FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection
Advisory ID: ZSL-2017-5437
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.09.2017
Summary
Get the best image detail in challenging imaging environments with the FLIR FC-Series S thermal network camera. The award-winning FC-Series S camera sets the industry standard for high-quality thermal security cameras, ideal for perimeter protection applications. The FC-Series S is capable of replacing multiple visible cameras and any additional lighting and infrastructure needed to support them.
Description
FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user.
Vendor
FLIR Systems, Inc. - http://www.flir.com
Affected Version
Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
PT-Series (PT-334 200562)
Tested On
Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vendor Status
[23.03.2017] Vulnerability discovered.
[24.09.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
flir_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3411
[2] https://www.exploit-db.com/exploits/42788/
[3] https://packetstormsecurity.com/files/144325
[4] https://cxsecurity.com/issue/WLB-2017090207
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/132777
[6] http://seclists.org/fulldisclosure/2017/Sep/60
[7] http://www.securityweek.com/flaws-expose-flir-thermal-cameras-remote-attacks
[8] https://securityintelligence.com/news/thermal-security-camera-flaws-could-let-cybercriminals-launch-remote-attacks/
[9] https://www.security.nl/posting/532900/
[10] https://ipvm.com/reports/flir-thermal-vuln
[11] https://ipvm.com/reports/security-exploits
[12] http://flir.com/security/blog/details/?ID=87043
[13] http://securityaffairs.co/wordpress/64077/hacking/flir-thermal-camera-exploit.html
[14] http://www.securitylab.ru/news/488988.php
[15] https://www.tad.bg/en/post/backdoor-accounts-found-in-flir-thermal-security-cameras
[16] https://www.bleepingcomputer.com/news/software/researcher-finds-unremovable-backdoor-accounts-in-flir-thermal-security-cameras/
Changelog
[25.09.2017] - Initial release
[10.10.2017] - Added reference [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
[13.10.2017] - Added reference [14], [15] and [16]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk