FLIR Systems FLIR Thermal Camera F/FC/PT/D Hard-Coded SSH Credentials

Title: FLIR Systems FLIR Thermal Camera F/FC/PT/D Hard-Coded SSH Credentials
Advisory ID: ZSL-2017-5436
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.09.2017
Summary
FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks. The PT-Series' precision pan/tilt mechanism gives you accurate pointing control while providing fully programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions. PT-Series cameras define a new standard of performance with five models that provide full 640x480 thermal resolution.
Description
FLIR utilizes hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the camera.
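A check for accounts of this kind in an unpacked firmware root filesystem, added here as an example and not taken from the advisory or from FLIR. It assumes the image keeps its accounts in standard /etc/passwd and /etc/shadow files (the advisory does not say where the credentials are stored); the account names and hashes in the sample are constructed.

```python
import os
import tempfile

# Shells that prevent an interactive login (an empty shell field means /bin/sh).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(path):
    """Return {name: fields} for a passwd/shadow style file; {} if it is absent."""
    entries = {}
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    fields = line.split(":")
                    entries[fields[0]] = fields
    return entries

def built_in_logins(rootfs):
    """List accounts in an unpacked image that can log in with a password."""
    passwd = parse_colon_file(os.path.join(rootfs, "etc", "passwd"))
    shadow = parse_colon_file(os.path.join(rootfs, "etc", "shadow"))
    findings = []
    for user, f in sorted(passwd.items()):
        if len(f) < 7:
            continue  # malformed entry
        pw, uid, shell = f[1], f[2], f[6]
        if pw == "x":  # real hash lives in /etc/shadow; missing entry = locked
            entry = shadow.get(user, [])
            pw = entry[1] if len(entry) > 1 else "*"
        if shell in NOLOGIN_SHELLS or pw.startswith(("*", "!")):
            continue  # no login shell, or password login is locked
        findings.append((user, uid, "empty password" if pw == "" else "hash set"))
    return findings

def make_sample_rootfs():
    """Build a constructed rootfs (made-up accounts, placeholder hashes)."""
    root = tempfile.mkdtemp(prefix="fw_rootfs_")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "daemon:x:1:1:daemon:/:/sbin/nologin\n"
                 "maint:x:500:500:factory:/home/maint:/bin/sh\n"
                 "guest::501:501:guest:/tmp:/bin/sh\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as fh:
        fh.write("root:$1$PLACEHOLDER$constructedhashvalue00:17000:0:99999:7:::\n"
                 "daemon:*:17000:0:99999:7:::\n"
                 "maint:$1$PLACEHOLDER$constructedhashvalue01:17000:0:99999:7:::\n")
    return root
```

Any account this reports that the device's management interface does not list or let an administrator change is a candidate for the condition described above.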
Vendor
FLIR Systems, Inc. - http://www.flir.com
Affected Version
Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series R
PT-Series (PT-334 200562)
D-Series
F-Series
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vendor Status
[23.03.2017] Vulnerability discovered.
[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
flir_creds.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3411
[2] https://www.exploit-db.com/exploits/42787/
[3] https://packetstormsecurity.com/files/144324
[4] https://cxsecurity.com/issue/WLB-2017090205
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132776
[6] http://seclists.org/fulldisclosure/2017/Sep/60
[7] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[8] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[9] https://www.security.nl/posting/532900/
[10] https://ipvm.com/reports/flir-thermal-vuln
[11] https://ipvm.com/reports/security-exploits
[12] http://flir.com/security/blog/details/?ID=87043
[13] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[14] http://www.securitylab.ru/news/488988.php
[15] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[16] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
[17] https://www.frontlinecybersecurity.com/index.php/social-blog/category-blog/43-thermal-camera-exploit
Changelog
[25.09.2017] - Initial release
[10.10.2017] - Added reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
[13.10.2017] - Added reference [14], [15] and [16]
[13.01.2018] - Added reference [17]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk