Bugtraq mailing list archives

Re: Axis Network Camera known default password vulnerability

From: Torgeir Hansen <trenger () trenger ro>
Date: Fri, 07 Dec 2001 08:32:53 +0100

I'd be more worried about the old firmwares (2.0x (I tested 2.12 also
which isn't vulnerable) that contain amongst others:
/cgi-bin/paramtool and /cgi-bin/hwtestio, you don't need to authorize to
access them.
(seems to be a misconfiguration in the webserver)

paramtool can be used like this:
"http://<ip_to_webcam>/cgi-bin/paramtool?--blargh

which will show the entire config of the webcam, including:
root.InternalSecurity.Passwd { root { passwd [ "plAsx1.0CzA.wd" ] (...)
Which shouldn't be too hard to crack :)
This could also reveal dialup info, like phone-numbers, username and
passwords.
(if this camera is set up to be serving images through dialup
connection)

And then there is /cgi-bin/hwtestio, which I think was really bad -
as it tells the user how to use it, and remember: you do not have to log
in to the web-pages to
access this script either!
Basically it tells you:
--------------------------
 -ix Test IO x times
 -rx Relay switch repeated x times
--------------------------
i.e. you can do "http://<ip_to_webcam>/cgi-bin/hwtestio?-r242424", and
the camera basically crashes.

PS! This IS old info, firmware upgrades that fix these problems exist
and have for a while.
And Chris and/or the - good for you that you actually managed to read on
axis' webpages, good on ya!


--torgeir


Chris Gragsone wrote:


  Axis Network Camera known default password vulnerability
  by Chris Gragsone
  Foot Clan

  Date: November 17, 2001
  Advisory ID: Foot-20011117
  Impact of vulnerability: Default Password
  Exploitable: Remotely
  Maximum Risk: Moderate

  Affected Software:
  Axis Network Camera 2120
  Axis Network Camera 2110
  Axis Network Camera 2100
  Axis Network Camera 200+
  Axis Network Camera 200

  Vulnerability:
  Log into any Axis Network Camera via ftp, telnet, or http
  Default account: root
  Default password: pass

  References:
  http://www.axis.com/product/camera_servers/index.html
  http://www.axis.com/solutions/cam_vid/surveillance/index.html
  Contact:
  http://footclan.realwarp.net Chris Gragsone (maetrics () realwarp net)

  Disclaimer:
  The contents of this advisory are lame and should probably not be

read.

Current thread:

Axis Network Camera known default password vulnerability Chris Gragsone (Dec 05)
- <Possible follow-ups>
- Re: Axis Network Camera known default password vulnerability Torgeir Hansen (Dec 06)
- Re: Axis Network Camera known default password vulnerability Joacim Tullberg (Dec 06)