Abdul Mhanni

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 satellite receiver (affected versions not specified) **Description** The `/sbin/ip` utility is installed with the setuid bit set on the IDC SFX2100 satellite receiver. This configuration allows any local user who can execute the binary to gain elevated privileges. A local actor can leverage the GTFObins resource to perform privileged file reads as the root user on the local file system, potentially leading to further privileged actions. The API endpoint `/sbin/ip` is involved in this issue. The vulnerable parameter is not specified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 Satellite Receiver (affected versions not specified) **Description** The IDC SFX2100 Satellite Receiver firmware includes daemon configuration files (zebra, bgpd, ospfd, and ripd) owned by root but accessible to all users. These files contain hardcoded plaintext passwords, including credentials for privileged access ('enable'). An attacker could exploit these exposed credentials to gain access to other systems on the network, compromise the satellite receiver, or escalate privileges locally. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 versions (affected versions not specified) **Description** The IDC SFX2100 Satellite Receiver has overly permissive file system permissions set on the `monitor` user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system. This may lead to local privilege escalation depending on system conditions, due to the presence of highly privileged processes and binaries within the affected directory. **Recommendations** Restrict file system permissions on the `monitor` user's home directory to a more secure configuration.

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 Satellite Receiver (affected versions not specified) **Description** A misconfiguration involving incorrect permission assignment of a world-writable file, specifically `/etc/udhcpc/default.script`, exists. This allows a local, unprivileged attacker to potentially execute arbitrary commands with root privileges. The issue stems from the modification of a root-owned, world-writable BusyBox udhcpc DHCP event script. This script is executed during DHCP lease events – obtaining, renewing, or losing a lease – leading to potential local privilege escalation and persistence. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 Satellite Receiver (affected versions not specified) **Description** The device sets the `/etc/resolv.conf` file to be world-writable, allowing any local user to modify DNS configuration. This can lead to DNS resolver tampering, potentially redirecting network communications, enabling man-in-the-middle attacks, and causing denial of service. The `/etc/resolv.conf` file is used to configure the DNS resolver, which translates domain names into IP addresses. When this file is world-writable, unauthorized users can alter the DNS settings, redirecting network traffic to malicious servers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Data Casting (IDC) SFX2100 Satellite Receiver (affected versions not specified) **Description** Multiple SUID root-owned binaries are present in the following directories: /home/monitor/terminal, /home/monitor/kore-terminal, /home/monitor/IDE-DPack/terminal-dpack, and /home/monitor/IDE-DPack/terminal-dpack2. This configuration may allow for local privilege escalation from the `monitor` user to root. SUID binaries are executables that run with the privileges of the owner, in this case, root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Data Casting (IDC) SFX2100 (affected versions not specified) **Description** A SUID root-owned binary located in `/home/xd/terminal/XDTerminal` allows a local actor to potentially perform local privilege escalation depending on system conditions. Exploitation can occur through PATH hijacking, symlink abuse, or shared object hijacking. The vulnerability involves the execution of the affected SUID binary. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX2100 satellite receiver (affected versions not specified) **Description** The IDC SFX2100 satellite receiver includes the `/bin/date` utility installed with the setuid bit set. This configuration allows any local user who can execute the binary to gain elevated privileges. A local actor can leverage the GTFObins resource to perform privileged file reads as the root user on the local file system. This enables an attacker to read root-owned, read-only files, such as the `/etc/shadow` file or other configuration and secrets files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101 **Description** A path traversal issue exists in the `/IDC Logging/checkifdone.cgi` script. An authenticated attacker can manipulate the `file` parameter to access arbitrary files on the system. This is due to insecure file path handling within the perl script. The vulnerability allows directory traversal, and the system confirms file existence through backup operation status. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 **Description** The application does not properly neutralize special elements within the `/IDC Logging/checkifdone.cgi` script, leading to a potential XML Injection issue. User input from the `file` parameter is reflected unsanitized into a CDATA block, potentially allowing an authenticated attacker to inject arbitrary XML elements and break out of tags. This could lead to reflected Cross-Site Scripting (XSS) and potentially other attacks like XML External Entity (XXE) injection. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the `/index.cgi` API endpoint. The application does not properly sanitize user-supplied input received through the `cat` parameter before including it in the HTTP response. This allows a remote attacker to execute arbitrary HTML or JavaScript code within a victim’s browser. **Recommendations** Apply input validation and output encoding to the `cat` parameter in the `/index.cgi` endpoint to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the `/IDC Logging/index.cgi` API endpoint. The issue occurs because a crafted payload sent through the `submitType` parameter is reflected into the Document Object Model (DOM) without proper sanitization. This could allow a remote attacker to execute arbitrary web scripts or HTML. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, avoid using the `submitType` parameter in the affected API endpoint `/IDC Logging/index.cgi` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 **Description** The web-based Ping diagnostic utility ('/IDC Ping/main.cgi') is susceptible to OS Command Injection. The application does not securely process the `IPaddr` parameter, allowing an authenticated attacker to bypass server-side checks and execute arbitrary shell commands with root privileges by using alternate shell metacharacters, such as the pipe `|` operator. **Recommendations** Apply updates to address the insecure parsing of the `IPaddr` parameter in the '/IDC Ping/main.cgi' utility.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 **Description** An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility. An authenticated attacker can inject arbitrary shell metacharacters, such as the pipe `|` operator, into the `flags` parameter. This can lead to the execution of arbitrary operating system commands with root privileges. The vulnerable component is the Traceroute diagnostic utility accessible through the Web Management Interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Nome do Software Vulnerável e Versões Afetadas International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver versões anteriores a 5.8 Descrição Existe uma vulnerabilidade de Execução Remota de Código (RCE) não autenticada no serviço SNMP. O sistema configura de forma insegura a string de comunidade SNMP `private` com acesso de leitura/escrita por padrão. Como o agente SNMP opera com privilégios de root, um atacante remoto não autenticado pode explorar as diretivas `NET-SNMP-EXTEND-MIB` para executar comandos arbitrários do sistema operacional com privilégios de root. Isso é possível porque o sistema está executando uma versão do net-snmp anterior a 5.8. Recomendações Atualize a biblioteca net-snmp para a versão 5.8 ou posterior. Altere a string de comunidade SNMP padrão de `private` para um valor forte e único. Restrinja o acesso ao serviço SNMP apenas a redes e hosts autorizados. Desative o `NET-SNMP-EXTEND-MIB` se não for necessário.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver (affected versions not specified) **Description** The IDC SFX Series SuperFlex SatelliteReceiver includes hardcoded credentials for the `monitor` account. A remote, unauthenticated attacker can leverage these credentials to gain access to the system through SSH. Initial access is to a restricted shell, but the attacker can easily escalate privileges to obtain a standard shell. The `monitor` account is used for system access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX2100 Satellite Receiver (affected versions not specified) **Description** The SFX2100 Satellite Receiver has a default, easily guessable password for the `user` (usr) account. An unauthenticated remote attacker can exploit this to gain unauthorized SSH access to the system. Initially, access is limited to a restricted shell, but an attacker can easily obtain a fully interactive shell by spawning a pseudo-terminal (pty). The `user` account allows access to the system. **Recommendations** Change the default password for the `user` (usr) account to a strong, unique password.

