Axis Webcam DOS

[28.02.03] Axis Webcam DOS

==================================

Security REPORT axis webcam 2400.?

==================================

Product: Axis Webserver for 2400 ??

Vulnerablities: denial of service, information disclosure, non-confirmed script execution

Vendor: Axis (http://www.axis.com)

Vendor-Status: security@axis.com/anne.rhenman@axis.com 20.01.2003

Vendor-Patch: no Response yet (pretty old product)

Local: NO

Remote: YES

============

Introduction

============

webcam system including modified boa-webserver and web-based admin-interface ...

 

=====================

Vulnerability Details

=====================

 

1) INFORMATION DISCLOSURE

http-requests to:

---*---

server/support/messages

---*---

responds with /var/log/messages.

it is not password protected and might disclose sensitive information.

 

2) DOS / OVERWRITING SYSTEM-FILES

requesting:

---*---

server/axis-cgi/buffer/command.cgi?

buffername=X&

prealarm=1&

postalarm=1&

do=start&

uri=/jpg/quad.jpg&

format=[bad input]

---*---

allows an attacker to overwrite important files on the system (all fifos for example)

leading to an effective DOS-attack.

 

3) ARBITRARY FILE CREATION

a request like:

---*---

/axis-cgi/buffer/command.cgi?whatever params

buffername=[relative path to directory]

format=[relative path to arbitrary file name]

---*---

will create [relative path to arbitrary file name] or [relative path to a. directory]

if somebody is able to change content of error messages he might be able to create

and execute arbitrary script-files(php fE.).

 

severity: LOW-MEDIUM

 

=======

Remarks

=======

---

====================

Recommended Hotfixes

====================

software patch.

 

EOF Martin Eiszner / @2002WebSec.org

 

=======

Contact

=======

SEC Consult Unternehmensberatung GmbH / Martin Eiszner

Blindengasse 3

1080 Vienna

Austria / EUROPE

m dot eiszner at sec-consult dot com

www.sec-consult.com