CVE-2018-9156 in P1354info

Summary

by MITRE

** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.


Analysis

by VulDB Data Team • 08/05/2024

CVE-2018-9156 affects AXIS P1354 IP cameras running firmware version 5.90.1.1 and concerns the device's web file upload functionality. The upload handler on the fileUpload.shtml page performs no file type verification, so a user can upload an arbitrary file carrying the .shtml extension. Such files are processed by the Apache HTTP Server's mod_include module, which turns the upload into a path to remote code execution through server-side include (SSI) directives.

Exploitation relies on mod_include's "<!--#exec cmd=" directive, which runs a shell command on the server when the containing .shtml file is served, so an uploaded .shtml file carrying such a directive is interpreted the moment it is requested through the web server. According to the original report, the file must also contain a specific string to fit the device's internal system architecture, so some knowledge of the platform is needed beyond the upload itself. The weakness is classified as CWE-434 (unrestricted upload of a file with a dangerous type) and is closely related to CWE-94 (code injection), where insufficiently validated input ends up being executed as code.

The operational impact is severe: a successfully uploaded webshell gives complete remote code execution on the device. From it, an attacker can run arbitrary system commands, such as listing directory contents, testing network connectivity, and reading system files including sensitive configuration data, and may be able to escalate privileges within the device's operating environment. Beyond unauthorized access to the camera itself, this enables persistent access, reconnaissance, and use of the compromised device as a pivot point against other systems on the same network. In ATT&CK terms this corresponds to T1059 (Command and Scripting Interpreter) and, for persistence and access, T1078 (Valid Accounts).

The vendor's position that this is intended functionality raises significant concerns about the device's security posture and suggests the capability was shipped without proper access controls around it. That designation conflicts with standard security practice and with what is expected of networked security devices, particularly surveillance equipment, where unauthorized access can compromise the entire security infrastructure the device is meant to protect. Organizations should treat the issue as a critical threat requiring immediate attention regardless of the vendor's classification, since the potential for abuse far outweighs any legitimate use of such functionality.

Mitigation should start with network segmentation of affected devices and network access controls that restrict who can reach the device's web interface, combined with intrusion detection that monitors for suspicious file upload activity. Organizations should also disable web server modules that are not needed (mod_include's exec support in particular), enforce strict file type validation on uploads, and assess the network for other devices with the same exposure. This approach follows the principle of least privilege and established practice for securing networked devices, including regular firmware updates and continuous security monitoring.
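The two controls named above, strict file type validation on uploads and detection of suspicious upload activity, are illustrated here as an added example; this is not code from the VulDB entry, from Axis firmware, or from the original report. The allowlist in ALLOWED_TYPES, the INTERPRETED_SEGMENTS set, the assumption that the upload page lives at /fileUpload.shtml, the function names validate_upload and detect_upload_abuse, and the log lines in SAMPLE_LOG are all constructed for the example. The validator rejects files whose name contains a server-interpreted extension segment, whose bytes do not match the claimed type, or whose content carries any mod_include directive (the "<!--#exec cmd=" directive from the advisory among them); the detector correlates a successful POST to the upload page with a later fetch of an .shtml path by the same client, which is the access pattern the advisory describes.

```python
import re
from dataclasses import dataclass

# Upload allowlist (assumed for this example): extension -> accepted magic-byte prefixes.
ALLOWED_TYPES: dict[str, tuple[bytes, ...]] = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Extension segments a web server may hand to an interpreter. Apache's mod_mime
# honours every dotted segment, so "image.shtml.jpg" is checked segment by segment.
INTERPRETED_SEGMENTS = {"shtml", "shtm", "php", "cgi", "pl"}

# mod_include directives; "<!--#exec" is the one named in the advisory text.
SSI_DIRECTIVE = re.compile(
    rb"<!--\s*#\s*(exec|include|set|echo|config|printenv)\b", re.IGNORECASE
)


@dataclass
class UploadVerdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, content: bytes) -> UploadVerdict:
    """Accept only allowlisted types whose bytes match and that carry no SSI directives."""
    name = filename.strip().lower()
    if not name or "/" in name or "\\" in name or ".." in name:
        return UploadVerdict(False, "path separator or traversal in filename")
    segments = name.split(".")[1:]  # every extension segment after the base name
    bad = [s for s in segments if s in INTERPRETED_SEGMENTS]
    if bad:
        return UploadVerdict(False, f"server-interpreted extension .{bad[0]} rejected")
    ext = "." + segments[-1] if segments else ""
    if ext not in ALLOWED_TYPES:
        return UploadVerdict(False, f"extension {ext or '<none>'} not in allowlist")
    magics = ALLOWED_TYPES[ext]
    if magics and not any(content.startswith(m) for m in magics):
        return UploadVerdict(False, f"content does not match the {ext} signature")
    found = SSI_DIRECTIVE.search(content)
    if found:
        return UploadVerdict(False, f"SSI directive #{found.group(1).decode()} found in content")
    return UploadVerdict(True, "accepted")


# Apache combined-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/fileupload.shtml"  # assumed location of the device's upload page


def detect_upload_abuse(lines: list[str]) -> list[tuple[str, str]]:
    """Flag successful POSTs to the upload page and any later .shtml fetch by the same client."""
    uploaders: set[str] = set()
    alerts: list[tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0].lower()
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT) and status.startswith("2"):
            uploaders.add(ip)
            alerts.append((ip, f"successful upload request to {path}"))
        elif ip in uploaders and method == "GET" and path.endswith(".shtml"):
            alerts.append((ip, f"fetch of server-parsed page {path} after upload"))
    return alerts


# Constructed sample log lines (not real device logs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2018:10:00:01 +0000] "POST /fileUpload.shtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Apr/2018:10:00:05 +0000] "GET /uploads/cam.shtml HTTP/1.1" 200 1024 "-" "curl/7.58.0"',
    '192.0.2.11 - - [01/Apr/2018:10:01:00 +0000] "GET /index.shtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Apr/2018:10:01:02 +0000] "GET /view/image.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    samples = [
        ("snapshot.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("snapshot.shtml", b"<html></html>"),
        ("snapshot.jpg", b"\xff\xd8\xff\xe0<!--#exec cmd=\"ls\" -->"),
    ]
    for fn, data in samples:
        print(fn, validate_upload(fn, data))
    for alert in detect_upload_abuse(SAMPLE_LOG):
        print(alert)
```

The content scan matters even with an allowlist, because the name check alone says nothing about what the server will do with the bytes. On the server side, the same risk is reduced independently of upload validation by serving uploaded files from a directory with `Options -Includes`, or by using `Options IncludesNOEXEC` so that mod_include still processes SSI pages but refuses the exec directive.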

Reservation

03/31/2018

Disclosure

04/01/2018

Moderation

accepted

CPE

ready

EPSS

0.01889

KEV

no

Activities

very low

Sources
