← Advisories

FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) Remote Root Exploit

Critical
Advisory ID
ZSL-2017-5438
Release Date
25 September 2017
Vendor
FLIR Systems, Inc. - http://www.flir.com
Affected Version
Firmware version: 8.0.0.64, Software version: 10.0.2.43, Release: 1.3.4 GA, 1.3.3 GA and 1.3.2
CVE
CVE-2017-20216
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_le, Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082, Nexus Server/2.5.29.0, Nexus Server/2.5.14.0, Nexus Server/2.5.13.0, lighttpd/1.4.28, PHP/5.4.7
Summary

FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks. The PT-Series' precision pan/tilt mechanism gives you accurate pointing control while providing fully programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions. PT-Series cameras define a new standard of performance with five models that provide full 640x480 thermal resolution.

Description

FLIR Camera PT-Series suffers from multiple unauthenticated remote command injection vulnerabilities. The vulnerability exist due to several POST parameters in controllerFlirSystem.php script when calling the execFlirSystem() function not being sanitized when using the shell_exec() PHP function while updating the network settings on the affected device. This allows the attacker to execute arbitrary system commands as the root user and bypass access controls in place.

/maintenance/controllerFlirSystem.php: -------------------------------------- Line 82: Command Injection in 'shell_exec' via '$customDateTime' Line 91: Command Injection in 'shell_exec' via '$dhcpMode' Line 92: Command Injection in 'shell_exec' via '$_GET' Line 100: Command Injection in 'shell_exec' via '$dhcpMode' Line 101: Command Injection in 'shell_exec' via '$dns' Line 108: Command Injection in 'shell_exec' via '$dhcpMode' Line 112: Command Injection in 'shell_exec' via '$interface' Line 115: Command Injection in 'shell_exec' via '$interface' Line 118: Command Injection in 'shell_exec' via '$interface' Line 127: Command Injection in 'shell_exec' via '$_GET' Line 132: Command Injection in 'shell_exec' via '$tz' Line 136: Command Injection in 'shell_exec' via '$_GET' Line 141: Command Injection in 'shell_exec' via '$servers'
Proof of Concept
flir0.shTXT
Disclosure Timeline
23.03.2017Vulnerability discovered.
24.09.2017Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
09.10.2017Vendor released patches to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://blogs.securiteam.com/index.php/archives/3411
[2]https://www.exploit-db.com/exploits/42785/
[3]https://packetstormsecurity.com/files/144321
[4]https://cxsecurity.com/issue/WLB-2017090203
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/132778
[6]http://www.vfocus.net/art/20170926/13876.html
[7]http://seclists.org/fulldisclosure/2017/Sep/60
[8]http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[9]https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[10]https://www.security.nl/posting/532900/
[11]https://ipvm.com/reports/flir-thermal-vuln
[12]https://ipvm.com/reports/security-exploits
[13]http://flir.com/security/blog/details/?ID=87043
[14]http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[15]http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[16]http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_FC-Series-S-and-R-Security-Patch-v1.1.pdf
[17]http://flir.com/uploadedFiles/Security/Support/FLIR_Release_Notes_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[18]http://flir.com/uploadedFiles/Security/Support/FNS_SetupInstructions_F-Series-PT-Series-and-D-Series-Security-Patch-v1.1.pdf
[19]http://www.securitylab.ru/news/488988.php
[20]https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[21]https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
[22]http://securityinfo.it/2017/10/13/backdoor-vulnerabilita-nelle-termocamere-sicurezza-flir/
[23]https://www.hackeye.net/securitytetchnology/appsec/9821.aspx
[24]https://www.cve.org/CVERecord?id=CVE-2017-20216
Changelog
25.09.2017Initial release
10.10.2017Added vendor status and reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14, [15], [16], [17] and [18]
13.10.2017Added reference [19], [20] and [21]
14.10.2017Added reference [22] and [23]
24.03.2026Added reference [24]