I wasn’t going to post about the recent vulns released about Axis 2100 IP cameras. They are neat vulns which illustrate dangers that XSS and CSRF can bring to devices with web interfaces or how even internal sites can become exploited grounds. I especially like that you can replace a video feed which you always see so effortlessly executed in movies. I really like the vuln where viewing the log files will execute javascript; which reminds me of a recent WS_FTP DoS that works in similar fashion. There are a couple videos out there showing off the exploit. Both links are in the paper (pdf).

No, I wasn’t going to post it because I figured it would get covered well enough anyway. But then I read the paper. And on one of the last pages of the paper is the real meat that made me think, “Aw yeah!” The authors describe how they were able to glean enough information from an Axis development wiki to probably compile their own tools. Whoa, this just went to another level! Axis may not support this particular device anymore, but if people can successfully compile and upload tools into this device, we could see a resurgence of popularity that may mimic (in smaller scale) the popularity of Linksys’ WRT54G wireless router.

I really think Axis could take advantage of this interest and help anyone looking to build tools. I mean that seriously…if they decide to open source it more…