Screen SFT DAB 600/C Authentication Bypass Password Change Exploit
Title: Screen SFT DAB 600/C Authentication Bypass Password Change Exploit
Advisory ID: ZSL-2023-5772
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass
Risk: (4/5)
Release Date: 13.05.2023
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
MontaVista® Linux® Carrier Grade eXpress (CGX)
[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.
[2] https://www.exploit-db.com/exploits/51456
[3] https://packetstormsecurity.com/files/172327/
[12.10.2023] - Added reference [2] and [3]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2023-5772
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass
Risk: (4/5)
Release Date: 13.05.2023
Summary
Screen's new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.Description
The application suffers from a weak session management that can allow an attacker on the same network to bypass these controls by reusing the same IP address assigned to the victim user (NAT) and exploit crucial operations on the device itself. By abusing the IP address property that is binded to the Session ID, one needs to await for such an established session and issue unauthorized requests to the vulnerable API to manage and/or manipulate the affected transmitter.Vendor
DB Elettronica Telecomunicazioni SpA - https://www.screen.it | https://www.dbbroadcast.comAffected Version
Firmware: 1.9.3Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
Tested On
Keil-EWEB/2.1MontaVista® Linux® Carrier Grade eXpress (CGX)
Vendor Status
[19.03.2023] Vulnerability discovered.[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.
PoC
screen_pwdchg.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php[2] https://www.exploit-db.com/exploits/51456
[3] https://packetstormsecurity.com/files/172327/
Changelog
[13.05.2023] - Initial release[12.10.2023] - Added reference [2] and [3]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk