Re: Axis Network Camera known default password vulnerability

From: Torgeir Hansen (trengerat_private)
Date: Thu Dec 06 2001 - 23:32:53 PST

Next message: Tom Liston: "Flawed outbound packet filtering in various personal firewalls"

Previous message: bugzillaat_private: "[RHSA-2001:161-08] Updated OpenSSH packages available"
Maybe in reply to: Chris Gragsone: "Axis Network Camera known default password vulnerability"
Next in thread: Joacim Tullberg: "Re: Axis Network Camera known default password vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'd be more worried about the old firmwares (2.0x (I tested 2.12 also
which isn't vulnerable) that contain amongst others:
/cgi-bin/paramtool and /cgi-bin/hwtestio, you don't need to authorize to
access them.
(seems to be a misconfiguration in the webserver)

paramtool can be used like this:
"http://>/cgi-bin/paramtool?--blargh

which will show the entire config of the webcam, including:
root.InternalSecurity.Passwd { root { passwd [ "plAsx1.0CzA.wd" ] (...)
Which shouldn't be too hard to crack :)
This could also reveal dialup info, like phone-numbers, username and
passwords.
(if this camera is set up to be serving images through dialup
connection)

And then there is /cgi-bin/hwtestio, which I think was really bad -
as it tells the user how to use it, and remember: you do not have to log
in to the web-pages to
access this script either!
Basically it tells you:
--------------------------
 -ix Test IO x times
 -rx Relay switch repeated x times
--------------------------
i.e. you can do "http://>/cgi-bin/hwtestio?-r242424", and
the camera basically crashes.

PS! This IS old info, firmware upgrades that fix these problems exist
and have for a while.
And Chris and/or the - good for you that you actually managed to read on
axis' webpages, good on ya!

--torgeir

Chris Gragsone wrote:
>
>   Axis Network Camera known default password vulnerability
>   by Chris Gragsone
>   Foot Clan
>
>   Date: November 17, 2001
>   Advisory ID: Foot-20011117
>   Impact of vulnerability: Default Password
>   Exploitable: Remotely
>   Maximum Risk: Moderate
>
>   Affected Software:
>   Axis Network Camera 2120
>   Axis Network Camera 2110
>   Axis Network Camera 2100
>   Axis Network Camera 200+
>   Axis Network Camera 200
>
>   Vulnerability:
>   Log into any Axis Network Camera via ftp, telnet, or http
>   Default account: root
>   Default password: pass
>
>   References:
>   http://www.axis.com/product/camera_servers/index.html
>   http://www.axis.com/solutions/cam_vid/surveillance/index.html
>   Contact:
>   http://footclan.realwarp.net Chris Gragsone (maetricsat_private)
>
>   Disclaimer:
>   The contents of this advisory are lame and should probably not be
read.

Next message: Tom Liston: "Flawed outbound packet filtering in various personal firewalls"
Previous message: bugzillaat_private: "[RHSA-2001:161-08] Updated OpenSSH packages available"
Maybe in reply to: Chris Gragsone: "Axis Network Camera known default password vulnerability"
Next in thread: Joacim Tullberg: "Re: Axis Network Camera known default password vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 08:45:10 PST