AXIS Cross Site Request Forgery / Cross Site Scripting

Type packetstorm
Reporter David Wearing
Modified 2017-03-16T00:00:00


Vulnerabilities were identified in the camera software by Axis. These were  
discovered during a black box assessment and therefore the vulnerability  
list should not be considered exhaustive; observations suggest that it is  
likely that further vulnerabilities exist.  
Affected Software And Versions  
Model P1204, software versions <= 5.50.4  
Model P3225, software versions <= 6.30.1  
Model P3367, software versions <=  
Model M3045, software versions <=  
Model M3005, software versions <=  
Model M3007, software versions <=  
No CVEs have been assigned to these vulnerabilities.  
Vulnerability Overview  
1. Axis01: No cross-site request forgery protections  
2. Axis02: Bypass manual checks for XSS  
3. Axis03: Web services run as root  
4. Axis04: Script editor function allows for arbitrary write as root on  
successful CSRF attack  
5. Axis05: root setuid .CGI scripts and binaries present  
6. Axis06: Inability to disable the http interface  
Vulnerability Details  
1. Axis01: No cross-site request forgery protections  
Axis software does not have any cross-site request forgery protection  
within the management interface. Axis provide guidance on risk mitigation  
for CSRF only.  
2. Axis02: Bypass manual checks for XSS  
Axis software on the camera has client-side JavaScript to try and remove  
XSS payloads. No server-side security checks are present. Viewers or lower  
privileged users of cameras exposed to the internet or corporate networks  
may be able to store persistent XSS payloads.  
Example of code in language_incl.js used to detect and remove malicious  
javaScript shown below:  
if( data.toLowerCase().indexOf(\"<script\") != -1 ||  
data.toLowerCase().indexOf(\"</script\") != -1 )  
3. Axis03: Web service runs as root  
The versions of Axis software tested have a BOA server (boa) running as  
root. BOA is an ancient web server and no longer maintained since approx.  
2005. Fuzzing of the process using off-the-shelf fuzzers result in crashes  
that have not yet been investigated further.  
Axis software versions >5.70 have replaced BOA with Apache.  
4. Axis04: Script editor function allows for arbitrary write as root on  
successful CSRF attack  
A script editor function a/admin-bin/editcgi.cgia can be used to write as  
root to the device, due to Axis01 lack of CSRF protection, this can be  
exploited to write over /etc/shadow and obtain root access to the device,  
as well as backdoor the device.  
Proof of concept to overwrite /etc/shadow file:  
<form action="https://<ip-of-axis-camera|hostname>/admin-bin/editcgi.cgi?file=/etc/shadow"  
method="POST" >  
<input type="hidden" name="save_file" value="/etc/shadow" />  
<input type="hidden" name="mode" value="0100600" />  
<input type="hidden" name="convert_crlf_to_lf" value="on" />  
<input type="hidden" name="content" value="#####INPUT HTML ENCODED SHADOW  
HERE##### " />  
<input type="submit" value="Submit request" />  
5. Axis05: root setuid .CGI scripts and binaries present  
Multiple root setuid .CGI scripts and binaries are present. The CGI scripts  
manage web session temp files,group memberships and functionality of the  
camera. Exploitable vulnerabilities in any will provide root access to the  
E.g /axis-cgi/admin/param.cgi & /axis-cgi/admin/pwdgrp.cgi which allows for  
changing user and group passwords.  
6. Axis06: Inability to disable the HTTP interface  
No option existed in Axis software to disable the HTTP interface. The web  
server will always listen on all network interfaces of the camera, which  
makes these cameras trivial to find on the internet e.g. using Shodan.  
E.g port 80 is listening and /httpDisabled.shtml is always accessible.  
Axis advise to move the web server listening port to another port.  
Axis released zero advisories related to the issues reported here.  
Axis recommends following their hardening guide available on:  
For the vulnerabilities related to Axis02, Axis03 and Axis06 Axis has  
recommended to upgrade Axis software to versions >5.70 or use the new Axis  
platform with >7.10 versions. Versions other than those listed here have  
not been tested to confirm these vulnerabilities have been fixed.  
The vulnerabilities were discovered by David Wearing from Google Security  
2016/11/24 - Security report sent to Axis with 90 day disclosure deadline  
2016/12/02 - Axis acknowledges report and starts working on the issues.  
2016/12/06 - Pinged for patch ETA.  
2016/12/09 - Pinged for patch ETA.  
2017/01/11 - Pinged for patch ETA.  
2017/01/12 - Response from Axis Security listing multiple issues as having  
been fixed in the new firmware versions. Redesign of CGI scripts to be  
interfaces confirmed.  
2017/01/25 - Send query regarding the lack of CSRF protections and if  
changes to handling of XSS was to occur.  
2017/02/28 - Request to Axis on any advice or mitigations they want to  
include in the post.  
2017/03/02 - Pinged Axis.  
2017/03/02 - Response from Axis including advice on mitigation of CSRF.  
2017/03/05 - Review of mitigations provided to Axis  
2017/03/10 - Discussions with Axis on post.  
2017/03/15 - Public disclosure.