Bugtraq mailing list archives

RE: axis2400 webcams


From: "Barry Zubel" <barry () ablebox com>
Date: Fri, 28 Feb 2003 17:19:04 -0000

Tested the viewing of http://server/log/messages on Axis 2100 model, and it is
vulnerable.

Didn't try to check the overwrite vulnerability - I'd rather not, just in case.
:)

Barry Zubel
Able Packaging Designs Ltd




-----Original Message-----
From: Martin Eiszner [mailto:martin () websec org] 
Sent: 28 February 2003 09:46
To: bugtraq () securityfocus com
Subject: axis2400 webcams




2002 () WebSec org/Martin Eiszner

==================================
Security REPORT axis webcam 2400.?
==================================

this document: http://www.websec.org/adv/axis2400.txt.html

Product: Axis Webserver for 2400 ??
Vulnerabilities: denial of service, information disclosure, non-confirmed script
execution
Vendor: Axis (http://www.axis.com)
Vendor-Status: E-Mail to "security () axis com" and "anne.rhenman () axis com" date:
17.01.2003
Vendor-Patch: no response (28.02.2003)

Local: NO
Remote: YES

============
Introduction
============

webcam system including modified boa-webserver and web-based admin-interface ...


=====================
Vulnerability Details
=====================


1) INFORMATION DISCLOSURE

http-requests to:

---*---
http://server/support/messages
---*---

responds with /var/log/messages.
it is not password protected and might disclose sensitive information.


2) DOS / OVERWRITING SYSTEM-FILES
requesting:
---*---
http://server/axis-cgi/buffer/command.cgi?
buffername=X&
prealarm=1&
postalarm=1&
do=start&
uri=/jpg/quad.jpg&
format=[bad input]
---*---

allows an attacker to overwrite important files on the system (all fifos for
example) leading to an effective DOS-attack.


3) ARBITRARY FILE CREATION

a request like:
---*---
/axis-cgi/buffer/command.cgi?whatever params buffername=[relative path to
directory] format=[relative path to arbitrary file name]
---*---

will create [relative path to arbitrary file name] or [relative path to a.
directory]

if somebody is able to change content of error messages he might be able to
create and execute arbitrary script-files(php fE.).


severity: LOW-MEDIUM


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch.


EOF Martin Eiszner / @2002WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei () websec org
http://www.websec.org
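
Added example, not part of the advisory or the reply above: a log check a defender could run over web access logs for the request patterns the thread describes (the log-file URLs and command.cgi calls with unexpected buffername/format values). It assumes access logs in Common Log Format, for instance from a proxy in front of the camera, and assumes legitimate buffername/format values are short plain tokens; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths named in the advisory and in the follow-up reply.
LOG_PATHS = {"/support/messages", "/log/messages"}
BUFFER_CGI = "/axis-cgi/buffer/command.cgi"
# Assumption: legitimate buffername/format values are short plain tokens.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# Common Log Format: client ... "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client, finding) for a suspicious log line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.rstrip("/")
    # A 200 on these paths means the system log was served without a password.
    if path in LOG_PATHS and status == "200":
        return client, "syslog served over HTTP"
    if path == BUFFER_CGI:
        # parse_qs percent-decodes values, so encoded separators are caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in ("buffername", "format"):
            for value in params.get(name, []):
                if not SAFE_VALUE.match(value):
                    return client, f"unexpected {name} value {value!r}"
    return None

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Feb/2003:09:50:01 +0000] "GET /support/messages HTTP/1.0" 200 18432
192.0.2.10 - - [28/Feb/2003:09:50:07 +0000] "GET /axis-cgi/buffer/command.cgi?buffername=X&prealarm=1&postalarm=1&do=start&uri=/jpg/quad.jpg&format=..%2Fplaceholder HTTP/1.0" 200 57
198.51.100.4 - - [28/Feb/2003:10:02:11 +0000] "GET /axis-cgi/buffer/command.cgi?buffername=X&prealarm=1&postalarm=1&do=start&uri=/jpg/quad.jpg&format=jpeg HTTP/1.0" 200 12
198.51.100.4 - - [28/Feb/2003:10:02:15 +0000] "GET /support/messages HTTP/1.0" 401 0
"""

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(client, finding)
```

The same two path checks can serve as deny rules on a filtering proxy until a vendor patch is available.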

