GHDB « Hackers For Charity

Google Search: inurl:indexFrame.shtml Axis

effexca rates this entry 4 out of 10.
Submitted: 2004-06-06 00:00:00
Added by: effexca
Hits: 42903
Score: 4

The AXIS 2400 is a Web server of its own. This means that the server is secured like any other Internet host. It is up to the network manager to restrict access to the AXIS Web Cameras camera server. AXIS Network cams have a cam control page called indexFrame.shtml which can easily be found by searching Google. An attacker can look for the ADMIN button and try the default passwords found in the documentation. An attacker may also find that the directories are browsable.

Additional security related information was found on the Internet.

Securityfocus (www.securityfocus.com):

"It has been reported that the Axis Video Servers do not properly handle input to the 'command.cgi' script. Because of this, an attacker may be able to create arbitrary files that would result in a denial of service, or potentially command execution."

Core Security Technologies Advisory (http://www.coresecurity.com):

"We have discovered the following security vulnerability: by accessing http://camera-ip//admin/admin.shtml (notice the double slash) the authentication for "admin" is bypassed and an attacker gains direct access to the configuration.


Comments:

2004-07-10 11:12:53 (Anonymous):

2004-07-19 04:49:30 (murfie): Alternate Google search: intitle:"Live View / - AXIS"
Thx to J0hnny!


2004-07-19 06:06:11 (Winston):

2004-07-19 06:58:43 (murfie): I just found out that some of these cams still have the bug that allows watching the acces_log file (thus obtaining valid usernames).

http://www.securityfocus.com/archive/1/313485

Example:

Jul 18 18:10:04 AxisProduct -- MARK --
Jul 18 18:29:20 AxisProduct boa[30]: xxx.x.xx.xx - "GET /admin/admin.shtml HTTP/1.0" 401 0
Jul 18 18:29:27 AxisProduct boa[30]: xxx.x.xx.xx - "GET /admin/admin.shtml HTTP/1.0" 401 0

The admin user is called 'boa' here.. :)


2004-08-24 18:45:05 (Anonymous): http://lists.netsys.com/pipermail/full-disclosure/2004-August/025606.html

# AXIS 2400/2401 Video Server
axis-passwd.sh ........... Get /etc/passwd as 'anonymous viewer' v2.34/2.40


2004-09-02 03:53:12 (lucxedge): I was on one of them and I think the guy was getting pissed off.
I was moving it around and he kept on moving it back.
lol


2004-12-19 00:12:09 (mrc0de): I try the double slash trick to bypass admin and it doesn't work

2004-12-27 13:46:11 (murfie): hey mrc0de, the // bug doesn't work on every model and then again admins may have finally applied the patches.

2005-02-10 19:56:18 (infinity): I found out that while the http://camera-ip//admin/admin.shtml doesn't work too often, sometimes you can add a third / and it'll work... Such as http://camera-ip///admin/admin.shtml
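
For anyone operating one of these cameras, an added example that is not from the original thread: a small Python scanner over the boa[] access-log format quoted in murfie's comment above, flagging the repeated-slash requests to the admin area described in the Core advisory and in the comments here (two or more slashes), and any request to command.cgi from the Securityfocus note. The log lines and the 10.0.0.x addresses are constructed sample data, not a real capture.

```python
import re
from typing import Dict, List

# Constructed sample lines in the "boa[pid]:" access-log layout quoted above (not real traffic).
SAMPLE_LOG = """\
Jul 18 18:10:04 AxisProduct -- MARK --
Jul 18 18:29:20 AxisProduct boa[30]: 10.0.0.5 - "GET /admin/admin.shtml HTTP/1.0" 401 0
Jul 18 18:29:27 AxisProduct boa[30]: 10.0.0.5 - "GET /admin/admin.shtml HTTP/1.0" 401 0
Jul 18 18:29:41 AxisProduct boa[30]: 10.0.0.5 - "GET //admin/admin.shtml HTTP/1.0" 200 3120
Jul 18 18:30:02 AxisProduct boa[30]: 10.0.0.9 - "GET ///admin/admin.shtml HTTP/1.0" 200 3120
Jul 18 18:31:15 AxisProduct boa[30]: 10.0.0.7 - "GET /view/indexFrame.shtml HTTP/1.0" 200 4210
Jul 18 18:32:40 AxisProduct boa[30]: 10.0.0.9 - "GET /admin/command.cgi?x=y HTTP/1.0" 200 12
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ boa\[\d+\]: (?P<ip>\S+) - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$'
)


def classify(path: str, status: str) -> List[str]:
    """Reasons a single request matches one of the issues discussed on this page."""
    reasons = []
    raw = path.split('?', 1)[0]
    # Collapse runs of slashes: the reported bypass is the un-normalised path reaching /admin/.
    normalised = re.sub(r'/{2,}', '/', raw)
    if normalised != raw and normalised.startswith('/admin/'):
        reasons.append('repeated-slash path to admin area')
        if status == '200':
            reasons.append('admin page served without 401 (possible auth bypass)')
    if normalised.endswith('/command.cgi'):
        reasons.append('command.cgi request (input-handling advisory)')
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Scan boa access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # '-- MARK --' and other non-request lines
        reasons = classify(m['path'], m['status'])
        if reasons:
            findings.append({'ts': m['ts'], 'ip': m['ip'], 'path': m['path'],
                             'status': m['status'], 'reason': '; '.join(reasons)})
    return findings


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['status']}: {f['reason']}")
```

Normal 401 challenges on /admin/admin.shtml are left alone; only the collapsed-slash variants and command.cgi hits are reported.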

2005-07-24 00:58:43 (dc0): I modded your entry a little bit, this shows all the cameras being monitored by that given server in a quad format... Very handy... but sadly don't get click happy, there's a dot mil and a dot gov.... =\

inurl:indexFrame.shtml?newstyle=Quad Axis