DB Electronica Telecomunicazioni Mozart FM Transmitter Tar Extraction Path Traversal Vulnerability Allowing Arbitrary File Overwrite
Vulnerability
A vulnerability exists in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue arises from the 'restore_mozzi_memories.sh' script, which extracts user-controlled tar archives to the root filesystem without proper path validation. This flaw can be exploited by uploading a malicious .tgz file through an unrestricted file upload vulnerability, overwriting critical system files and potentially leading to a full system compromise.
Impact
Exploitation of this vulnerability allows for arbitrary file overwrites, with the potential to replace critical system files, thereby compromising the entire system.
Reproduction
The vulnerability can be reproduced in two steps. First, a malicious .tgz file whose entries have path-traversal filenames is uploaded to the '/var/www/settings/' directory through the 'status_contents.php' endpoint, which has an unrestricted file upload vulnerability. Then a request is sent to 'restore_settings.php' with the name of the uploaded file. The 'restore_settings.php' script extracts the archive to the root filesystem, overwriting any files named in the archive with the copies included in the .tgz file.
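The missing path validation described above can be sketched as a check that runs before any extraction. This is an added example, not the vendor's code or a vendor fix; the function names, the sample entry names and the idea of restoring into a dedicated directory instead of the root filesystem are assumptions made for illustration.

```python
import io
import os
import tarfile


def unsafe_members(archive_bytes, dest):
    """Return (name, reason) for every entry that must not be extracted under dest."""
    dest_real = os.path.realpath(dest)
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar:
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.isabs(m.name):
                problems.append((m.name, "absolute path"))
            elif os.path.commonpath([dest_real, target]) != dest_real:
                problems.append((m.name, "escapes destination"))
            elif m.issym() or m.islnk():
                problems.append((m.name, "link entry"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "special file"))
    return problems


def restore(archive_bytes, dest):
    """Extract only if every entry is a plain file or directory inside dest."""
    problems = unsafe_members(archive_bytes, dest)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        # Use the standard library's "data" extraction filter where available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def make_tgz(names):
    """Constructed sample input: a .tgz holding one small regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

The whole archive is rejected when any entry fails the check, so a restore never leaves a partially extracted backup behind.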