**Name of the Vulnerable Software and Affected Versions** International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver (affected versions not specified) **Description** The IDC SFX Series SuperFlex Satellite Receiver is affected by hardcoded, insecure credentials for the `xd` user account. A remote, unauthenticated attacker can use these credentials to log in via FTP. The `xd` user has write permissions to their home directory, which contains root-executed binaries and symlinks used by `xdstartstop`. This allows an attacker to overwrite files or manipulate symlinks to achieve arbitrary code execution as the root user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX Series SuperFlex(SFX2100) SatelliteReceiver (affected versions not specified) **Description** The IDC SFX Series SuperFlex(SFX2100) SatelliteReceiver contains hardcoded and insecure credentials for the `admin` account. A remote, unauthenticated attacker can exploit this to access the satellite system directly via the Telnet service, potentially compromising the system. The credentials allow direct access without authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDC SFX Series(SFX2100) SuperFlex Satellite Receiver (affected versions not specified) **Description** The `/root/anaconda-ks.cfg` installation configuration file insecurely stores a hardcoded root password hash. This password is highly susceptible to offline dictionary attacks, such as those using the `rockyou.txt` wordlist. An attacker requires initial low-privileged access to the system to exploit this issue and escalate to root privileges, as direct root SSH login is disabled. The API endpoint `/root/anaconda-ks.cfg` is involved in this issue. The vulnerable variable is the hardcoded root password hash within the configuration file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.