CVE-2023-34673

Description

Exposure of SMTP credentials and other sensitive information to an unauthorized actor through the publicly accessible Memcached service

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: Elenos

Affected Product: ETG150 FM transmitter - 3.12

Introduction

Memcache is a service that stores data temporarily in a key-value format. By caching large data sets, it improves a website's overall performance.

Examples of situations in which Memcache may be employed:

  • The application has a large chunk of static data that needs to be displayed to the user as is, such as a list of countries for a registration form, bank IFSC codes, and so on.

  • The application has a search functionality and needs to cache the most searched items in a temporary location so they can be fetched as quickly as possible.

Details

The Elenos ETG150 FM transmitter running version 3.12 was discovered to be leaking SMTP credentials and other sensitive information through its publicly accessible Memcached service.

By accessing the SMTP server with the revealed credentials, or with extensive knowledge of the Senders' setups, an attacker might use this information to launch a larger attack.

First, we log in as a privileged user and make changes to the "Email" configuration in the "Senders" endpoint, which is used to send information and alarms about the transmitter to the SMTP server via email.

Then, we access the Memcache service with the Linux telnet command.

Once connected, type "stats slabs" in the terminal.

The output lists all the slabs within Memcache. Knowledge of the slabs alone won't give us much information. What we need are the key:value pairs, which actually hold all the data. Use "stats cachedump <item: id> " to query the number of keys stored in the slab (item).

Now, let's retrieve the data from the Senders' email configuration using the key that we obtained. To do that, we simply issue the command "get events_email".

As we can see, we were able to obtain all SMTP server email settings and credentials. We can also gather all SMS and Traps information using the same technique.

If an attacker gets the SMTP server credentials, they could potentially use them to send malicious emails, such as phishing emails, or to send spam. They could also use the credentials to gain access to confidential emails sent through the server.
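A defensive check for the exposure described above, added here as an example and not taken from the advisory or from Elenos firmware: it audits a Memcached option file for the conditions that make the cache readable from the network. It assumes stock memcached options (`-l` listen address, `-s` UNIX socket, `-S` SASL) written one per line as in a Debian-style `memcached.conf`; the sample files and function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed samples (assumed Debian-style option files, not Elenos firmware).
EXPOSED_CONF = "-m 64\n-p 11211\n-u memcache\n"  # no -l: binds every interface
HARDENED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n"  # loopback only

def parse_options(conf_text):
    """Map each option flag to its value (True for bare flags); '#' starts a comment."""
    opts = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else True
    return opts

def is_loopback(entry):
    """True if one -l entry (address, optionally with :port) is loopback-only."""
    host = entry.strip()
    if host.lower() == "localhost":
        return True
    for candidate in (host, host.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate.strip("[]")).is_loopback
        except ValueError:
            continue
    return False  # any other hostname: cannot prove it resolves to loopback

def audit(conf_text):
    """Return findings for an option file; an empty list means no exposure found."""
    opts = parse_options(conf_text)
    if "-s" in opts:  # UNIX socket mode disables the network listeners
        return []
    findings = []
    listen = opts.get("-l")
    if listen is None or listen is True:
        findings.append("no -l address: listening on all interfaces")
    else:
        findings += [f"listening on non-loopback address {e.strip()}"
                     for e in listen.split(",") if not is_loopback(e)]
    if findings and "-S" not in opts:
        findings.append("SASL (-S) not enabled: reachable clients can read every key")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

An empty result only means the option file itself does not expose the service; firewall rules and the actual listening sockets on the device still need to be checked separately.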
