Axis Exploit Allows Changing Camera Root Password Confirmed
By: John Honovich, Published on Aug 02, 2016
IPVM has confirmed that using the Axis remote format string vulnerability, an attacker can easily change the root password of the camera, taking control of the entire camera and blocking out the legitimate user. This was submitted to IPVM last week.
This is in addition to the already severe unauthorized remote root access that we tested and verified recently.
All that needs to be done is to call a script with the replacement password, and the password is changed. We believe this is a built-in utility that Axis uses internally and is available to root users such as those exploiting the remote format string vulnerability.
We are not disclosing the name of the script. Though the name is fairly obvious and we suspect many people with deep knowledge of Axis products are already well aware of it, we do not want to publicize that specific.
The original exploit provides root access but not the web root password. Without that, one cannot log into the camera's web interface or easily see or change video / device settings. But once the root password is set by the attacker (with this Axis-provided script), they can then easily spy on the video feed, change how the camera is configured, etc.
This can be exploited remotely for publicly accessible cameras (including via port forwarding and UPnP) but it can also be done locally by rival integrators or manufacturer competitors that have access to a site.
Access Control Impacted Too
It is also worth noting that this same procedure works on Axis A1001 access control panels, which is likely an even greater risk given the operational importance of access control vs video.
Axis Step Up And Better Notify The Industry
While Axis did some initial publicity of the vulnerability, they have done little since the working exploit was announced. They must know that this password script exists and can be easily called, making the vulnerability far more impactful.
Axis, please go out and use your unrivaled marketing muscle to make it clear to every user out there the severity of this exploit and the need to upgrade every camera everywhere.