ELCA Star Transmitter Remote Control Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the ELCA Star Transmitter Remote Control firmware version 1.25, affecting models STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly others. This vulnerability allows unauthenticated attackers to access admin credentials and system settings through an unprotected '/setup.xml' endpoint. The admin password is stored in plaintext under the '<p05>' XML tag, which could lead to a remote compromise of the transmitter system.

Impact

Exploitation of this vulnerability allows unauthorized access to admin credentials, which are exposed in plaintext. This could lead to a full compromise of the transmitter system, as an attacker could use the credentials to gain administrative access and control over the device.

Reproduction

To reproduce this vulnerability, send an unauthenticated GET request to the '/setup.xml' endpoint of the target transmitter. The response will include the admin password in plaintext within the '<p05>' field, along with other system settings. Once the password is obtained, it can be used to log in and gain full control of the transmitter system.

Remediation

To address this vulnerability, restrict access to the '/setup.xml' file, ensuring it is not available without authentication. Additionally, remove plaintext password storage by encrypting credentials before they are saved. Implement proper authorization controls to require admin authentication for accessing sensitive configuration files. Finally, enable logging and monitoring to track access to these files and alert for any unauthorized attempts.