Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit

Title: Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit
Advisory ID: ZSL-2024-5813
Type: Local/Remote
Impact: Security Bypass, Privilege Escalation, System Access, DoS
Risk: (5/5)
Release Date: 04.04.2024
The TRA7000 series is a set of products dedicated to broadcast, designed to guarantee an excellent quality-price ratio in compliance with current regulations and intended for individual broadcasters or radio networks. All models in the TRA7000 series are fully digital, using only high-quality components such as 24-bit A/D and D/A converters and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper for both analogue and digital audio inputs, change-over emergency switching between any input with adjustable thresholds and intervention times, both in the switching phase on the secondary source and in the return phase to the primary source. Ethernet connection with Web-Server (optional) for total control and management of the device. Advanced BYPASS system between MPX input and outputs, active on operating and power supply anomalies and can also be activated remotely.
The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication bypass through a direct and unauthorized access to the password management functionality. The vulnerability allows attackers to bypass Digest authentication by manipulating the password endpoint _Passwd.html and its payload data to set a user's password to arbitrary value or remove it entirely. This grants unauthorized access to protected areas (/user, /operator, /admin) of the application without requiring valid credentials, compromising the device's system security.
Positron srl - https://www.positron.it
Affected Version
Tested On
Positron Web Server
Vendor Status
[22.03.2024] Vulnerability discovered.
[22.03.2024] Vendor contacted.
[03.04.2024] No response from the vendor.
[04.04.2024] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://packetstormsecurity.com/files/177939/
[2] https://www.exploit-db.com/exploits/51970
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-31830
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31830
[5] https://cxsecurity.com/issue/WLB-2024040068
[04.04.2024] - Initial release
[10.04.2024] - Added reference [1], [2], [3] and [4]
[22.05.2024] - Added reference [5]
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk