Tested the viewing of http://server/log/messages on Axis 2100 model, and it is vulnerable.

Didn't try to check the overwrite vulnerability - I'd rather not, just in case. :)

Barry Zubel
Able Packaging Designs Ltd

***************************************************************************
This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software. Thank you for your cooperation.

Please note that any opinions expressed in this e-mail are those of the author personally and are not necessarily those of the Company or any of its subsidiary companies, none of whom accept responsibility for the contents of the message.

This footnote also confirms that this email message has been swept for the presence of computer viruses.
***************************************************************************

-----Original Message-----
From: Martin Eiszner [mailto:martin@websec.org]
Sent: 28 February 2003 09:46
To: bugtraq@securityfocus.com
Subject: axis2400 webcams

2002@WebSec.org/Martin Eiszner

==================================
Security REPORT axis webcam 2400.?
==================================

this document: http://www.websec.org/adv/axis2400.txt.html

Product: Axis Webserver for 2400 ??
Vulnerabilities: denial of service, information disclosure, non-confirmed script execution
Vendor: Axis (http://www.axis.com)
Vendor-Status: E-Mail to "security@axis.com" and "anne.rhenman@axis.com"
date: 17.01.2003
Vendor-Patch: no response (28.02.2003)

Local: NO
Remote: YES

============
Introduction
============

webcam system including modified boa-webserver and web-based admin-interface ...

=====================
Vulnerability Details
=====================

1) INFORMATION DISCLOSURE

http-requests to:

---*---
http://server/support/messages
---*---

responds with /var/log/messages. it is not password protected and might disclose sensitive information.

2) DOS / OVERWRITING SYSTEM-FILES

requesting:

---*---
http://server/axis-cgi/buffer/command.cgi?
buffername=X&
prealarm=1&
postalarm=1&
do=start&
uri=/jpg/quad.jpg&
format=[bad input]
---*---

allows an attacker to overwrite important files on the system (all fifos for example) leading to an effective DOS-attack.

3) ARBITRARY FILE CREATION

a request like:

---*---
/axis-cgi/buffer/command.cgi?whatever params
buffername=[relative path to directory]
format=[relative path to arbitrary file name]
---*---

will create [relative path to arbitrary file name] or [relative path to a. directory]

if somebody is able to change content of error messages he might be able to create and execute arbitrary script-files(php fE.).

severity: LOW-MEDIUM

=======
Remarks
=======

---

====================
Recommended Hotfixes
====================

software patch.

EOF Martin Eiszner / @2002WebSec.org

=======
Contact
=======

WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org
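
A log check for the request patterns described in this thread, added here as an example; it is not part of the advisory or the reply. It assumes the front-end proxy or web server writes Common Log Format lines and that legitimate buffername/format values are plain tokens; the function names classify and scan and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths named on this page: the advisory's /support/messages and the
# /log/messages path quoted in the reply.
LOG_PATHS = {"/support/messages", "/log/messages"}
BUFFER_CGI = "/axis-cgi/buffer/command.cgi"
# Assumption: legitimate buffername/format values are plain tokens, so any
# path separator or ".." in them is worth an alert.
PATH_LIKE = re.compile(r"[/\\]|\.\.")
# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(target):
    """Return the findings for one request target (path plus query)."""
    parts = urlsplit(target)
    findings = []
    if parts.path in LOG_PATHS:
        findings.append("log-disclosure")
    if parts.path == BUFFER_CGI:
        # parse_qs percent-decodes values, so %2e%2e%2f is caught as well.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in ("buffername", "format"):
            if any(PATH_LIKE.search(v) for v in params.get(name, [])):
                findings.append("path-in-" + name)
    return findings


def scan(lines):
    """Yield (client, target, findings) for each suspicious log line."""
    for line in lines:
        m = REQUEST.search(line)
        if m and (found := classify(m.group(1))):
            yield line.split()[0], m.group(1), found


# Constructed sample lines, not taken from a real device.
SAMPLE = [
    '192.0.2.10 - - [28/Feb/2003:09:46:00 +0000] "GET /support/messages HTTP/1.0" 200 5120',
    '192.0.2.11 - - [28/Feb/2003:09:47:00 +0000] "GET /axis-cgi/buffer/command.cgi?buffername=X&prealarm=1&postalarm=1&do=start&uri=/jpg/quad.jpg&format=jpg HTTP/1.0" 200 12',
    '192.0.2.12 - - [28/Feb/2003:09:48:00 +0000] "GET /axis-cgi/buffer/command.cgi?buffername=X&do=start&format=%2e%2e%2ftmp%2fx HTTP/1.0" 200 12',
]

if __name__ == "__main__":
    for client, target, found in scan(SAMPLE):
        print(client, found, target)
```

The same two conditions can serve as deny rules on a reverse proxy placed in front of the camera until a vendor patch is available.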