Researchers at VDOO, who disclosed the vulns on Monday, recommended that customers update immediately after finding that more than 400 Axis IP cameras are impacted. Axis deploys a number of cameras, including those for the hotel, industrial and banking industries.
The bugs have not yet been exploited in the field, the researchers said, but up to seven vulnerabilities exist – three of which can be exploited in a specific sequence to enable an attacker to remotely execute shell commands with root privileges.
“Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera,” researchers said in a post.
Through a proof-of-concept (PoC) attack, researchers found that an authorization bypass vulnerability (CVE-2018-10661) exists within the functionality of the camera that sends requests for files ending with certain extensions (.srv) to the /bin/ssid process.
The flaw allows bad actors to send unauthenticated HTTP requests that reach the .srv functionality. This function handles .srv requests and does not require user credentials (normally, this functionality should only be accessible to admin users, researchers note).
From there, “Legitimate requests that reach /bin/ssid’s .srv functionality can choose one of several actions by setting the action parameter in the request’s query-string,” researchers said.
The attacker can essentially then utilize an interface that allows sending any dbus message to the device’s bus. The dbus process is important because the camera system’s daemons communicate by using the dbus Inter-Process Communication mechanism.
This vulnerability (CVE-2018-10662) exists because the authorization mechanism that is intended to limit such requests, PolicyKit, is configured to automatically grant access to requests originating from the root user.
“Due to the fact that /bin/ssid runs as root, these dbus messages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy),” researchers said.
The attacker can send dbus messages to one such interface – PolicyKitParhand, which offers functions for setting parhand parameters. Parhand parameters are responsible for storing, fetching and updating parameters and their values.
The attacker at that point would have control over any of the device’s parhand parameter values, enabling them to leverage a shell command injection vulnerability (CVE-2018-10660).
In this final stage of the attack, the attacker would be able to send unauthenticated requests to set parhand parmeter values. By doing so, the attacker can now exploit this vulnerability by setting one parameter’s value with special characters which will cause command injection.
From there, the attacker can execute commands as the root user.
There are several ways an attacker could first launch an attack, Or Peles, researcher at VDOO, told Threatpost: “In most of cases in which an IP camera is vulnerable to remote code execution, there are a few attack scenarios that can be expected,” he said.
“For cameras that have direct interface with the internet… the attacker would need to find these addresses via internet scanners. Once found – he or she can execute the attack promptly,” said Peles via an emailed interview. “For cameras that are behind routing systems but do have an access in a specific port (via port forwarding), the attacker would need to find this designated port first. For cameras that are behind firewalls or don’t communicate with the internet (but only accessible via the internal network), the attacker would need to penetrate the network first; or the attacker could be an internal employee or some who has access to this specific network and would then need only to obtain the internal IP address of the cameras in question.”
Researchers found three more vulns that they did not detail as part of the attack; these include a bug that allows attackrs to crash the httpd process (CVE-2018-10664), an information leakage vuln in the /bin/ssid process (CVE-2018-10663); and two bugs that can cause the /bin/ssid process to crash (CVE-2018-10658 and CVE-2018-10659).
The security issues are only the latest to hit IoT devices; earlier in June, IP camera manufacturer Foscam urged customers to update their security cameras after researchers found three vulnerabilities in that could enable a bad actor to gain root access knowing only the camera’s IP address.
VDOO researchers noted an array of insecurities that are indicative of issues that many IoT manufacturers face: including lack of privilege separation, lack of proper input sanitization and lack of binary firmware encryption.
To upgrade to the latest firmware, researchers said that customers can use Axis Device Manager, the camera’s web interface or FTP.