Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit

Title: Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit
Advisory ID: ZSL-2024-5813
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS
Risk: (5/5)
Release Date: 04.04.2024
Summary
The TRA7000 series is a set of products dedicated to broadcast, designed to guarantee an excellent quality-price ratio in compliance with current regulations and intended for individual broadcasters or radio networks. All models in the TRA7000 series are fully digital, using only high-quality components such as 24-bit A/D and D/A converters and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper for both analogue and digital audio inputs, change-over emergency switching between any input with adjustable thresholds and intervention times, both in the switching phase on the secondary source and in the return phase to the primary source. Ethernet connection with Web-Server (optional) for total control and management of the device. Advanced BYPASS system between MPX input and outputs, active on operating and power supply anomalies and can also be activated remotely.
Description
The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.
Vendor
Positron srl - https://www.positron.it
Affected Version
1.20
TRA7K5_REV107
TRA7K5_REV106
TRA7K5_REV104
TRA7K5_REV102
Tested On
Positron Web Server
Vendor Status
[22.03.2024] Vulnerability discovered.
[22.03.2024] Vendor contacted.
[03.04.2024] No response from the vendor.
[04.04.2024] Public security advisory released.
PoC
positron_auth.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/177939/
[2] https://www.exploit-db.com/exploits/51970
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-31830
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31830
[5] https://cxsecurity.com/issue/WLB-2024040068
[6] https://www.cisa.gov/news-events/ics-advisories/icsa-24-207-02
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-7007
[8] https://www.cve.org/CVERecord?id=CVE-2024-7007
Changelog
[04.04.2024] - Initial release
[10.04.2024] - Added reference [1], [2], [3] and [4]
[22.05.2024] - Added reference [5]
[04.08.2024] - Added reference [6], [7] and [8]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk