The Security Researchers of VDOO found Zero Day Vulnerability in IoT Products.
VDOO is a mission-driven company established to change the face of IoT security, and aims to become the Security Authority (SA) for connected-devices.
Company found vulnerable devices in Axis Security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to Axis security team.
VDOO has published the significant vulnerability in its post,
Impact of Vulnerability?
The following vulnerabilities are showing that it provides remote access to the camera and execute the shell commands with root privileges remotely.
- Access to camera’s video stream
- Freeze the camera’s video stream
- Control the camera – move the lens to a desired point, turn motion detection on/off
- Add the camera to a botnet
- Alter the camera’s software
- Use the camera as an infiltration point for network (performing lateral movement)
- Render the camera useless
- Use the camera to perform other nefarious tasks (DDoS attacks, Bitcoin mining, others)
How This Breach has performed by an Attacker?
Step 1: The attacker uses an authorization bypass vulnerability (CVE-2018-10661). This vulnerability allows the attacker the ability to send unauthenticated HTTP requests that reach the .srv functionality (that handles .srv requests) inside /bin/ssid. Normally, this functionality should only be accessible to administrative users.
Step 2: The attacker then utilizes an interface that allows sending any dbus message to the device’s bus, without restriction (CVE-2018-10662), that is reachable from /bin/ssid’s .srv. Due to the fact that /bin/ssid runs as root, these dbus messages are authorized to invoke most of the system’s dbus-services’ interfaces (that were otherwise subject to a strict authorization policy). The attacker chooses to send dbus messages to one such dbus-service’s interface – PolicyKitParhand, which offers functions for setting parhand parameters. The attacker now has control over any of the device’s parhand parameter values. (See the next vulnerability).
Step 3: A shell command injection vulnerability (CVE-2018-10660) is then exploited. Some parhand parameters (of type “Shell-Mounted”) end up in configuration files in shell variable assignment format, which are later, included in a service’s init-script that runs as root. Due to step-2, the attacker is able to send unauthenticated requests to set parhand parmeter values. By doing so, the attacker can now exploit this vulnerability by setting one parameter’s value with special characters which will cause command injection, in order to execute commands as the root user.
Axis said in the statement,
“Axis strongly recommends end users to update firmware for affected Axis products in a controlled manner. To cost efficiently deploy the upgraded firmware, Axis recommends using the tool Axis Device Manager, which will continuously monitor and notify of available firmware,”
How To Check my Firmware Version?
- Using a web browser, access your camera.
- Enter your username and password
- Click “System” –> “Options” –> “Support” –> “System Overview”.
- Look for the firmware version
You need to Upgrade your Firmware.
