Bugtraq mailing list archives
Re: Axis Network Camera known default password vulnerability
From: Joacim Tullberg <joacim () axis com>
Date: 6 Dec 2001 13:53:53 -0000
In-Reply-To: <3C0E5357.1080105 () realwarp net>

We have over the years tried many different methods to encourage users to change the default root password immediately after installation of an Axis Network Camera or Video Server. The majority of users obviously change their passwords but there are of course those that do not.

Below I have listed some of the things we have tried over the years:

- Force change of password prior to making the unit fully operational.
  Result: Significant number of support requests due to forgotten passwords.

- Password protection enabled from start with default password, the most basic method, currently used in Axis 200+ & 200 Network Cameras.
  Result: Support calls requesting the default password. (Though clearly stated in the installation guide)

- An option worth considering is to have a unique default password for each device, printed on a sticker. We have not tried this in real life but I believe the result would be
  - Support requests for the default password, a question we would not be able to answer and worse, it would also mean that: a forgotten password and a lost sticker would make the unit useless.

We welcome all suggestions on how we may improve the default password handling procedure and increase the security of our Network Camera and Video Server product. If you have any suggestions, please tell us.

Best Regards,
Joacim Tullberg
Product Group Manager, Network Cameras & Video Servers
Axis Communications

Axis Network Camera known default password vulnerability
by Chris Gragsone
Foot Clan

Date: November 17, 2001
Advisory ID: Foot-20011117
Impact of vulnerability: Default Password
Exploitable: Remotely
Maximum Risk: Moderate

Affected Software:
Axis Network Camera 2120
Axis Network Camera 2110
Axis Network Camera 2100
Axis Network Camera 200+
Axis Network Camera 200

Vulnerability Description:
Axis Network Camera is an embedded system that connects a camera directly to the network. With data rates up to 25 frames a second and motion detection. It could be used as a web cam, or for security. This network camera could also be used as part of an IP-Surveillance system, critical to a site's infrastructure.

During installation of Axis Network Camera, the administrator is not prompted for the password for the root account. If the camera is left improperly configured, the attacker could connect to the device remotely and obtain administrative access, and reconfigure or interrupt the camera.

Vulnerability:
Log into any Axis Network Camera via ftp, telnet, or http
Default account: root
Default password: pass

References:
http://www.axis.com/product/camera_servers/index.html
http://www.axis.com/solutions/cam_vid/surveillance/index.html

Contact:
http://footclan.realwarp.net
Chris Gragsone (maetrics () realwarp net)

Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Current thread:
- Axis Network Camera known default password vulnerability Chris Gragsone (Dec 05)
- <Possible follow-ups>
- Re: Axis Network Camera known default password vulnerability Torgeir Hansen (Dec 06)
- Re: Axis Network Camera known default password vulnerability Joacim Tullberg (Dec 06)