TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
Advisory ID: ZSL-2024-5808
Type: Local/Remote
Impact: System Access, Elevation of Privilege, DoS, Security Bypass
Risk: (5/5)
Release Date: 30.01.2024
Summary
Professional FM transmitters.
Description
The marKoni FM transmitters are susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the 'wget' module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.
Vendor
TELSAT Srl - https://www.markoni.it
Affected Version
Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Tested On
GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vendor Status
[10.11.2023] Vulnerability discovered.
[21.11.2023] Contact with the vendor.
[22.11.2023] No response from the vendor.
[19.01.2024] Contact with the vendor.
[29.01.2024] No response from the vendor.
[30.01.2024] Public security advisory released.
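
The Vendor Status above records no vendor response, so operators are left to watch for the request pattern from the Description themselves. The following is an added example, not part of the advisory or its PoC: it scans web server access-log lines for requests to ekafcgi.fcgi whose 'url' parameter contains shell metacharacters. The log layout (a quoted request line, client address first), the directory that ekafcgi.fcgi sits in, and all sample hosts and addresses are assumptions; any other query parameters of the real request are omitted.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters a shell treats specially; a plain http(s) URL value needs none of them.
SHELL_META = set(";|&`$(){}<>\\'\" \t\r\n")
# The quoted request line of an access-log entry (assumed layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: documentation addresses and made-up host names.
SAMPLE_LOG = [
    '192.0.2.10 tx.example - [30/Jan/2024:10:00:01 +0000] "GET /ekafcgi.fcgi?url=http%3A%2F%2Fip.example.net%2F HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 tx.example - [30/Jan/2024:10:02:13 +0000] "GET /ekafcgi.fcgi?url=http%3A%2F%2Fip.example.net%2F%3Bid HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 tx.example - [30/Jan/2024:10:02:20 +0000] "GET /index.html?url=a%3Bb HTTP/1.1" 200 512 "-" "curl/8.0"',
]

def fully_decode(value, rounds=3):
    """Undo extra layers of percent-encoding that could hide a metacharacter."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_url_values(log_line):
    """Return decoded 'url' values sent to ekafcgi.fcgi that contain shell metacharacters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group("target"))
    if not target.path.endswith("ekafcgi.fcgi"):
        return []
    hits = []
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(value)
        if key == "url" and SHELL_META & set(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (client, value) pairs for every suspicious request in the log."""
    findings = []
    for line in lines:
        client = line.split(" ", 1)[0]
        findings.extend((client, value) for value in suspicious_url_values(line))
    return findings

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"ALERT {client} sent url={value!r} to ekafcgi.fcgi")
```

A legitimate service URL that carries an encoded '&' in its own query string will also be flagged, so findings need a manual look before action is taken.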
PoC
exploit.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
[2] https://packetstormsecurity.com/files/176933/
[3] https://www.exploit-db.com/exploits/51906
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/286366
[5] https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39373
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-39373
Changelog
[30.01.2024] - Initial release
[01.02.2024] - Added reference [2]
[19.03.2024] - Added reference [3]
[28.03.2024] - Added reference [4]
[01.07.2024] - Added reference [5], [6] and [7]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk