FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures

Title: FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures
Advisory ID: ZSL-2017-5434
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, System Access
Risk: (5/5)
Release Date: 25.09.2017
Summary
FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks. The PT-Series' precision pan/tilt mechanism gives you accurate pointing control while providing fully programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions. PT-Series cameras define a new standard of performance with five models that provide full 640x480 thermal resolution.
Description
Input passed through several parameters is not properly verified before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files from local resources.

--------------------------------------------------------------------------------

/var/www/data/controllers/api/xml.php:
--------------------------------------

private function readFile($file)
{
    // $file is only checked for being non-empty and existing;
    // the path itself is not restricted to any directory.
    if (!empty($file) && file_exists($file)) {
        $xml = file_get_contents($file);
        $this->setVar('result', $xml);
        $this->loadView('webservices/default');
    }
    else {
        $this->loadPageNotFound();
    }
}

--------------------------------------------------------------------------------
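For comparison, a hardened counterpart to the readFile() excerpt above, which canonicalizes the requested path and only serves regular .xml files that resolve inside one base directory. This is an added example, not code from the advisory or from the vendor; the function name readXmlFile, the $baseDir parameter and the demo directory layout are assumptions made for illustration.

```php
<?php
// Added example (not vendor code). readXmlFile, $baseDir and the demo
// files below are hypothetical names chosen for illustration.

// Returns the file contents, or null when the request is empty, does not
// exist, is not a regular *.xml file, or resolves outside $baseDir.
function readXmlFile($file, $baseDir)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($file) || $file === ''
        || strpos($file, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator
    // stops "/data/xml-other" from matching the base "/data/xml".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'xml') {
        return null;
    }
    $data = file_get_contents($real);
    return $data === false ? null : $data;
}

// Constructed demo data in a temporary directory.
$root = sys_get_temp_dir() . '/readxml_demo_' . getmypid();
mkdir($root . '/xml', 0700, true);
file_put_contents($root . '/xml/status.xml', '<status>ok</status>');
file_put_contents($root . '/secret.conf', 'constructed-secret');

$cases = array('status.xml', '../secret.conf', '/etc/passwd', 'missing.xml');
foreach ($cases as $c) {
    $r = readXmlFile($c, $root . '/xml');
    printf("%-16s => %s\n", $c, $r === null ? 'rejected' : $r);
}

// Clean up the constructed files.
unlink($root . '/xml/status.xml');
unlink($root . '/secret.conf');
rmdir($root . '/xml');
rmdir($root);
```

In the demo, only status.xml is returned; the other three requests are rejected because they resolve outside the base directory or do not exist.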

Vendor
FLIR Systems, Inc. - http://www.flir.com
Affected Version
Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series R
PT-Series (PT-334 200562)
D-Series
F-Series
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vendor Status
[23.03.2017] Vulnerability discovered.
[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
flir_info.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3411
[2] https://www.exploit-db.com/exploits/42786/
[3] https://packetstormsecurity.com/files/144322
[4] https://cxsecurity.com/issue/WLB-2017090202
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132774
[6] http://seclists.org/fulldisclosure/2017/Sep/60
[7] http://www.vfocus.net/art/20170926/13877.html
[8] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[9] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[10] https://www.security.nl/posting/532900/
[11] https://ipvm.com/reports/flir-thermal-vuln
[12] https://ipvm.com/reports/security-exploits
[13] http://flir.com/security/blog/details/?ID=87043
[14] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[15] http://www.securitylab.ru/news/488988.php
[16] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[17] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
Changelog
[25.09.2017] - Initial release
[10.10.2017] - Added reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13] and [14]
[13.10.2017] - Added reference [15], [16] and [17]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk