DB Electronica Mozart FM Transmitter Unauthenticated Arbitrary File Upload Vulnerability Allowing Malicious Firmware Injection

Vulnerability

A vulnerability exists in DB Electronica Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue allows unauthenticated users to upload arbitrary files through the firmware upgrade endpoint in 'upgrade_contents.php'. The vulnerability arises from missing validation of file headers, cryptographic signatures, and enforcement of the .tgz format, enabling the injection of malicious firmware. This endpoint also facilitates further arbitrary file uploads and remote code execution.

Impact

Exploitation of this vulnerability allows for unauthorized file uploads, with the potential to inject malicious firmware that could be executed on the device, leading to unauthorized actions or access.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'upgrade_contents.php' file upload endpoint. The request must include a file that bypasses the client-side extension check, such as a .php file disguised as a .tgz file. Once uploaded, the file can be executed or manipulated through other vulnerable endpoints.
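The checks the advisory describes as missing (server-side enforcement of the .tgz format instead of a client-side extension check, file header validation, and a signature check before the package is parsed) are sketched below as an added Python example; it is not the vendor's code. The HMAC key is a stand-in for whatever signing scheme the vendor would use, and the sample archives are constructed inline.

```python
import hashlib
import hmac
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"               # first two bytes of every gzip stream
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's firmware signing key

def sign(data: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Detached signature over the raw upload (HMAC used as a stand-in for vendor signing)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def validate_firmware_upload(filename: str, data: bytes, signature: bytes,
                             key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Server-side acceptance test for an uploaded firmware package; returns (ok, reason)."""
    # 1. The .tgz requirement is enforced here, not only in browser-side script.
    if not filename.lower().endswith((".tgz", ".tar.gz")):
        return False, "extension"
    # 2. A renamed script has no gzip header, so the magic bytes reject it.
    if data[:2] != GZIP_MAGIC:
        return False, "not gzip"
    # 3. Verify the signature over the raw bytes before parsing anything.
    if not hmac.compare_digest(sign(data, key), signature):
        return False, "bad signature"
    # 4. Only now parse the archive; refuse entries that escape the extraction root.
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            for member in tf.getmembers():
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    return False, "unsafe path"
    except (tarfile.TarError, OSError, EOFError):
        return False, "not a tar archive"
    return True, "ok"

def make_tgz(files: dict[str, bytes]) -> bytes:
    """Build a small .tgz in memory (constructed sample input for the demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    good = make_tgz({"firmware/image.bin": b"\x00" * 64})
    print(validate_firmware_upload("fw.tgz", good, sign(good)))  # (True, 'ok')
    fake = b"<?php /* not firmware */ ?>"
    print(validate_firmware_upload("fw.tgz", fake, sign(fake)))  # (False, 'not gzip')
```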

Added: Nov 26, 2025, 1:22 AM
Updated: Nov 26, 2025, 1:22 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  8.7
remediation     0.0
relevance       1.2
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.