Sielco PolyEco Digital FM Transmitter 2.0.6 Cookie Brute Force
Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from a cookie brute forcing vulnerability that can allow for session hijacking.
Sielco PolyEco Digital FM Transmitter 2.0.6 'polyeco' Session Hijacking

Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
                  PolyEco1000 CPU:1.9.4 FPGA:10.19
                  PolyEco1000 CPU:1.9.3 FPGA:10.19
                  PolyEco500 CPU:1.7.0 FPGA:10.16
                  PolyEco300 CPU:2.0.2 FPGA:10.19
                  PolyEco300 CPU:2.0.0 FPGA:10.19

Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).

All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.

Desc: The 'polyeco' cookie is of insufficient length and can be
brute forced, which may allow a remote attacker to obtain
a valid session, bypass authentication and manipulate the transmitter.
The session value is also visible in an HTTP GET request, and SSL
is not in use, allowing MitM attacks.

Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2023-5763
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5763.php

26.01.2023

--

# Session values (len=5)

Cookie: polyeco=23770
Cookie: polyeco=12397
Cookie: polyeco=54689
...

# GET request for login (user:1234)

http://RADIOFM/login.cgi?user=user&password=c494fe7ab21e23e456a89d5a09828a10&id=14810

The hash = password + id = 123414810, md5(123414810) = c494fe7ab21e23e456a89d5a09828a10

Once authenticated, Cookie: polyeco=14810
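
Added example (not part of the original advisory or vendor code): because the 'polyeco' value is only five characters long and the device speaks plain HTTP, a defender who places the transmitter behind a logging reverse proxy can watch for one client presenting many distinct cookie values in a short window. The log format, sample lines, thresholds and the function name find_cookie_guessing are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque

# Hypothetical proxy log format (constructed for this example):
#   <epoch-seconds> <client-ip> "<request line>" <status> "<Cookie header>"
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<ip>\S+) "[^"]*" \d{3} "(?P<cookie>[^"]*)"$')
COOKIE_RE = re.compile(r'(?:^|;\s*)polyeco=([^;\s]+)')

def find_cookie_guessing(lines, window=60, max_distinct=3):
    """Return {client_ip: peak count of distinct polyeco values seen within
    `window` seconds} for every client whose count exceeds `max_distinct`.
    A browser holds one session value at a time, so many distinct values
    from one source in a short window indicate guessing."""
    recent = defaultdict(deque)      # ip -> (timestamp, cookie value) pairs
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        c = COOKIE_RE.search(m["cookie"]) if m else None
        if not c:
            continue                 # unparseable line or no polyeco cookie
        ts, ip = int(m["ts"]), m["ip"]
        q = recent[ip]
        q.append((ts, c.group(1)))
        while q[0][0] < ts - window: # drop entries older than the window
            q.popleft()
        distinct = len({value for _, value in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: one operator session, one client cycling cookie values,
# then the operator logging in again an hour later with a new session value.
SAMPLE_LOG = (
    ['1674730000 192.0.2.10 "GET / HTTP/1.1" 200 "polyeco=14810"',
     '1674730030 192.0.2.10 "GET / HTTP/1.1" 200 "polyeco=14810"']
    + [f'{1674730100 + i} 198.51.100.7 "GET / HTTP/1.1" 403 "polyeco={23770 + i}"'
       for i in range(8)]
    + ['1674733600 192.0.2.10 "GET / HTTP/1.1" 200 "polyeco=12397"'])

if __name__ == "__main__":
    for ip, n in find_cookie_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct polyeco values within 60 s")
```

The operator's second login is not flagged because its earlier session value has aged out of the window by then; only the client that cycles values is reported.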