Key Information Vulnerability Title: Selex Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure Advisory ID: ZSL-2021-5618 Type: Local/Remote Impact: Exposure of System Information, Exposure of Sensitive Information Risk: (4/5) Release Date: 21.01.2021 Summary The IP camera features Optical Character Recognition (OCR) software for Automatic Number Plate Recognition (ANPR), and is equipped with an ADPR system, enabling it to read Hazard Identification Numbers (HIN, also known as Kemler codes) and United Nations numbers for all vehicles. It captures images at high speed in free-flow mode. TARGA fully accesses and records a large number of vehicles traveling on roads, making it an essential tool for all road authorities. The built-in OCR software operates as an autonomous standalone system, requiring no computer assistance, and continues to function even when the connection between the camera and the control center is interrupted. Description The ANPR camera is vulnerable to an unauthenticated arbitrary file disclosure flaw. Input passed via the download archive page in the repository is improperly validated by the script, and is then used to download files. This vulnerability can be exploited via directory traversal attacks to disclose the contents of arbitrary sensitive files, enabling attackers to leak plaintext credentials and bypass authentication. Vendor Selex s.r.l. - Affected Versions Model: Targo 312, Targa 504, Targa Simplex, Targa 704 TKM, Targa 908, Targa 710 INOX, Targa 750, Targa 904 UBL Firmware: BLD201413005214, BLD201413005265, BLD20030430470901, BLD20030430470514, BLD1911181145436, BLD1911181145435, BLD190221180140, BLD190128180139, CPS: 4.013(201105), 3.002(201005), 3.006(201007), 3.006(191112) Tested On GNU/Linux 3.10.53 (armv7l) PHP 5.4.22 selex_httpd HttpServerV1.1 SelexCgiScriptServer/V1.1 Vendor Status 07.11.2020: Vulnerability discovered. 09.11.2020: Contacted vendor. 09.11.2020: Requested vendor explanation. 09.11.2020: Inquired about vendor security team and explained security submission and risk impact. 10.11.2020: Vendor responded with inquiry details. 11.12.2020: Provided detailed vulnerability report (PoC provided upon request). 14.11.2020: Requested vendor update on status. 18.11.2020: Vendor response: We have reviewed and fixed most of the vulnerabilities you described, which have been patched in the new version of note-taker and will be fixed in the next version of SelexHttpServer software. 10.11.2020: Responded to vendor. 12.11.2020: Requested vendor confirmation of fix. 06.12.2020: Requested vendor status update. 09.12.2020: Vendor in final testing phase for new release, expected release date: end of year. 09.12.2020: Requested vendor status update. 17.01.2021: Requested vendor status update. 20.01.2021: No response from vendor. 21.01.2021: Public security advisory released. PoC selexanpr_1.txt Acknowledgements Vulnerability discovered by Gjoko Krstic - References 1. 2. 3. 4. Change Log [21.01.2021] - Initial release [26.01.2021] - Added references [1], [2], [3], and [4] Contact Zero Science Lab Website: Email: lab@zeroscience.mk