FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection

High
Advisory ID: ZSL-2017-5437
Release Date: 25 September 2017
Vendor: FLIR Systems, Inc. - http://www.flir.com
Affected Version: Firmware version: 8.0.0.64, Software version: 10.0.2.43, Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2, FC-Series S (FC-334-NTSC), PT-Series (PT-334 200562)
Tested On: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le, Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082, Nexus Server/2.5.29.0, Nexus Server/2.5.14.0, Nexus Server/2.5.13.0, lighttpd/1.4.28, PHP/5.4.7
Summary

Get the best image detail in challenging imaging environments with the FLIR FC-Series S thermal network camera. The award-winning FC-Series S camera sets the industry standard for high-quality thermal security cameras, ideal for perimeter protection applications. The FC-Series S is capable of replacing multiple visible cameras and any additional lighting and infrastructure needed to support them.

Description

The FLIR FC-S/PT series suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user.

Proof of Concept
Disclosure Timeline
23.03.2017: Vulnerability discovered.
24.09.2017: Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.09.2017: Initial release
10.10.2017: Added reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
13.10.2017: Added reference [14], [15] and [16]
24.03.2026: Added reference [17]