Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
FLIR Thermal Camera PT-Series Command Injection Vulnerability Allowing Remote Root Access
Vulnerability
An unauthenticated remote command injection vulnerability has been identified in the FLIR Thermal Camera PT-Series, specifically in the PT-334 model with firmware version 8.0.0.64. The issue arises in the 'controllerFlirSystem.php' script, where unsanitized POST parameters are passed to the 'execFlirSystem()' function. The input reaches PHP's 'shell_exec()' function, so an attacker can execute arbitrary system commands as the root user. The vulnerability was discovered by security researcher Gjoko 'LiquidWorm' Krstic and was acknowledged by FLIR on October 9, 2017, with a patch released for affected users.
Impact
Exploitation of this vulnerability provides attackers with root access to the device, allowing them to execute commands with full administrative privileges.
Reproduction
The vulnerability can be reproduced by sending a crafted POST request to the '/maintenance/controllerFlirSystem.php' endpoint. The request must include specific parameters whose values are interpreted as shell commands. Once the injection succeeds, a reverse shell can be obtained by executing a command that writes a PHP script to the server; that script is then executed via a crafted HTTP request.
Remediation
FLIR has released a security patch for this vulnerability. Instructions for applying the patch can be found in the FLIR Release Notes for the F-Series, PT-Series, and D-Series.
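To check whether a device was targeted before the patch was applied, the request sequence described under Reproduction can be searched for in web logs. The following is an added example, not part of the original advisory or FLIR's tooling: it assumes access logs in combined log format from the camera or an upstream proxy, and the sample lines, addresses and the 'x1.php' file name are constructed.

```python
import re
from datetime import datetime

ENDPOINT = "/maintenance/controllerFlirSystem.php"  # path named in the advisory
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample input (documentation IP ranges, hypothetical file names).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2017:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Oct/2017:08:05:12 +0000] "POST /maintenance/controllerFlirSystem.php HTTP/1.1" 200 31
198.51.100.7 - - [12/Oct/2017:08:05:20 +0000] "GET /maintenance/x1.php HTTP/1.1" 200 0
192.0.2.10 - - [12/Oct/2017:08:06:00 +0000] "GET /index.php?page=live HTTP/1.1" 200 498
not a log line
"""

def parse(lines):
    """Yield (time, client, method, path, status) for each well-formed line."""
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # compare paths without query string
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["method"], path, int(m["status"])

def find_suspicious(lines):
    """Flag POSTs to the endpoint, then first-seen .php files fetched by the same client."""
    findings, seen_php, posters = [], set(), set()
    for ts, ip, method, path, status in sorted(parse(lines)):
        if method == "POST" and path == ENDPOINT:
            posters.add(ip)
            findings.append(("endpoint_post", ip, path, ts.isoformat()))
        elif (path.endswith(".php") and path not in seen_php
              and ip in posters and status == 200):
            # A script nobody requested before the POST now exists and runs.
            findings.append(("new_php_after_post", ip, path, ts.isoformat()))
        if path.endswith(".php"):
            seen_php.add(path)
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines()):
        print(finding)
```

A POST to the endpoint from an address outside the management network is worth investigating on its own; a "new_php_after_post" finding additionally matches the dropped-script step and calls for inspecting the device's web root.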
