← Advisories

TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit

Critical
Advisory ID
ZSL-2024-5808
Release Date
30 January 2024
Vendor
TELSAT Srl - https://www.markoni.it
Affected Version
Markoni-D (Compact) FM Transmitters, Markoni-DH (Exciter+Amplifiers) FM Transmitters, Markoni-A (Analogue Modulator) FM Transmitters, Firmware: 1.9.5, 1.9.3, 1.5.9, 1.4.6, 1.3.9
CVE
CVE-2024-39373
Tested On
GNU/Linux 3.10.53 (armv7l), icorem6solox, lighttpd/1.4.33
Summary

Professional FM transmitters.

Description

The marKoni FM transmitters are susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the 'wget' module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.

Proof of Concept
yp.tiolpxeTXT
Disclosure Timeline
10.11.2023Vulnerability discovered.
21.11.2023Contact with the vendor.
22.11.2023No response from the vendor.
19.01.2024Contact with the vendor.
29.01.2024No response from the vendor.
30.01.2024Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2024-5809
[2]https://packetstormsecurity.com/files/176933/
[3]https://www.exploit-db.com/exploits/51906
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/286366
[5]https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01
[6]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39373
[7]https://nvd.nist.gov/vuln/detail/CVE-2024-39373
Changelog
30.01.2024Initial release
01.02.2024Added reference [2]
19.03.2024Added reference [3]
28.03.2024Added reference [4]
01.07.2024Added reference [5], [6] and [7]