Title: Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit
Advisory ID: ZSL-2023-5774
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass, DoS
Risk: (4/5)
Release Date: 13.05.2023

Summary

Screen's new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuatio flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands.

Description

This exploit circumvents the control and requirement of admin's old password and directly changes the password.

Vendor

DB Elettronica Telecomunicazioni SpA - https://www.screen.it | https://www.dbbroadcast.com

Affected Version

Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15

Tested On

Keil-EWEB/2.1
MontaVista® Linux® Carrier Grade eXpress (CGX)

Vendor Status

[19.03.2023] Vulnerability discovered.
[20.03.2023] Vendor contacted.
[12.05.2023] No response from the vendor.
[13.05.2023] Public security advisory released.

PoC

screen_masterpwd.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
[3] https://www.exploit-db.com/exploits/51458
[4] https://packetstormsecurity.com/files/172329
[5] https://cxsecurity.com/issue/WLB-2023050074

Changelog

[13.05.2023] - Initial release
[12.10.2023] - Added reference [3], [4] and [5]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk