[23420] in bugtraq
Re: Axis Network Camera known default password vulnerability
daemon@ATHENA.MIT.EDU (Joacim Tullberg)
Thu Dec 6 23:01:02 2001
Date: 6 Dec 2001 13:53:53 -0000
Message-ID: <20011206135353.30911.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Joacim Tullberg <joacim@axis.com>
To: bugtraq@securityfocus.com
In-Reply-To: <3C0E5357.1080105@realwarp.net>

We have over the years tried many different methods to encourage users to change the default root password immediately after installation of an Axis Network Camera or Video Server. The majority of users obviously change their passwords but there are of course those that do not.

Below I have listed some of the things we have tried over the years:

- Force change of password prior to making the unit fully operational.
Result: Significant number of support requests due to forgotten passwords.

- Password protection enabled from start with default password, the most basic method, currently used in Axis 200+ & 200 Network Cameras.
Result: Support calls requesting the default password. (Though clearly stated in the installation guide)

- An option worth considering is to have a unique default password for each device, printed on a sticker. We have not tried this in real life but I believe the result would be - Support requests for the default password, a question we would not be able to answer and worse, it would also mean that: a forgotten password and a lost sticker would make the unit useless.

We welcome all suggestions on how we may improve the default password handling procedure and increase the security of our Network Camera and Video Server product. If you have any suggestions, please tell us.

Best Regards,
Joacim Tullberg
Product Group Manager,
Network Cameras & Video Servers
Axis Communications

>Axis Network Camera known default password vulnerability
>by Chris Gragsone
>Foot Clan
>
>Date: November 17, 2001
>Advisory ID: Foot-20011117
>Impact of vulnerability: Default Password
>Exploitable: Remotely
>Maximum Risk: Moderate
>
>Affected Software:
>Axis Network Camera 2120
>Axis Network Camera 2110
>Axis Network Camera 2100
>Axis Network Camera 200+
>Axis Network Camera 200
>
>Vulnerability Description:
>
>Axis Network Camera is an embedded system that connects a camera
>directly to the network. With data rates up to 25 frames a second and
>motion detection. It could be used as a web cam, or for security. This
>network camera could also be used as part of an IP-Surveillance system,
>critical to a site's infrastructure.
>
>During installation of Axis Network Camera, the administrator is not
>prompted for the password for the root account. If the camera is left
>improperly configured, the attacker could connect to the device remotely
>and obtain administrative access, and reconfigure or interrupt the camera.
>
>Vulnerability:
>Log into any Axis Network Camera via ftp, telnet, or http
>Default account: root
>Default password: pass
>
>References:
>http://www.axis.com/product/camera_servers/index.html
>http://www.axis.com/solutions/cam_vid/surveillance/index.html
>Contact:
>http://footclan.realwarp.net Chris Gragsone (maetrics@realwarp.net)
>
>Disclaimer:
>The contents of this advisory are copyright (c)2001 Foot Clan and may be
>distributed freely provided that no fee is charged for this distribution
>and proper credit is given.
>
>