FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures
Advisory ID: ZSL-2017-5434
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, System Access
Risk: (5/5)
Release Date: 25.09.2017
Summary
FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks. The PT-Series' precision pan/tilt mechanism gives you accurate pointing control while providing fully programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions. PT-Series cameras define a new standard of performance with five models that provide full 640x480 thermal resolution.
Description
Input passed through several parameters is not properly verified before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files from local resources.
--------------------------------------------------------------------------------
/var/www/data/controllers/api/xml.php:
--------------------------------------
private function readFile($file)
{
    // $file is only checked for being non-empty and existing; the path is not
    // restricted to any directory before it is read and returned to the client.
    if (!empty($file) && file_exists($file)) {
        $xml = file_get_contents($file);
        $this->setVar('result', $xml);
        $this->loadView('webservices/default');
    }
    else {
        $this->loadPageNotFound();
    }
}
--------------------------------------------------------------------------------
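A hardened counterpart to the readFile() excerpt above, as an added example that is not from the advisory or from FLIR's code: the requested name is resolved with realpath() and served only if it is a regular .xml file inside a fixed base directory. The function name readFileConfined, the base directory and the .xml restriction are assumptions, and the demo files are constructed.

```php
<?php
// Added example (not vendor code). Names and the base directory are assumptions.

/**
 * Return the contents of $file only if it resolves to a regular .xml file
 * located inside $baseDir; return null for anything else.
 */
function readFileConfined($file, $baseDir)
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($file) || $file === ''
        || strpos($file, "\0") !== false) {
        return null;
    }
    // Resolve symlinks and ../ segments before comparing anything.
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Trailing separator stops a sibling such as /base/xml-old from matching.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'xml') {
        return null;
    }
    $data = file_get_contents($real);
    return $data === false ? null : $data;
}

// Constructed demo tree: one permitted file, one file outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('readfile_demo_');
mkdir($root . '/xml', 0700, true);
file_put_contents($root . '/xml/status.xml', '<status>ok</status>');
file_put_contents($root . '/secret.conf', 'password=constructed');

$cases = array('status.xml', '../secret.conf', $root . '/secret.conf', 'missing.xml');
foreach ($cases as $c) {
    $out = readFileConfined($c, $root . '/xml');
    printf("%-12s => %s\n", basename($c), $out === null ? 'rejected' : $out);
}

// Remove the constructed files again.
unlink($root . '/xml/status.xml');
unlink($root . '/secret.conf');
rmdir($root . '/xml');
rmdir($root);
```

Only status.xml is returned; the relative and absolute paths to secret.conf and the missing file all come back as rejected.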
Vendor
FLIR Systems, Inc. - http://www.flir.com
Affected Version
Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series R
PT-Series (PT-334 200562)
D-Series
F-Series
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vendor Status
[23.03.2017] Vulnerability discovered.
[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
flir_info.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3411
[2] https://www.exploit-db.com/exploits/42786/
[3] https://packetstormsecurity.com/files/144322
[4] https://cxsecurity.com/issue/WLB-2017090202
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132774
[6] http://seclists.org/fulldisclosure/2017/Sep/60
[7] http://www.vfocus.net/art/20170926/13877.html
[8] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[9] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[10] https://www.security.nl/posting/532900/
[11] https://ipvm.com/reports/flir-thermal-vuln
[12] https://ipvm.com/reports/security-exploits
[13] http://flir.com/security/blog/details/?ID=87043
[14] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[15] http://www.securitylab.ru/news/488988.php
[16] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[17] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
Changelog
[25.09.2017] - Initial release
[10.10.2017] - Added reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13] and [14]
[13.10.2017] - Added reference [15], [16] and [17]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk