axis2400 webcams

[Martin Eiszner <martin () websec org>]

2002 () WebSec org/Martin Eiszner

==================================
Security REPORT axis webcam 2400.?
==================================

this document: http://www.websec.org/adv/axis2400.txt.html

Product: Axis Webserver for 2400 ??
Vulnerablities: denial of service, information disclosure, non-confirmed script execution
Vendor: Axis (http://www.axis.com)
Vendor-Status: E-Mail to "security () axis com" and "anne.rhenman () axis com" date: 17.01.2003
Vendor-Patch: no response (28.02.2003)

Local: NO
Remote: YES

============
Introduction
============

webcam system including modified boa-webserver and web-based admin-interface ...


=====================
Vulnerability Details
=====================


1) INFORMATION DISCLOSURE

http-requests to:

---*---
http://server/support/messages
---*---

responds with /var/log/messages.
it is not password protected and might disclose sensitive information.


2) DOS / OVERWRITING SYSTEM-FILES
requesting:
---*---
http://server/axis-cgi/buffer/command.cgi?
buffername=X&
prealarm=1&
postalarm=1&
do=start&
uri=/jpg/quad.jpg&
format=[bad input]
---*---

allows an attacker to overwrite important files on the system (all fifos for example)
leading to an effective DOS-attack.


3) ARBITRARY FILE CREATION

a request like:
---*---
/axis-cgi/buffer/command.cgi?whatever params
buffername=[relative path to directory]
format=[relative path to arbitrary file name]
---*---

will create [relative path to arbitrary file name] or [relative path to a. directory]

if somebody is able to change content of error messages he might be able to create
and execute arbitrary script-files(php fE.).


severity: LOW-MEDIUM


=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch.


EOF Martin Eiszner / @2002WebSec.org
=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna

Austria / EUROPE

mei () websec org
http://www.websec.org