Security
Headlines
HeadlinesLatestCVEs

Headline

TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution

The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server’s main interfaces and execute arbitrary code.

Zero Science Lab
#vulnerability#web#php#rce#auth

Title: TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution
Advisory ID: ZSL-2023-5799
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 25.10.2023

Summary

This new line of Opera plus FM Transmitters combines very high efficiency, high reliability and low energy consumption in compact solutions. They have innovative functions and features that can eliminate the costs required by additional equipment: automatic exchange of audio sources, built-in stereo encoder, integrated RDS encoder, parallel I/O card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP Webserver.

Description

The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server’s main interfaces and execute arbitrary code.

Vendor

Telecomunicazioni Elettro Milano (TEM) S.r.l. - https://www.tem-italy.it

Affected Version

Software version: 35.45
Webserver version: 1.7

Tested On

Webserver

Vendor Status

[18.08.2023] Vulnerabilikty discovered.
[22.08.2023] Vendor contacted.
[05.10.2023] No response from the vendor.
[06.10.2023] Vendor contacted.
[08.10.2023] No response from the vendor.
[09.10.2023] CERT Serbia contacted.
[09.10.2023] CERT Serbia responded asking more details. Created incident ID: 355655.
[09.10.2023] Replied to CERT Serbia.
[24.10.2023] Asked CERT Serbia for status update.
[25.10.2023] No response from CERT Serbia.
[25.10.2023] Public security advisory released.

PoC

tem_rce.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html
[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php

Changelog

[25.10.2023] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]

Zero Science Lab: Latest News

ABB Cylon Aspect 3.08.00 (log(Mix/Yum)Lookup.php) Off-by-One Error in Log Parsing