Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4597
HistoryMay 28, 2003 - 12:00 a.m.

CORE-2003-0403: Axis Network Camera HTTP Authentication Bypass

2003-05-2800:00:00
vulners.com
22
JSON
                     Core Security Technologies Advisory
                         http://www.coresecurity.com

                Axis Network Camera HTTP Authentication Bypass

Date Published: 2003-05-27

Last Update: 2003-05-23

Advisory ID: CORE-2003-0403

Bugtraq ID: 7652

CVE Name: CAN-2003-0240

Title: Axis Network Camera HTTP Authentication Bypass

Class: Access Validation Error

Remotely Exploitable: Yes

Locally Exploitable: No

Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=329&idxseccion=10

Vendors contacted:

  • Axis Communications
    . Core Notification: 2003-04-10
    . Notification acknowledged by Axis: 2003-04-17
    . 2.34 Release candidate for the Axis 2400/2401 Video Servers
    available: 2003-04-17
    . Fixed versions available for all affected products: 2003-05-27

Release Mode: COORDINATED RELEASE

Vulnerability Description:

An Axis Network Camera captures and transmits live images directly
over an IP network (e.g. LAN/intranet/Internet), enabling users to
remotely view and/or manage the camera from a Web browser on any
computer. For more information see http://www.axis.com

After setting up the Axis Camera, the user is provided with
Web-based Administration Tools for configuring and managing the
camera by accessing http://camera-ip/admin/admin.shtml, which
requires a username and password.

We have discovered the following security vulnerability: by accessing
http://camera-ip//admin/admin.shtml
(notice the double slash) the authentication for "admin" is bypassed
and an attacker gains direct access to the configuration.

Using this vulnerability, an attacker can reset the root password,
then enable the telnet server by modifying configuration files,
giving the attacker interactive access to a Unix like command line,
allowing her to execute arbitrary commands as root.

Vulnerable Packages:

. AXIS 2100 Network Camera versions 2.32 and previous
. AXIS 2110 Network Camera versions 2.32 and previous
. AXIS 2120 Network Camera versions 2.32 and previous
. AXIS 2130 PTZ Network Camera versions 2.32 and previous
. AXIS 2400 Video Server versions 2.32 and previous
. AXIS 2401 Video Server versions 2.32 and previous
. AXIS 2420 Network Camera versions 2.32 and previous
. AXIS 2460 Network DVR versions 3.00 and previous
. AXIS 250S Video Server versions 3.02 and previous

Solution/Vendor Information/Workaround:

Axis Communications has released new firmwares closing this
vulnerability in its Network Camera and Video Server products.

New releases are available at:

AXIS 2100 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2100/2_34/

AXIS 2110 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2110/2_34/

AXIS 2120 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2120/2_34/

AXIS 2130 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2130/2_34/

AXIS 2400 Video Server: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/2_34/

AXIS 2401 Video Server: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2401/2_34/

AXIS 2420 Network Camera: 2.34
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2420/2_34/

AXIS 2460 Network DVR: 3.10
ftp://ftp.axis.com/pub_soft/cam_srv/cam_2460/3_10/

AXIS 250S Video Server: 3.03
ftp://ftp.axis.com/pub_soft/cam_srv/cam_250s/3_03/

Recommended Actions:
We strongly recommend that all devices are updated to these
firmware versions.

Credits:

This vulnerability was found by Juliano Rizzo from Core Security
Technologies.

We wish to thank Joacim Tullberg from Axis for his quick response to
this issue.

Technical Description - Exploit/Concept Code:

We have discovered the following security vulnerability: by accessing
http://camera-ip//admin/admin.shtml
(notice the double slash) the authentication for "admin" is bypassed
and an attacker gains direct access to the configuration.

In the same way, an attacker can access the other administration
tools for the camera, for example:
http://camera-ip//admin/img_general.shtml
http://camera-ip//admin/netw_tcp.shtml
http://camera-ip//admin/sys_date.shtml
http://camera-ip//admin/com_port.shtml
http://camera-ip//admin/op_general.shtml
http://camera-ip//admin/sys_motiond.shtml

Note that the workaround for a recently published Axis HTTP Server
vulnerability (see reference [1]) was to add authentication to
some particular paths. With this vulnerability the authentication
can be bypassed, so the mentioned Information Disclosure
vulnerability can still be exploited.

The affected Axis devices run a Linux like operating system. With
this vulnerability an attacker can reset the root password. Then
using the default open ftp server, the attacker can download
configuration files, modify these files and upload them again.
Modifying /etc/inittab it is possible to enable the Telnet server
(see [2] a technical note explaining how to enable Telnet support),
giving the attacker interactive access to a Unix like command line.
Axis provides free developer tools (see [3]), so it is feasible
for an attacker to build tools like port scanners or proxies to
start attacks from the compromised camera (which are usually
installed inside internal networks) which could lead to the
compromise of the internal network.

References:

[1] Axis Communications HTTP Server Messages Information Disclosure
Vulnerability (published 2003-02-28):
http://www.securityfocus.com/bid/6980/

[2] Technical Note: Enable Telnet Support in the Axis Camera Servers
http://www.axis.com/techsup/cam_servers/tech_notes/telnet_support.htm
As stated in this page: "You should enable this option for experimental
use only. Never leave the Telnet access enabled when having the
Network Camera installed on a public site."

[3] Axis' developer site (where a compiler and other development
tools can be downloaded):
http://developer.axis.com/

About Core Security Technologies

Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets.
Headquartered in Boston, MA, Core Security Technologies can be
reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit:
http://www.coresecurity.com/products/coreimpact

DISCLAIMER:

The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.

$Id: Axis-advisory.txt,v 1.7 2003/05/23 20:17:29 carlos Exp $

Related

packetstorm 1
cve 1
coresecurity 1
cert 1
packetstorm
packetstorm
core.axis.txt
2003-05-28 00:00:00
cve
cve
CVE-2003-0240
2003-06-09 04:00:00
coresecurity
coresecurity
Axis Network Camera HTTP Authentication Bypass
2003-05-27 00:00:00
cert
cert
Various Axis products allow unauthorized remote privileged access
2003-06-05 00:00:00
JSON
Related for SECURITYVULNS:DOC:4597
packetstorm1cve1coresecurity1cert1