Axis OrwellLabs Exploit Tested

Author: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after the Axis critical security vulnerability.

However, we have tested this exploit and it poses little practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues, and contrast it with the Bashis exploit we tested.

Comments (22)

***** ** ** *** ** ************ ** *** ****** *******, it ***** ** * **** ****** *** ****** **** **** fixed ** ******* *** ** *** *******.

***** ** **** ****** **** * **** ****** **** ****/******* passwords ** **** *** **** **** **** ** ******* *** get ****.

*****'* ** ****** ******* *** *** **** ** **** **** security ********** *** * ***** **'* **** **** ******** ** take ** **** ** *** *** ** *** ***** *************

** *** ******* **** *** *****/**** ********, *** ********* ** a ******* **** ******** *****/**** ********? ********* ***** ** ** is *********** ** "*** ********** ****" ** **** **** **********... try *** ******* ** *** ********** ****, ** **** ****** privileges, **** ***** ****** ****.. *********, ***** **** ****** ** ssh *******...

** ****** **, **** ****** **** "*******" ** *** ********** user **** *** **** *** ** ****, *** ** *****'* work. ** **** * ** ********** **** **** ***** *** recognise **** ** ** "*************" ** ***** ********.

*******, * ** ***** ** **** *** **** **'* * bug, *** ****** ** *****, *** *****... **** ***** ** exploited ** *** ****** ** ** **** ********** ******* **** Axis ****.

***** ***, **** ** ****** "*******" ** ********... ***** ** say, *** *** ** *** ****** **'* **** ***** ******* substance...

*** "*******" ***** ** ******** ** "* **** ****** ** neighbours *******, *** * ****** ** ***** *** *** **** before".

**'* *** ***** ********.

****'* * ******** **** *** ** ********* ***** ***** **** bug.

*** **** **** ** *** **** *** **** ** ****. It's **** **** **** ** *** *** **** *** *** enable ***.

... use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

** **** ******* *** ** ****?

All **** ******* **** **** *** ******* ****:**** ********* *** **** ** ****** *** ****** ******* ** *** ********.

*** **** ** ****?

****, ** ****** **** ***** ** ****** ****** ****, ** you **** ** *** ******** **********, ***** * *****:

**** ******* *** ** ********* *** **** * *** ***, as ** ****** *** ** *****.
******** ***** *** ***** ****, ** ** *** ** **** ***...

* *** ***** **** * **** **** ** *** ** practical ***, ** *** ** ***** * ***** ****-*** ***.

**'* ** ****** *******, *** ******** **** ****:**** ************* ** gives *** **** ****** *** ********.

**** ***** ** **** **************** *** ** ****'* ******* *******.

*** **** **** ***** **.

**** *** **** ** *** ***.

*** *** ** **** *** ****.

**** **** *** *** ***.

****'* *** *******?

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

********* *** *******, **'* ******** ********, *** ***'* **** ******** - *** **** ** ** ******** **** ** *** **.

** *** ***** ** "******* ****" *** **** ****** **********, then * ***** *** ********.

*** ***** * ***** **** ** ****** ** *** ****** of *** "*********" ****-************ **** ** ***** *** **** ****** of ******* ********.

** ***** ** ***, * ******** ******* ** ****** *** novel *********** ** ******* ******** ***-******** ******** ******* ******** ** a ******* ***** ** ****** * ******** *************. **** ******** in * **** ******* *** ** ***.

**** ** *** ** ** ********* ** *** *** ********** behaviors ** ****. ******* ** **** **** *** ****** ****, how *** **** ******** *** ******** ** *** ****** ** a *****?

******** **** "******* *** ** ** ****** ******* *****, ** is ***** ********** ****** ******* *********, *** * *** ** reason *** **** ** *** ** *******. ** ***, **** it * *******... :)

** ****** **** ***** ** *** *** ***, *** *** it *** ** ***** *********** ** *** *** **** *** the **** ***** ** ******** ** *** **** ****.

*** *****, *** *** ******* ** ** **** ** ** used.

***

****** **** **, **** ** *** **** **** "*******" *** if *** ******* **** *** *****/********?

******* *** **** *** ********* **** *** ******* * ****** shell ******** ********* ********.

***

*** **** **** ** ***** ** ****** *** ******** ** first *****.

... choose a password, many for nostalgic reasons choose root:pass. Because it makes it easier for them. This was a brilliant move on Axis's part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all, what's the difference between logging in with root:pass or typing pass:pass the first time.

***

***, ** ******* *** ** * *** ** ******** ******* doing ********, *** ***** ******** *** *** ** ****** "*******", please *** ****** *** *** *** **** *** ***** ****** with ****/****.

* **** ** ******** *********, **** *** ****** *****?

*******, * ***** **** **** ** *** * ***** **** just ******* *** ***** ******* * ******* ***** ** **** by ******* *** ***** *** ***** *** ***** ********.*** *** to ****** **** ******* ****, ****** ** *********. *** **** is * **** *** **** *** ********* ** ********* ** VAPIX, ***** ** **** *** ****** ******* ****.

**** **************** ** **** **** ** "********" ** ******.

** *

**'* * ***, ******* ****. *** ***, ** ****** ** fixed.

** ***** ********* *** **** ****** ** ****, *** ********* you ** **** ********* *** *** ******* ******* ** ****** in. **** ****** *******.

*** ******* ********* **** **** ** "*******" **** *** ******* need ** ** **** ** ******* (*.*. *** **** ***** and ******** *** ****) ** *******, ** ***** "***********". **** you *** ****, *** **** ********** ** **** *****, *** you *** ** ******** *** ***** **** **. ******* ***** you. *** **** ****** ******* **** *****. **'* ** ** your ***********.

**'* ******** ******** ** **** **** ** "****" ** **** "vulnerability", **'* ******* **** **** ******* "******" **** *******. ***, there ***** * ***, *** ******* *** ***, *** **** to ** ****. ***** *** *** - ****!

** *** *** ******* **** (***'* *** '****'), ***** ** 'n00b', *** **** '****' ********** **** **** ** ****** "*******", i ***** ***** **** *** ****** - *** ** **'* now, **.. * ** ***. **'* ** ******* *** ****.

**** ** **** **** ** *** * *********** ***** ******* cutting *** ***** **** **** ****** * ******** **** **** port ** ****.

*** **** ****.

**** **** *** ****? **** ***? ** **** **** ** in *** ***?

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** ** ** Linux ********* ** **** **** ***** *** ********, * **** show *** ** ******* **** *****.

*** *** ** *** ***** *******.

*** ***** *** **** ****** **** "********" ********* ** ********* along *** ***** **:

* ***'* ******* **** **** ******* ******* * **** ****** to **** ******* ** *** ****, ***** ** ******** **** to *** ** *** ***** *****, *** ********* ******* ***** be **** ** ******* *** **** ****** **** ***** *******, even ******* * ******* ****** ******* ********* ***.

***********, * ********* **** ******* **** ********** ******** ** ******* to ******** ** *****, ** ** ***** ** **** ** part ** ******* **** ******** ******* ** *** ****** ** not ********** *** *******.

***** *** ***** *******, *** ***** ******* ** ** *** in, *** ****** **** ** **** **** *** **....

**, ****** ** * ***** ******** *.**, ******* *********, *********** set ** ****:****. ** ******. **** ** ** *********.

*** **** ***** **** *** *'** ******* *** *******... :)

** **** *****, * *** ******* ****:

****://***.***.*.*/***********.*****?***=**********%****%*****.***.*.*%*******%**-*%**/***/**

**** ****** * ****** *****. ***** *** ** ***** ****, but * ***'* ***** *** *** ****** ** ******* **** knowledge ** **** ************.

** *** *** ******** ********** *********** **

*** ****, ***** ** **** ** ***** **** *** *** tamper ****, *** ******** /***/******* ** *** **** **/***/***/*******/******/*****-****.******.***** **** ****** ***** **** * ****** ****** ******* **** shell.

** ***** ** **** *****, ***** ** ** **** ** crontab, *** *** /*** ********** ** **** ****.

******** ***, ** **** ******* ****** ** ** *** *** as ****, ** ***** *** ** *-*** ********… (**** ****** code)

***** **** "**" ***’* **** *** "-*" ******, *** **** instead:

****://***.***.*.*/***********.*****?***=;******%**/***/*;**%**-*%***%*****.***.*.*%*******%***%**/***/*|/***/**%**/***/*%***%**/***/*;**%**/***/*

********** ***** ** ******** ** ****** **** ***** ***** ** code ** /***/****/*****.

# *** /***/****/*****/****.*****


**** ****:

****://***.***.*.*/*****/****.*****?**=***.***.*.*&****=*****

***** **** ** *****'* **** *** -* ******.

*** *** ** **, **'* ****' ****** ******* ** ****.

** *** **** *** ***** ******* ** ** (******* -*) out ***** * ***?

*** ***** ***** *** **** ** * ***** ******.

**, *** ****** *** ***** ** **** *** ** ******* a *******, ******* **** ******** * ****. **'* **** * little ***** *** *** **** *** **** * **** ****?

********, *'* *** ** **** ****** ***..

**, **** * **** ***!

*.*. **** *** **** ***-** * ******* **** ***** **** and * ** *********?

**** ** *** **** **** *** *** **** ******* *** from *** ****** *** **** ** ****** *** *** ****** remotely?

****, * **** *** *** *** ***** **** ******** *** have ** ******** *** ***** ******** ** ***** ********* *** explain *** **** ****** **** ***** ********!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

Uniview Low-Cost Bullet PTZ Tested on Jun 21, 2017
Uniview is offering a HD zoom bullet camera, the IPC742SR9-PZ30-32G, with an integrated pan / tilt positioner, for the price of a low-cost...
QSR Video Surveillance Best Practices on Jun 21, 2017
Fast food restaurants or QSRs (quick service restaurants), are frequent victims of crime and fraud. Because they are open late, deal with cash, and...
45 Drives 'Lowest Cost' Enterprise Storage Company Profile on Jun 21, 2017
45 Drives claims the "lowest cost per Hard Drive Slot in the industry." But who or what is '45 Drives'? What started as a product design to...
No Hack, Still Liable, Court Finds ADT on Jun 20, 2017
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit. One of the most important...
Resolver / PPM 2000 Incident Management Platform Profile on Jun 20, 2017
You might have seen the company whose employees wear hockey jerseys at trade shows and wondered "what do they do?" PPM 2000 has been active in...
Axis P3225 Mk II Tested Vs. Original on Jun 20, 2017
Axis has released a number of 'Mk II' versions of their cameras, which are the same fundamental camera but with specific improvements. We tested...
Directory of 40 IP Camera Manufacturer Discovery Tools on Jun 19, 2017
Locating the IP address of a DHCP client or factory defaulted device on a network is often a difficult task.  In another report, we discussed...
Dahua Demotes USA CEO on Jun 19, 2017
Dahua has demoted their USA CEO Tim Wang. Inside this note, we examine the move, Dahua's challenges and what lies ahead for the...
Avigilon Increases Prices In Canada, Europe and UK on Jun 19, 2017
While many video surveillance companies are racing to see who can cut prices the fastest, Avigilon is taking a contrary approach, actually raising...
VMS UI - Light vs Dark Preferences on Jun 16, 2017
Several VMS manufacturers have the ability to choose a user interface with either a light or dark color theme. 150+ integrators told us which they...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact