DB Elettronica SFT DAB 600/C Authentication Bypass Vulnerability Allowing Admin Password Change

An authentication bypass vulnerability has been identified in the DB Elettronica SFT DAB 600/C transmitter, specifically in firmware version 1.9.3. This vulnerability allows attackers to change the admin password without needing the current password. Exploitation involves sending a crafted POST request to the userManager.cgx API endpoint with a new password hashed using MD5, thereby directly modifying the admin account's password.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized access and privilege escalation by allowing an attacker to gain administrative rights on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the userManager.cgx API endpoint with a JSON payload that includes the 'username' set to 'admin' and the 'password' set to the desired new password hashed with MD5. The request must include headers that specify the content type as 'application/x-www-form-urlencoded' and accept 'application/json'.