Axis Network Camera known default password vulnerability

[Chris Gragsone <maetrics () realwarp net>]

Axis Network Camera known default password vulnerability
by Chris Gragsone
Foot Clan

Date: November 17, 2001
Advisory ID: Foot-20011117
Impact of vulnerability: Default Password
Exploitable: Remotely
Maximum Risk: Moderate

Affected Software:
Axis Network Camera 2120
Axis Network Camera 2110
Axis Network Camera 2100
Axis Network Camera 200+
Axis Network Camera 200

Vulnerability Description:

Axis Network Camera is an embedded system that connects a camera 
directly to the network. With data rates up to 25 frames a second and 
motion detection. It could be used as a web cam, or for security. This 
network camera could also be used as part of an IP-Surveillance system, 
critical to a site's infrastructure.

During installation of Axis Network Camera, the administrator is not 
prompted for the password for the root account. If the camera is left 
improperly configured, the attacker could connect to the device remotely 
and obtain administrative access, and reconfigure or interrupt the camera.

Vulnerability:
Log into any Axis Network Camera via ftp, telnet, or http
Default account: root
Default password: pass

References:
http://www.axis.com/product/camera_servers/index.html 
http://www.axis.com/solutions/cam_vid/surveillance/index.html
Contact:
http://footclan.realwarp.net Chris Gragsone (maetrics () realwarp net)

Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be 
distributed freely provided that no fee is charged for this distribution 
and proper credit is given.