2002@WebSec.org/Martin Eiszner

==================================
Security REPORT axis webcam 2400.?
==================================

this document: http://www.websec.org/adv/axis2400.txt.html

Product:          Axis Webserver for 2400 ??
Vulnerabilities:  denial of service, information disclosure, non-confirmed script execution
Vendor:           Axis (http://www.axis.com)
Vendor-Status:    E-Mail to "security@axis.com" and "anne.rhenman@axis.com" date: 17.01.2003
Vendor-Patch:     no response (28.02.2003)

Local:            NO
Remote:           YES

============
Introduction
============

Webcam system including a modified boa-webserver and a web-based admin-interface ...

=====================
Vulnerability Details
=====================

1) INFORMATION DISCLOSURE

HTTP requests to:

---*---
http://server/support/messages
---*---

respond with /var/log/messages.
It is not password protected and might disclose sensitive information.

2) DOS / OVERWRITING SYSTEM-FILES

Requesting:

---*---
http://server/axis-cgi/buffer/command.cgi?
buffername=X&
prealarm=1&
postalarm=1&
do=start&
uri=/jpg/quad.jpg&
format=[bad input]
---*---

allows an attacker to overwrite important files on the system (all fifos, for example), leading to an effective DOS-attack.

3) ARBITRARY FILE CREATION

A request like:

---*---
/axis-cgi/buffer/command.cgi?whatever params
buffername=[relative path to directory]
format=[relative path to arbitrary file name]
---*---

will create [relative path to arbitrary file name] or [relative path to a. directory].

If somebody is able to change the content of error messages, he might be able to create and execute arbitrary script files (PHP, for example).

severity: LOW-MEDIUM

=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch.

EOF Martin Eiszner / @2002WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org
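
A log-review sketch for the three request patterns listed under Vulnerability Details, added here as an example; it is not part of the original advisory or any Axis tooling. It assumes the web server writes access logs in Common Log Format; the sample lines, addresses and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; Common Log Format and all values are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2003:10:00:01 +0100] "GET /jpg/quad.jpg HTTP/1.0" 200 20480',
    '192.0.2.44 - - [01/Mar/2003:10:00:07 +0100] "GET /support/messages HTTP/1.0" 200 8121',
    '192.0.2.44 - - [01/Mar/2003:10:00:19 +0100] "GET /axis-cgi/buffer/command.cgi'
    '?buffername=X&prealarm=1&postalarm=1&do=start&uri=/jpg/quad.jpg'
    '&format=..%2Fplaceholder HTTP/1.0" 200 31',
    '192.0.2.44 - - [01/Mar/2003:10:00:25 +0100] "GET /axis-cgi/buffer/command.cgi'
    '?buffername=..%2Fplaceholder&do=start&format=X HTTP/1.0" 200 31',
    '192.0.2.10 - - [01/Mar/2003:10:01:02 +0100] "GET /axis-cgi/buffer/command.cgi'
    '?buffername=X&do=start&uri=/jpg/quad.jpg&format=X HTTP/1.0" 200 31',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
PATH_MARKERS = ("/", "\\", "..")  # a value containing these names a path, not a token


def classify(line):
    """Return a finding label (hypothetical names) for one log line, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path == "/support/messages":
        # Item 1: the system log is served without authentication.
        return "log-disclosure"
    if url.path == "/axis-cgi/buffer/command.cgi":
        # Items 2 and 3: buffername/format carrying a relative path.
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for name in ("buffername", "format"):
            for value in params.get(name, []):
                if any(marker in value for marker in PATH_MARKERS):
                    return "path-in-" + name
    return None


def scan(lines):
    """Return (1-based line number, finding) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        finding = classify(line)
        if finding:
            hits.append((number, finding))
    return hits


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```

The same path-marker test can serve as an input filter on a reverse proxy placed in front of the camera, since the advisory reports no vendor patch.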