ******* ** *** ****** ** not ********** *** *******.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** **....

**, ****** ** * ***** ******** *.**, ******* *********, *********** set ** ****:****. ** ******. **** ** ** *********.

*** **** ***** **** *** *'** ******* *** *******... :)

** **** *****, * *** ******* ****:

****://***.***.*.*/***********.*****?***=**********%****%*****.***.*.*%*******%**-*%**/***/**

**** ****** * ****** *****. ***** *** ** ***** ****, but * ***'* ***** *** *** ****** ** ******* **** knowledge ** **** ************.

** *** *** ******** ********** *********** **

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

** ***** ** **** *****, ***** ** ** **** ** crontab, *** *** /*** ********** ** **** ****.

******** ***, ** **** ******* ****** ** ** *** *** as ****, ** ***** *** ** *-*** ********… (**** ****** code)

***** **** "**" ***’* **** *** "-*" ******, *** **** instead:

****://***.***.*.*/***********.*****?***=;******%**/***/*;**%**-*%***%*****.***.*.*%*******%***%**/***/*|/***/**%**/***/*%***%**/***/*;**%**/***/*

********** ***** ** ******** ** ****** **** ***** ***** ** code ** /***/****/*****.

# *** /***/****/*****/****.*****


**** ****:

****://***.***.*.*/*****/****.*****?**=***.***.*.*&****=*****

***** **** ** *****'* **** *** -* ******.

*** *** ** **, **'* ****' ****** ******* ** ****.

** *** **** *** ***** ******* ** ** (******* -*) out ***** * ***?

*** ***** ***** *** **** ** * ***** ******.

**, *** ****** *** ***** ** **** *** ** ******* a *******, ******* **** ******** * ****. **'* **** * little ***** *** *** **** *** **** * **** ****?

********, *'* *** ** **** ****** ***..

**, **** * **** ***!

*.*. **** *** **** ***-** * ******* **** ***** **** and * ** *********?

**** ** *** **** **** *** *** **** ******* *** from *** ****** *** **** ** ****** *** *** ****** remotely?

****, * **** *** *** *** ***** **** ******** *** have ** ******** *** ***** ******** ** ***** ********* *** explain *** **** ****** **** ***** ********!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

Camera Calculator Class and IPVM Member Orientation October 2016 on Sep 28, 2016
Members, learn how to better design video surveillance systems and get the most out of your IPVM memberships with 2 upcoming live classes. Both...
Axis 4MP Camera Tested (M3046-V) on Sep 28, 2016
Axis has brought 4MP to its camera line in the new M3046-V, the highest resolution model in their revamped M30 series. We bought and tested this...
Hiring Spree At Aimetis 6 Months After Being Acquired on Sep 28, 2016
Aimetis was acquired in April 2016, and is now expanding almost all of their departments, hiring employees from Axis and other industry...
Camio Natural Language Processing Tested on Sep 27, 2016
The ex-Googler led team from Camio has advanced its video monitoring offering to include natural language processing. Camio ingests video,...
Access Door Controller Configuration Guide on Sep 27, 2016
Properly configuring access control door controllers is key to a professional system. These devices have fundamental settings that must be...
Hacked Dahua Cameras Drive Massive Cyber Attack on Sep 27, 2016
Cyber attacks are accelerating and IP cameras are behind many of them. Worse, last week, a 'massive' attack was carried out using numerous Dahua...
Axis Secretly Paid Anixter Sales People To Push Axis NVRs on Sep 26, 2016
Internal Axis communication shows how Axis paid Anixter and Tri-Ed sales people with secret bonuses to push Axis NVRs. In this report, we examine...
VLANs for Video Surveillance Tutorial on Sep 26, 2016
Many people confidently say to 'use VLANs' as an answer to IP video networking problems and as a way to signal expertise. But how should VLANs be...
Ambarella CEO Admits H.265 and 4K Not Popular on Sep 26, 2016
Ambarella is the main chip provider for high-end surveillance cameras driving higher resolution and new CODECs. While Ambarella has been pushing...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact