Axis OrwellLabs Exploit Tested

Author: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.

******* ******* *** **** ******** *** **** ******* (********** **** ************* ****** ******* *********), **** **** * ***** ********* ******** ******** *************.

*******, ** **** ****** **** ******* *** ** ** *** of **** ********* ****. ** **** ******, ** ******* *** the ******* *****, *********** ** ** * ***** **********, ******* on ***** ******** ****** *** ********** *** ****** ******* ** ******.

[***************]

Summary *******

*** **** ** ***** ** **** ** ******* **** *******, which ****** ******* *** ****** ** *** *******.

***** *** ******* **** ***** ********* ** ********* ********, ** attacker *** ***** *** **** ******** ****** ***** ** **** through ***, ***** ** **** ********* ** **** *****.

******: ** * ********* *****, *** **** ******* ****** **** defaulted ** ****** ******* / ********** **** *********, **** ***** allow **** ****** **** ***** ** ********* *** ********* ** the **** **** *** *** ** ******* / ********.

*** ******* ****** **** *** **** / ****** *********** ******* of *** **** ****** *** *********.

*** *****

*************, ****** *** ********** ********* **** **** ****** ***, **** is *** ***** ** *** ****** **** ****** ********. ** should **, ** ** ********* ** *** ******** ** **** and ***** ******* **** *********** *** ********.

******: **** *** ***** ** ********** **** ********.

Exploit ************

*** ***** ***** ***** *** ******* ** ******:

Other ******** *****

***** ********* **** ******* * *** ***** ****** **** ******** issues *** ***** ******:

  • ****, ***** **** ******* *** *****, ** ******** ** ******** Axis *********** ******** ** ******** *****. ******** *** **** **** does *** ************* ******* ************ (***** **** ** ** ******) and **** **** ***** ****** ** ***** ******** **** ******** performance ******** ** ********* *******.
  • **** **** *** ******* * ****** ****** ** *** *** interface, ***** ** * ****** ******** **** ** *** **** does *** **** **** *** ****** ******* *** ******* **** uses *** ********.
  • **** **** *** ******** ******** ***** ******** ***** ***** **** a ***** *****, ********** ***** ******.

Contrast ** ****** / ****** ****** *******

***** ** *** ****** ********* **** ** *** ********** *******, the****** ****** ****** ****** ********* * ***** ****. *** *** ********** ** **** *** Bashis *** **** *** ******* **************, *.*., ** **** ** you *** ******* ** *** ****** **** * *******, *** do *** **** ** **** **** ******** *** *** *** get **** ******. **** ** * ***** ********** *** * significant **** *** *** *****.

Comments (22)

***** ** ** *** ** ************ ** *** ****** *******, it ***** ** * **** ****** *** ****** **** **** fixed ** ******* *** ** *** *******.

***** ** **** ****** **** * **** ****** **** ****/******* passwords ** **** *** **** **** **** ** ******* *** get ****.

*****'* ** ****** ******* *** *** **** ** **** **** security ********** *** * ***** **'* **** **** ******** ** take ** **** ** *** *** ** *** ***** *************

** *** ******* **** *** *****/**** ********, *** ********* ** a ******* **** ******** *****/**** ********? ********* ***** ** ** is *********** ** "*** ********** ****" ** **** **** **********... try *** ******* ** *** ********** ****, ** **** ****** privileges, **** ***** ****** ****.. *********, ***** **** ****** ** ssh *******...

** ****** **, **** ****** **** "*******" ** *** ********** user **** *** **** *** ** ****, *** ** *****'* work. ** **** * ** ********** **** **** ***** *** recognise **** ** ** "*************" ** ***** ********.

*******, * ** ***** ** **** *** **** **'* * bug, *** ****** ** *****, *** *****... **** ***** ** exploited ** *** ****** ** ** **** ********** ******* **** Axis ****.

***** ***, **** ** ****** "*******" ** ********... ***** ** say, *** *** ** *** ****** **'* **** ***** ******* substance...

*** "*******" ***** ** ******** ** "* **** ****** ** neighbours *******, *** * ****** ** ***** *** *** **** before".

**'* *** ***** ********.

****'* * ******** **** *** ** ********* ***** ***** **** bug.

*** **** **** ** *** **** *** **** ** ****. It's **** **** **** ** *** *** **** *** *** enable ***.

*** **** ******* *** ************ *****'* **** *** ***use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

** **** ******* *** ** ****?

All **** ******* **** **** *** ******* ****:**** ********* *** **** ** ****** *** ****** ******* ** *** ********.

*** **** ** ****?

****, ** ****** **** ***** ** ****** ****** ****, ** you **** ** *** ******** **********, ***** * *****:

**** ******* *** ** ********* *** **** * *** ***, as ** ****** *** ** *****.
******** ***** *** ***** ****, ** ** *** ** **** ***...

* *** ***** **** * **** **** ** *** ** practical ***, ** *** ** ***** * ***** ****-*** ***.

**'* ** ****** *******, *** ******** **** ****:**** ************* ** gives *** **** ****** *** ********.

**** ***** ** **** **************** *** ** ****'* ******* *******.

*** **** **** ***** **.

**** *** **** ** *** ***.

*** *** ** **** *** ****.

**** **** *** *** ***.

****'* *** *******?

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

********* *** *******, **'* ******** ********, *** ***'* **** ******** - *** **** ** ** ******** **** ** *** **.

** *** ***** ** "******* ****" *** **** ****** **********, then * ***** *** ********.

*** ***** * ***** **** ** ****** ** *** ****** of *** "*********" ****-************ **** ** ***** *** **** ****** of ******* ********.

** ***** ** ***, * ******** ******* ** ****** *** novel *********** ** ******* ******** ***-******** ******** ******* ******** ** a ******* ***** ** ****** * ******** *************. **** ******** in * **** ******* *** ** ***.

**** ** *** ** ** ********* ** *** *** ********** behaviors ** ****. ******* ** **** **** *** ****** ****, how *** **** ******** *** ******** ** *** ****** ** a *****?

******** **** "******* *** ** ** ****** ******* *****, ** is ***** ********** ****** ******* *********, *** * *** ** reason *** **** ** *** ** *******. ** ***, **** it * *******... :)

** ****** **** ***** ** *** *** ***, *** *** it *** ** ***** *********** ** *** *** **** *** the **** ***** ** ******** ** *** **** ****.

*** *****, *** *** ******* ** ** **** ** ** used.

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

******* *** **** *** ********* **** *** ******* * ****** shell ******** ********* ********.

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

*****. ***** ******** ** ***. ***** ******** ***** *** **choose a password, many for nostalgic reasons choose root:pass. Because it makes it easier for them. This was a brilliant move on Axis part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all what's the difference between login in with root:pass or typing pass:pass the first time.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

* **** ** ******** *********, **** *** ****** *****?

*******, * ***** **** **** ** *** * ***** **** just ******* *** ***** ******* * ******* ***** ** **** by ******* *** ***** *** ***** *** ***** ********.*** *** to ****** **** ******* ****, ****** ** *********. *** **** is * **** *** **** *** ********* ** ********* ** VAPIX, ***** ** **** *** ****** ******* ****.

**** **************** ** **** **** ** "********" ** ******.

** *

**'* * ***, ******* ****. *** ***, ** ****** ** fixed.

** ***** ********* *** **** ****** ** ****, *** ********* you ** **** ********* *** *** ******* ******* ** ****** in. **** ****** *******.

*** ******* ********* **** **** ** "*******" **** *** ******* need ** ** **** ** ******* (*.*. *** **** ***** and ******** *** ****) ** *******, ** ***** "***********". **** you *** ****, *** **** ********** ** **** *****, *** you *** ** ******** *** ***** **** **. ******* ***** you. *** **** ****** ******* **** *****. **'* ** ** your ***********.

**'* ******** ******** ** **** **** ** "****" ** **** "vulnerability", **'* ******* **** **** ******* "******" **** *******. ***, there ***** * ***, *** ******* *** ***, *** **** to ** ****. ***** *** *** - ****!

** *** *** ******* **** (***'* *** '****'), ***** ** 'n00b', *** **** '****' ********** **** **** ** ****** "*******", i ***** ***** **** *** ****** - *** ** **'* now, **.. * ** ***. **'* ** ******* *** ****.

**** ** **** **** ** *** * *********** ***** ******* cutting *** ***** **** **** ****** * ******** **** **** port ** ****.

*** **** ****.

**** **** *** ****? **** ***? ** **** **** ** in *** ***?

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** ** ** Linux ********* ** **** **** ***** *** ********, * **** show *** ** ******* **** *****.

*** *** ** *** ***** *******.

*** ***** *** **** ****** **** "********" ********* ** ********* along *** ***** **:

* ***'* ******* **** **** ******* ******* * **** ****** to **** ******* ** *** ****, ***** ** ******** **** to *** ** *** ***** *****, *** ********* ******* ***** be **** ** ******* *** **** ****** **** ***** *******, even ******* * ******* ****** ******* ********* ***.

***********, * ********* **** ******* **** ********** ******** ** ******* to ******** ** *****, ** ** ***** ** **** ** part ** ******* **** ******** ******* ** *** ****** ** not ********** *** *******.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** **....

**, ****** ** * ***** ******** *.**, ******* *********, *********** set ** ****:****. ** ******. **** ** ** *********.

*** **** ***** **** *** *'** ******* *** *******... :)

** **** *****, * *** ******* ****:

****://***.***.*.*/***********.*****?***=**********%****%*****.***.*.*%*******%**-*%**/***/**

**** ****** * ****** *****. ***** *** ** ***** ****, but * ***'* ***** *** *** ****** ** ******* **** knowledge ** **** ************.

** *** *** ******** ********** *********** **

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

** ***** ** **** *****, ***** ** ** **** ** crontab, *** *** /*** ********** ** **** ****.

******** ***, ** **** ******* ****** ** ** *** *** as ****, ** ***** *** ** *-*** ********… (**** ****** code)

***** **** "**" ***’* **** *** "-*" ******, *** **** instead:

****://***.***.*.*/***********.*****?***=;******%**/***/*;**%**-*%***%*****.***.*.*%*******%***%**/***/*|/***/**%**/***/*%***%**/***/*;**%**/***/*

********** ***** ** ******** ** ****** **** ***** ***** ** code ** /***/****/*****.

# *** /***/****/*****/****.*****


**** ****:

****://***.***.*.*/*****/****.*****?**=***.***.*.*&****=*****

***** **** ** *****'* **** *** -* ******.

*** *** ** **, **'* ****' ****** ******* ** ****.

** *** **** *** ***** ******* ** ** (******* -*) out ***** * ***?

*** ***** ***** *** **** ** * ***** ******.

**, *** ****** *** ***** ** **** *** ** ******* a *******, ******* **** ******** * ****. **'* **** * little ***** *** *** **** *** **** * **** ****?

********, *'* *** ** **** ****** ***..

**, **** * **** ***!

*.*. **** *** **** ***-** * ******* **** ***** **** and * ** *********?

**** ** *** **** **** *** *** **** ******* *** from *** ****** *** **** ** ****** *** *** ****** remotely?

****, * **** *** *** *** ***** **** ******** *** have ** ******** *** ***** ******** ** ***** ********* *** explain *** **** ****** **** ***** ********!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

May 2018 Camera Course on Apr 25, 2018
Save $50 on early registration until this Thursday, the 26th. Register now (save $50) for the Spring 2018 Camera Course This is the only...
Death Of A Dummy Camera Manufacturer on Apr 25, 2018
5 years ago, IPVM gathered insights from a dummy camera manufacturer, who was then the top selling dummy camera provider on Amazon and 3rd in all...
Hikvision Critical Cloud Vulnerability Disclosed on Apr 25, 2018
Security researchers Vangelis Stykas and George Lavdanis discovered a vulnerability in Hikvision's HikConnect cloud service that: just by...
The Yolo Bro And The Death of Journalism on Apr 24, 2018
There's an old quote: The job of the newspaper is to comfort the afflicted and afflict the comfortable Unfortunately, the opposite is more...
DMP Adds Ring Video Doorbell Integration on Apr 24, 2018
Video doorbells have become one of the hottest items for security systems. After several years with no doorbell, DMP has announced integration with...
Milestone 2017 Financials Examined on Apr 24, 2018
For ISC West 2018, Milestone released ... their financials, touting "strong revenue growth in 2017". However, there were discrepancies with the...
Chinese Manufacturer Kickstarter Campaign Huge Success (EverCam) on Apr 23, 2018
In a week, a Chinese manufacturer's expertly done Kickstarter campaign has received $1.4 million in pledges, an incredible amount for a video...
Favorite Biometrics 2018 on Apr 23, 2018
Biometrics are on the rise, or at least integrator opposition to them is declining, according to new IPVM integrator statistics.   Almost half of...
Dahua and Hikvision Win Over $1 Billion In Government-Backed Projects In Xinjiang on Apr 23, 2018
Dahua and Hikvision have won well over $1 billion worth of government-backed surveillance projects in China’s restive Xinjiang province since 2016,...
Global Real-Time Video Surveillance - EarthNow on Apr 20, 2018
A new company, EarthNow, with backing from Bill Gates, Airbus and more, is claiming that: Users will be able to see places on Earth with a delay...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact