Source
Zero Science Lab
The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
The transmitter is suffering from a Denial of Service (DoS) scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway.
The device allows an unauthenticated attacker to bypass authentication and modify the Cookie to reveal hidden pages that allows more critical operations to the transmitter.
The application suffers from a privilege escalation vulnerability. An attacker can escalate his privileges by poisoning the Cookie from GUEST to ADMIN to effectively become Administrator or poisoning to ZSL to become Super Administrator.
The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.
The transmitter is vulnerable to an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except 'NO' to the Login Cookie and have full system access.
The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access.
The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access.
The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly.
An unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.