Title: TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
Advisory ID: ZSL-2024-5808
Type: Local/Remote
Impact: System Access, Elevation of Privilege, DoS, Security Bypass
Risk: (5/5)
Release Date: 30.01.2024

Summary

Professional FM transmitters.

Description

The marKoni FM transmitters are susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the 'wget' module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.

Vendor

TELSAT Srl - https://www.markoni.it

Affected Version

Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9

Tested On

GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33

Vendor Status

[10.11.2023] Vulnerability discovered.
[21.11.2023] Contact with the vendor.
[22.11.2023] No response from the vendor.
[19.01.2024] Contact with the vendor.
[29.01.2024] No response from the vendor.
[30.01.2024] Public security advisory released.

PoC

yp.tiolpxe

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
[2] https://packetstormsecurity.com/files/176933/
[3] https://www.exploit-db.com/exploits/51906
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/286366

Changelog

[30.01.2024] - Initial release
[01.02.2024] - Added reference [2]
[19.03.2024] - Added reference [3]
[28.03.2024] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk