Screen SFT DAB 600 Authentication Bypass via Weak Session Management (ZSL-2023-5775)

Critical Vulnerability Information Title: Screen SFT DAB 600/C Authentication Bypass Reset Board Config Exploit Advisory ID: ZSL-2023-5775 Type: Local/Remote Impact: Privilege Escalation, Security Bypass, DoS Risk: (3/5) Release Date: 13.05.2023 Summary: Screen’s new DAB transmitter represents the highest level of technology in both Digital Signal Processing and RF domains. The SFT DAB Series — Compact Radio DAB Transmitter — Air — benefits from digital adaptive pre-correction, configuration flexibility, Hot Swap System technology, compact design, and intelligent system architecture, making it an advanced transmitter. It supports DAB, DAB+, and T-DMB standards and is compatible with major headend brands. Description: The application is affected by weak session management, which allows an attacker on the same network to bypass authentication controls by reusing the same IP address assigned to the victim user (NAT). This enables exploitation of critical operations on the device. By exploiting the binding of the IP address to the Session ID, an attacker can wait for an active session and then send unauthorized requests to the vulnerable API to manage or manipulate the affected transmitter. Vendor: DB Elettronica Telecomunicazioni SpA - https://www.screen.it Affected Version: Firmware: 1.9.3 Bios firmware: 7.1 (Apr 19 2021) Gui: 2.46 FPGA: 169.55 uc: 6.15 Tested On: Keil-EWEB/2.1 MontaVista® Linux® Carrier Grade eXpress (CGX) Vendor Status: [19.03.2023] Vulnerability discovered. [20.03.2023] Vendor contacted. [12.05.2023] No response from vendor. [13.05.2023] Public security advisory released. PoC: screen_restart.py Credits: Vulnerability discovered by Gjoko Krstic - References: [1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php [2] https://www.exploit-db.com/exploits/51459 [3] https://packetstormsecurity.com/files/172331 [4] https://cxsecurity.com/issue/WLB-2023050063 Changelog: [13.05.2023] - Initial release [12.10.2023] - Added references [2], [3], and [4] Contact: Zero Science Lab Web: https://www.zeroscience.mk e-mail: lab@zeroscience.mk

Goal Reached Thanks to every supporter — we hit 100%!

Screen SFT DAB 600 Authentication Bypass via Weak Session Management (ZSL-2023-5775)