Axis OrwellLabs Exploit Tested

Published Jul 29, 2016 11:44 AM

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after the Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.

Exploit Summary

You have to login as root to execute this exploit, which mostly defeats the danger of the exploit.

While the exploit does allow execution of arbitrary commands, an attacker who knows the root password anyway could do that through SSH, which is also available to root users. 

Update: As a commenter notes, for Axis cameras online with default or easily guessed / discovered root passwords, this could allow root access that might otherwise not be available if the port used for SSH is blocked / filtered.

The exploit is launched from the ACAP / camera application section of the Axis camera web interface.

Not Fixed

Interestingly, though the researcher disclosed this many months ago, this is not fixed in the newest Axis camera firmware. It should be, as it certainly is not supposed to work and could provide some opportunity for problems.

Update: this was fixed in subsequent Axis firmware.

Exploit Demonstrated

The video below shows the exploit in action:


Other Security Risks

While reviewing this exploit a few other second tier security issues are worth noting:

  • ACAP, where this exploit was found, is reported by multiple Axis application partners as exposing risks. Partners say that Axis does not appropriately sandbox applications (think apps on an iPhone) and that this could result in badly behaving apps creating performance problems or inserting malware.
  • Axis does not provide a logout option on the web interface, which is a modest security risk if the user does not shut down the entire browser and someone else uses the computer.
  • Axis does not restrict multiple login attempts, which could aid a brute-force or dictionary-style attack.

Contrast to Bashis / Format String Exploit

While we see little practical risk in the OrwellLabs exploit, the Bashis Remote Format String exploit is a major risk. The key difference is that the Bashis one does not require authentication, i.e., as long as you can connect to the camera over a network, you do not need to know the root password to get root access. This is a major difference and a significant risk for the latter.
