Hacking more than 400 Axis camera models by chaining 3 flaws

Researchers from cybersecurity firm VDOO have discovered several vulnerabilities affecting nearly 400 security cameras from Axis Communications.

Researchers from cybersecurity firm VDOO have conducted a study on IoT devices and discovered seven vulnerabilities in cameras manufactured by Axis Communications. According to the vendor, nearly 400 models are affected by the issue and Axis has released security patches for each flaw.

An attacker can remotely take over a camera by knowing its IP address, exploiting the flaws it is possible to access and freeze the video stream, control every function of the camera (e.g. motion detection, direction) and also to alter the software.

Experts warn that an attacker can compromise cameras to recruit them in a botnet that could be used to power a broad range of attacks, such a DDoS and cryptocurrency mining.

“One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.” reads the analysis published by VDOO.

“Chaining three of the reported vulnerabilities together,allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera.”

The experts published Technical details for each issue and related proof-of-concept (PoC) code.

The researchers demonstrated that chaining three vulnerabilities it is possible to hack Axis cameras by sending specially crafted requests as root (CVE-2018-10662) and bypassing authentication (CVE-2018-10661), then injecting arbitrary shell commands (CVE-2018-10660).

Below the attack sequence demonstrated by the researchers:

  • Step 1: The attacker uses an authorization bypass vulnerability (CVE-2018-10661) to send unauthenticated HTTP requests that reach the .srv functionality (that handles .srv requests) inside /bin/ssid. Normally, this functionality should only be accessible to administrative users.
  • Step 2: The attacker then utilizes an interface that allows sending any dbus message to the device’s bus, without restriction (CVE-2018-10662), that is reachable from /bin/ssid’s .srv. Due to the fact that /bin/ssid runs as root, these dbusmessages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy). The attacker chooses to send dbusmessages to one such dbus-service’s interface – PolicyKitParhand, which offers functions for setting parhand parameters. The attacker now has control over any of the device’s parhand parameter values. (See the next vulnerability).
  • Step 3: A shell command injection vulnerability (CVE-2018-10660) is then exploited. Some parhand parameters (of type “Shell-Mounted”) end up in configuration files in shell variable assignment format, which are later, included in a service’s init-script that runs as root. Due to step-2, the attacker is able to send unauthenticated requests to set parhand parmetervalues. By doing so, the attacker can now exploit this vulnerability by setting one parameter’s value with special characters which will cause command injection, in order to execute commands as the root user.

The remaining vulnerabilities discovered by VDOO can be exploited by unauthenticated attackers to obtain information from the memory o to trigger a DoS condition.

Axis published a security advisory that includes the complete list of all impacted cameras and the firmware version that address the vulnerabilities.

As part of the same study on the security of IoT devices, researchers at VDOO discovered several vulnerabilities in Foscam cameras.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase