Axis OrwellLabs Exploit Tested

Author: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.

******* ******* *** **** ******** *** **** ******* (********** **** ************* ****** ******* *********), **** **** * ***** ********* ******** ******** *************.

*******, ** **** ****** **** ******* *** ** ** *** of **** ********* ****. ** **** ******, ** ******* *** the ******* *****, *********** ** ** * ***** **********, ******* on ***** ******** ****** *** ********** *** ****** ******* ** ******.

[***************]

Summary *******

*** **** ** ***** ** **** ** ******* **** *******, which ****** ******* *** ****** ** *** *******.

***** *** ******* **** ***** ********* ** ********* ********, ** attacker *** ***** *** **** ******** ****** ***** ** **** through ***, ***** ** **** ********* ** **** *****.

******: ** * ********* *****, *** **** ******* ****** **** defaulted ** ****** ******* / ********** **** *********, **** ***** allow **** ****** **** ***** ** ********* *** ********* ** the **** **** *** *** ** ******* / ********.

*** ******* ****** **** *** **** / ****** *********** ******* of *** **** ****** *** *********.

*** *****

*************, ****** *** ********** ********* **** **** ****** ***, **** is *** ***** ** *** ****** **** ****** ********. ** should **, ** ** ********* ** *** ******** ** **** and ***** ******* **** *********** *** ********.

Exploit ************

*** ***** ***** ***** *** ******* ** ******:

Other ******** *****

***** ********* **** ******* * *** ***** ****** **** ******** issues *** ***** ******:

  • ****, ***** **** ******* *** *****, ** ******** ** ******** Axis *********** ******** ** ******** *****. ******** *** **** **** does *** ************* ******* ************ (***** **** ** ** ******) and **** **** ***** ****** ** ***** ******** **** ******** performance ******** ** ********* *******.
  • **** **** *** ******* * ****** ****** ** *** *** interface, ***** ** * ****** ******** **** ** *** **** does *** **** **** *** ****** ******* *** ******* **** uses *** ********.
  • **** **** *** ******** ******** ***** ******** ***** ***** **** a ***** *****, ********** ***** ******.

Contrast ** ****** / ****** ****** *******

***** ** *** ****** ********* **** ** *** ********** *******, the****** ****** ****** ****** ********* * ***** ****. *** *** ********** ** **** *** Bashis *** **** *** ******* **************, *.*., ** **** ** you *** ******* ** *** ****** **** * *******, *** do *** **** ** **** **** ******** *** *** *** get **** ******. **** ** * ***** ********** *** * significant **** *** *** *****.

Comments (22)

***** ** ** *** ** ************ ** *** ****** *******, it ***** ** * **** ****** *** ****** **** **** fixed ** ******* *** ** *** *******.

***** ** **** ****** **** * **** ****** **** ****/******* passwords ** **** *** **** **** **** ** ******* *** get ****.

*****'* ** ****** ******* *** *** **** ** **** **** security ********** *** * ***** **'* **** **** ******** ** take ** **** ** *** *** ** *** ***** *************

** *** ******* **** *** *****/**** ********, *** ********* ** a ******* **** ******** *****/**** ********? ********* ***** ** ** is *********** ** "*** ********** ****" ** **** **** **********... try *** ******* ** *** ********** ****, ** **** ****** privileges, **** ***** ****** ****.. *********, ***** **** ****** ** ssh *******...

** ****** **, **** ****** **** "*******" ** *** ********** user **** *** **** *** ** ****, *** ** *****'* work. ** **** * ** ********** **** **** ***** *** recognise **** ** ** "*************" ** ***** ********.

*******, * ** ***** ** **** *** **** **'* * bug, *** ****** ** *****, *** *****... **** ***** ** exploited ** *** ****** ** ** **** ********** ******* **** Axis ****.

***** ***, **** ** ****** "*******" ** ********... ***** ** say, *** *** ** *** ****** **'* **** ***** ******* substance...

*** "*******" ***** ** ******** ** "* **** ****** ** neighbours *******, *** * ****** ** ***** *** *** **** before".

**'* *** ***** ********.

****'* * ******** **** *** ** ********* ***** ***** **** bug.

*** **** **** ** *** **** *** **** ** ****. It's **** **** **** ** *** *** **** *** *** enable ***.

*** **** ******* *** ************ *****'* **** *** ***use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

** **** ******* *** ** ****?

All **** ******* **** **** *** ******* ****:**** ********* *** **** ** ****** *** ****** ******* ** *** ********.

*** **** ** ****?

****, ** ****** **** ***** ** ****** ****** ****, ** you **** ** *** ******** **********, ***** * *****:

**** ******* *** ** ********* *** **** * *** ***, as ** ****** *** ** *****.
******** ***** *** ***** ****, ** ** *** ** **** ***...

* *** ***** **** * **** **** ** *** ** practical ***, ** *** ** ***** * ***** ****-*** ***.

**'* ** ****** *******, *** ******** **** ****:**** ************* ** gives *** **** ****** *** ********.

**** ***** ** **** **************** *** ** ****'* ******* *******.

*** **** **** ***** **.

**** *** **** ** *** ***.

*** *** ** **** *** ****.

**** **** *** *** ***.

****'* *** *******?

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

********* *** *******, **'* ******** ********, *** ***'* **** ******** - *** **** ** ** ******** **** ** *** **.

** *** ***** ** "******* ****" *** **** ****** **********, then * ***** *** ********.

*** ***** * ***** **** ** ****** ** *** ****** of *** "*********" ****-************ **** ** ***** *** **** ****** of ******* ********.

** ***** ** ***, * ******** ******* ** ****** *** novel *********** ** ******* ******** ***-******** ******** ******* ******** ** a ******* ***** ** ****** * ******** *************. **** ******** in * **** ******* *** ** ***.

**** ** *** ** ** ********* ** *** *** ********** behaviors ** ****. ******* ** **** **** *** ****** ****, how *** **** ******** *** ******** ** *** ****** ** a *****?

******** **** "******* *** ** ** ****** ******* *****, ** is ***** ********** ****** ******* *********, *** * *** ** reason *** **** ** *** ** *******. ** ***, **** it * *******... :)

** ****** **** ***** ** *** *** ***, *** *** it *** ** ***** *********** ** *** *** **** *** the **** ***** ** ******** ** *** **** ****.

*** *****, *** *** ******* ** ** **** ** ** used.

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

******* *** **** *** ********* **** *** ******* * ****** shell ******** ********* ********.

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

*****. ***** ******** ** ***. ***** ******** ***** *** **choose a password, many for nostalgic reasons choose root:pass. Because it makes it easier for them. This was a brilliant move on Axis part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all what's the difference between login in with root:pass or typing pass:pass the first time.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

* **** ** ******** *********, **** *** ****** *****?

*******, * ***** **** **** ** *** * ***** **** just ******* *** ***** ******* * ******* ***** ** **** by ******* *** ***** *** ***** *** ***** ********.*** *** to ****** **** ******* ****, ****** ** *********. *** **** is * **** *** **** *** ********* ** ********* ** VAPIX, ***** ** **** *** ****** ******* ****.

**** **************** ** **** **** ** "********" ** ******.

** *

**'* * ***, ******* ****. *** ***, ** ****** ** fixed.

** ***** ********* *** **** ****** ** ****, *** ********* you ** **** ********* *** *** ******* ******* ** ****** in. **** ****** *******.

*** ******* ********* **** **** ** "*******" **** *** ******* need ** ** **** ** ******* (*.*. *** **** ***** and ******** *** ****) ** *******, ** ***** "***********". **** you *** ****, *** **** ********** ** **** *****, *** you *** ** ******** *** ***** **** **. ******* ***** you. *** **** ****** ******* **** *****. **'* ** ** your ***********.

**'* ******** ******** ** **** **** ** "****" ** **** "vulnerability", **'* ******* **** **** ******* "******" **** *******. ***, there ***** * ***, *** ******* *** ***, *** **** to ** ****. ***** *** *** - ****!

** *** *** ******* **** (***'* *** '****'), ***** ** 'n00b', *** **** '****' ********** **** **** ** ****** "*******", i ***** ***** **** *** ****** - *** ** **'* now, **.. * ** ***. **'* ** ******* *** ****.

**** ** **** **** ** *** * *********** ***** ******* cutting *** ***** **** **** ****** * ******** **** **** port ** ****.

*** **** ****.

**** **** *** ****? **** ***? ** **** **** ** in *** ***?

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** ** ** Linux ********* ** **** **** ***** *** ********, * **** show *** ** ******* **** *****.

*** *** ** *** ***** *******.

*** ***** *** **** ****** **** "********" ********* ** ********* along *** ***** **:

* ***'* ******* **** **** ******* ******* * **** ****** to **** ******* ** *** ****, ***** ** ******** **** to *** ** *** ***** *****, *** ********* ******* ***** be **** ** ******* *** **** ****** **** ***** *******, even ******* * ******* ****** ******* ********* ***.

***********, * ********* **** ******* **** ********** ******** ** ******* to ******** ** *****, ** ** ***** ** **** ** part ** ******* **** ******** ******* ** *** ****** ** not ********** *** *******.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** **....

**, ****** ** * ***** ******** *.**, ******* *********, *********** set ** ****:****. ** ******. **** ** ** *********.

*** **** ***** **** *** *'** ******* *** *******... :)

** **** *****, * *** ******* ****:

****://***.***.*.*/***********.*****?***=**********%****%*****.***.*.*%*******%**-*%**/***/**

**** ****** * ****** *****. ***** *** ** ***** ****, but * ***'* ***** *** *** ****** ** ******* **** knowledge ** **** ************.

** *** *** ******** ********** *********** **

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

** ***** ** **** *****, ***** ** ** **** ** crontab, *** *** /*** ********** ** **** ****.

******** ***, ** **** ******* ****** ** ** *** *** as ****, ** ***** *** ** *-*** ********… (**** ****** code)

***** **** "**" ***’* **** *** "-*" ******, *** **** instead:

****://***.***.*.*/***********.*****?***=;******%**/***/*;**%**-*%***%*****.***.*.*%*******%***%**/***/*|/***/**%**/***/*%***%**/***/*;**%**/***/*

********** ***** ** ******** ** ****** **** ***** ***** ** code ** /***/****/*****.

# *** /***/****/*****/****.*****


**** ****:

****://***.***.*.*/*****/****.*****?**=***.***.*.*&****=*****

***** **** ** *****'* **** *** -* ******.

*** *** ** **, **'* ****' ****** ******* ** ****.

** *** **** *** ***** ******* ** ** (******* -*) out ***** * ***?

*** ***** ***** *** **** ** * ***** ******.

**, *** ****** *** ***** ** **** *** ** ******* a *******, ******* **** ******** * ****. **'* **** * little ***** *** *** **** *** **** * **** ****?

********, *'* *** ** **** ****** ***..

**, **** * **** ***!

*.*. **** *** **** ***-** * ******* **** ***** **** and * ** *********?

**** ** *** **** **** *** *** **** ******* *** from *** ****** *** **** ** ****** *** *** ****** remotely?

****, * **** *** *** *** ***** **** ******** *** have ** ******** *** ***** ******** ** ***** ********* *** explain *** **** ****** **** ***** ********!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Door Operators Access Control Tutorial on Dec 05, 2016
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Pelco Favorability Results on Dec 02, 2016
This is the first in a series of studies of manufacturer favorability. 100+ integrators rated and explained their views of each manufacturer. We...
Hikvision CEO Declares 'We Do Not Cut Rates" on Dec 02, 2016
Hikvision has led another press trip to China, and this time Hikvision's CEO is sharing insights into their competitive strategy, including...
Network Security Audit App (March Networks) Examined on Dec 01, 2016
Verifying one's video surveillance devices are locked down against common cybersecurity vulnerabilities is increasing important, as hacks using...
FLIR Acquires Drone Manufacturer For $134M on Dec 01, 2016
FLIR has acquired Prox Dynamics, a Norwegian maker of small military-grade drones, for $134M.  FLIR president Andy Teich provided additional...
Down to $50 IP Cameras From Honeywell on Dec 01, 2016
$100 IP cameras are literally old news. And you do not need to buy from spam email vendors anymore to get $50 ones. [premium_content] You can...
Distributor Offers Local Job Site Delivery on Nov 30, 2016
Local distribution branches are a big differentiator for many integrators, as they facilitate quickly picking up supplies locally without having to...
Dump Axis and Hikvision, Arecont Will Pay You on Nov 30, 2016
Do you want to get rid of your Avigilon, Axis, Bosch, Hanwha Samsung, Hikvision, Pelco or Sony cameras? Now, Arecont will pay you to dump them for...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact