TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account

vendor:

TELSAT marKoni FM Transmitter

by:

Gjoko 'LiquidWorm' Krstic

6.1

CVSS

HIGH

Backdoor Account

912

CWE

Product Name: TELSAT marKoni FM Transmitter

Affected Version From: 39873

Affected Version To: 38596

Patch Exists: NO

Related CWE:

CPE: h:tel_sat:markoni_fm_transmitter:1.9.5

Metasploit:

Other Scripts:

Platforms Tested: GNU/Linux, icorem6solox, lighttpd/1.4.33

2023

TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account

The TELSAT marKoni FM Transmitter 1.9.5 firmware contains a hidden super administrative account named 'factory' with a hardcoded password 'inokram25', providing unauthorized access to the web management interface configuration. This backdoor account is not visible in the user interface and the password cannot be changed through regular operations. By exploiting this vulnerability located in the /js_files/LogIn_local.js script file, attackers can gain full control over the device, allowing them to perform actions like unit configuration, parameter modification, EEPROM overwrite, clearing DB, and factory log modification.

Mitigation:

To mitigate this vulnerability, users should update the firmware to a patched version that removes the hardcoded backdoor account credentials. Additionally, it is recommended to restrict network access to the device and regularly monitor for any unauthorized access.

Source

Exploit-DB raw data:

TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account


Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
                  Markoni-A (Analogue Modulator) FM Transmitters
                  Firmware: 1.9.5
                            1.9.3
                            1.5.9
                            1.4.6
                            1.3.9

Summary: Professional FM transmitters.

Desc: The transmitter has a hidden super administrative account 'factory'
that has the hardcoded password 'inokram25' that allows full access to
the web management interface configuration. The factory account is not
visible in the users page of the application and the password cannot be
changed through any normal operation of the device. The backdoor lies in
the /js_files/LogIn_local.js script file. Attackers could exploit this
vulnerability by logging in using the backdoor credentials for the web
panel gaining also additional functionalities including: unit configuration,
parameter modification, EEPROM overwrite, clearing DB, and factory log
modification.

Tested on: GNU/Linux 3.10.53 (armv7l)
           icorem6solox
           lighttpd/1.4.33


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2024-5809
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
CWE ID: 912
CWE URL: https://cwe.mitre.org/data/definitions/912.html


10.11.2023

--


The credentials can be seen in the auto_login() JS function in the
unprotected /js_files/LogIn_local.js file:

$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"

function auto_login() {     // @mod1
    var username = "factory";
    var password = "inokram25";
$