CVE-2015-8257
Published 2017-05-02
Priority: P2 (70, high); CVSS 3.0 base score 8.8
Exploit: public exploit available (see references)
EPSS: 17.69% (96.8th percentile)
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to AXIS camera web interfaces targeting the four vulnerable SHTML endpoints (app_license.shtml, app_license_custom.shtml, app_index.shtml, app_params.shtml) with an 'app' parameter containing URL-encoded shell metacharacters such as %3B (semicolon) to detect command injection attempts.
- Detect process execution of devtools.sh invoked via '/bin/sh -c' on AXIS devices, particularly when the argument contains unexpected characters beyond a simple application name, indicating shell injection.
- Alert on HTTP GET requests to AXIS camera endpoints where the 'app' query parameter contains URL-encoded metacharacters (%3B, %20, %7C, %26, etc.) indicative of OS command injection via shell metacharacters.
- The vulnerable script passes user input unsanitized to shell functions including confvariable(), which uses eval — look for process trees where devtools.sh spawns unexpected child processes (e.g., cat, wget, nc) as root.
- Exploitation requires prior authentication — the vulnerability is only reachable by remote authenticated users, reducing the attack surface to compromised or default credentials.
- The firmware hashes provided are MD5 hashes of the full firmware images for affected products; they can be used to confirm whether a specific firmware binary contains the vulnerable devtools.sh script, but do not directly hash the script itself.
- The vulnerability is triggered through BusyBox running with root privileges on all affected binaries and scripts, meaning successful exploitation yields root-level command execution.
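The first three detection items above describe one HTTP-level signal (an 'app' parameter on the four SHTML endpoints that is not a plain application name) and the second item a process-level signal (devtools.sh started through '/bin/sh -c' with extra characters in its argument). The following Python is an added example written for this page, not code from AXIS or from any of the cited sources. It assumes Apache/nginx combined log format for the access log, assumes devtools.sh is normally invoked as `devtools.sh <subcommand> <app>` (the page does not give the exact argument layout), and uses an allowlist for application names rather than a metacharacter blocklist, so '%20', '%7C' and '%26' are caught along with '%3B'. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The four endpoints named in the CVE description.
VULNERABLE_ENDPOINTS = (
    "app_license.shtml",
    "app_license_custom.shtml",
    "app_index.shtml",
    "app_params.shtml",
)

# Allowlist for a legitimate application name: letters, digits, dot, underscore,
# dash. Anything else (';', '|', '&', space, quotes, ...) is treated as suspect.
APP_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Combined log format, Apache/nginx default layout (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines: one benign request, one injection attempt on a
# vulnerable endpoint, one request with metacharacters on an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - admin [02/May/2017:10:00:01 +0000] "GET /admin/app_index.shtml?app=myapp HTTP/1.1" 200 512',
    '10.0.0.9 - admin [02/May/2017:10:00:07 +0000] "GET /admin/app_license.shtml?app=myapp%3Bid HTTP/1.1" 200 77',
    '10.0.0.9 - admin [02/May/2017:10:00:09 +0000] "GET /axis-cgi/param.cgi?action=list%3B HTTP/1.1" 200 300',
]


def suspicious_app_values(target: str) -> list[str]:
    """Return the percent-decoded 'app' values that are not plain application
    names, for a request target hitting one of the vulnerable endpoints.
    Returns [] for other endpoints, so metacharacters elsewhere are ignored."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_ENDPOINTS):
        return []
    # parse_qs percent-decodes, so %3B arrives here as ';' and %20 as ' '.
    values = parse_qs(parts.query, keep_blank_values=True).get("app", [])
    return [v for v in values if not APP_NAME_RE.fullmatch(v)]


def scan_access_log(lines) -> list[dict]:
    """Parse combined-format access log lines and return one finding per
    request whose 'app' parameter looks like a command injection attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than abort the scan
        bad = suspicious_app_values(m["target"])
        if bad:
            findings.append({
                "src": m["src"],
                "user": m["user"],
                "ts": m["ts"],
                "target": m["target"],
                "app": bad,
            })
    return findings


def suspicious_devtools_invocation(argv: list[str]) -> bool:
    """Process-level check: True when a shell is asked to run devtools.sh and
    any token after the script name is not a plain application name, which
    means the 'app' value reached the shell unescaped."""
    if len(argv) < 3 or not argv[0].endswith("sh") or argv[1] != "-c":
        return False
    m = re.match(r"^\S*devtools\.sh\s+(.*)$", argv[2].strip())
    if not m:
        return False
    tokens = m.group(1).split()
    return not all(APP_NAME_RE.fullmatch(tok) for tok in tokens)


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("HTTP injection attempt:", finding)
    cmd = ["/bin/sh", "-c", "/usr/bin/devtools.sh license myapp;id"]
    print("process check:", suspicious_devtools_invocation(cmd))
```

Run against a real access log, the scanner flags only requests on the four endpoints, so a semicolon in some other CGI parameter does not generate noise; the process check is meant to be fed the argv of sh processes spawned by the web server, as the second detection item suggests.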
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
References
- http://packetstormsecurity.com/files/138083/AXIS-Authenticated-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/92159
- https://www.exploit-db.com/exploits/40171/