TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution

Title: TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution
Advisory ID: ZSL-2023-5799
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 25.10.2023
Summary
This new line of Opera plus FM Transmitters combines very high efficiency, high reliability and low energy consumption in compact solutions. They have innovative functions and features that can eliminate the costs required by additional equipment: automatic exchange of audio sources, built-in stereo encoder, integrated RDS encoder, parallel I/O card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP Webserver.
Description
The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
Vendor
Telecomunicazioni Elettro Milano (TEM) S.r.l. - https://www.tem-italy.it
Affected Version
Software version: 35.45
Webserver version: 1.7
Tested On
Webserver
Vendor Status
[18.08.2023] Vulnerabilikty discovered.
[22.08.2023] Vendor contacted.
[05.10.2023] No response from the vendor.
[06.10.2023] Vendor contacted.
[08.10.2023] No response from the vendor.
[09.10.2023] CERT Serbia contacted.
[09.10.2023] CERT Serbia responded asking more details. Created incident ID: 355655.
[09.10.2023] Replied to CERT Serbia.
[24.10.2023] Asked CERT Serbia for status update.
[25.10.2023] No response from CERT Serbia.
[25.10.2023] Public security advisory released.
PoC
tem_rce.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html
[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php
[3] https://cxsecurity.com/issue/WLB-2023100059
[4] https://packetstormsecurity.com/files/175372/TEM-Opera-Plus-FM-Family-Transmitter-35.45-Remote-Code-Execution.html
Changelog
[25.10.2023] - Initial release
[03.11.2023] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk