Hacking more than 400 Axis camera models by chaining 3 flaws

Researchers from cybersecurity firm VDOO have discovered several vulnerabilities affecting nearly 400 security cameras from Axis Communications.

Researchers from cybersecurity firm VDOO have conducted a study on IoT devices and discovered seven vulnerabilities in cameras manufactured by Axis Communications. According to the vendor, nearly 400 models are affected by the issue and Axis has released security patches for each flaw.

An attacker can remotely take over a camera by knowing its IP address, exploiting the flaws it is possible to access and freeze the video stream, control every function of the camera (e.g. motion detection, direction) and also to alter the software.

Experts warn that an attacker can compromise cameras to recruit them in a botnet that could be used to power a broad range of attacks, such a DDoS and cryptocurrency mining.

“One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.” reads the analysis published by VDOO.

“Chaining three of the reported vulnerabilities together, allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

The experts published Technical details for each issue and related proof-of-concept (PoC) code.

The researchers demonstrated that chaining three vulnerabilities it is possible to hack Axis cameras by sending specially crafted requests as root (CVE-2018-10662) and bypassing authentication (CVE-2018-10661), then injecting arbitrary shell commands (CVE-2018-10660).

Below the attack sequence demonstrated by the researchers:

• Step 1: The attacker uses an authorization bypass vulnerability (CVE-2018-10661) to send unauthenticated HTTP requests that reach the .srv functionality (that handles .srv requests) inside /bin/ssid. Normally, this functionality should only be accessible to administrative users.
• Step 2: The attacker then utilizes an interface that allows sending any dbus message to the device’s bus, without restriction (CVE-2018-10662), that is reachable from /bin/ssid’s .srv. Due to the fact that /bin/ssid runs as root, these dbus messages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy). The attacker chooses to send dbus messages to one such dbus-service’s interface – PolicyKitParhand, which offers functions for setting parhand parameters. The attacker now has control over any of the device’s parhand parameter values. (See the next vulnerability).
• Step 3: A shell command injection vulnerability (CVE-2018-10660) is then exploited. Some parhand parameters (of type “Shell-Mounted”) end up in configuration files in shell variable assignment format, which are later, included in a service’s init-script that runs as root. Due to step-2, the attacker is able to send unauthenticated requests to set parhand parmeter values. By doing so, the attacker can now exploit this vulnerability by setting one parameter’s value with special characters which will cause command injection, in order to execute commands as the root user.

The remaining vulnerabilities discovered by VDOO can be exploited by unauthenticated attackers to obtain information from the memory o to trigger a DoS condition.

Axis published a security advisory that includes the complete list of all impacted cameras and the firmware version that address the vulnerabilities.

As part of the same study on the security of IoT devices, researchers at VDOO discovered several vulnerabilities in Foscam cameras.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Amazon Fire TV, ADB.miner)

[adrotate banner=”5″]

[adrotate banner=”13″]