Hacking an Axis Network Camera

submitted by
Style Pass
2024-08-31 20:00:05

This is the first article in a series that primarily deals with topics or problems in the field of cyber security and especially with the vulnerabilities of IoT devices. I got the idea after watching a video of a well-known white hacker recommending people in the field to share their own research and experiences with the community. So, here I am, writing my first article with the hope that the following articles will get better, thanks to your support, of course. So comments and feedback are very welcome.

A total of seven vulnerabilities were discovered by the Israeli start-up VDOO during research [1] focusing on the IP cameras of the manufacturer Axis, and were published in June 2018. However, four of them are not considered critical, although they can be used to crash various system processes and thus make the camera useless. The other three vulnerabilities can be combined to gain control of the camera without needing the login credentials. These three are listed in the MITRE database under the IDs CVE-2018-10660, CVE-2018-10661, and CVE-2018-10662 [2]. I will describe how they work in detail in the following paragraph, as they are used in this experiment. Once the camera is controlled, it can be used for many purposes, such as fetching the video stream, adding it to a botnet, or using it as a network intrusion point to perform a lateral movement attack.

As VDOO explains in its article [1], the Axis cameras use the classic Apache httpd web server for their web interfaces, extended with some modules developed by Axis itself. For example, the module mod_authz_axisgroupfile.so controls access to files from the root folder, while the module mod_trax.so forwards specific requests to various processes for further handling. One such process is the /bin/ssid process, which runs with root privileges and processes files with extensions such as .shtm, .shtml, or .srv. Requests to a world-readable file, followed by a slash and ending with .srv, are treated as standard requests to index.html, and thus access is granted. At the same time, they are also treated as legitimate requests to a .srv path and are therefore processed by a .srv handler. Such a request could look like this: http://IP_CAMERA/index.html/technikum.srv. After receiving the request, Apache httpd parses it and fills the following elements in the request_rec structure with variables according to the following scheme:
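On the defensive side, requests of the shape described above (a file-like path segment followed by extra path ending in .srv, .shtm or .shtml) can be flagged in web-server access logs. The following Python is an added example, not code from the original article or from VDOO; it assumes Apache common/combined log format, and the function names, the sample log lines and the "a segment with an extension is a file" heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the article says are handed to the /bin/ssid process.
HANDLER_EXTS = (".srv", ".shtm", ".shtml")

# Assumed log layout: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_suspicious_path(target: str) -> bool:
    """True when a file-like segment is followed by a segment ending in a handler extension."""
    # Drop the query string, decode %xx (so an encoded %2F slash is caught), fold case.
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2 or not segments[-1].endswith(HANDLER_EXTS):
        return False
    # Heuristic (assumption): a non-final segment carrying an extension is a file,
    # not a directory. strip(".") keeps "." and ".." from counting as files.
    return any("." in seg.strip(".") for seg in segments[:-1])

def scan(lines):
    """Return (source, target, status) for every log line that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_path(m["target"]):
            hits.append((m["src"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2024:20:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [31/Aug/2024:20:01:11 +0000] "GET /index.html/technikum.srv HTTP/1.1" 200 87',
    '198.51.100.7 - - [31/Aug/2024:20:01:12 +0000] "GET /index.html%2Fa.SRV?x=1 HTTP/1.1" 200 87',
    '192.0.2.10 - - [31/Aug/2024:20:02:00 +0000] "GET /admin/status.shtml HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, target, status in scan(SAMPLE_LOG):
        print(f"{src} requested {target} (HTTP {status})")
```

A hit is a lead for investigation rather than proof of compromise; directories whose names contain a dot will produce false positives under this heuristic.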
