TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
Title: TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
Advisory ID: ZSL-2024-5809
Type: Local/Remote
Impact: System Access, Elevation of Privilege, DoS, Security Bypass, Exposure of Sensitive Information, Exposure of System Information
Risk: (5/5)
Release Date: 31.01.2024
Summary
Professional FM transmitters.
Description
The transmitter has a hidden super administrative account 'factory' with the hardcoded password 'inokram25', which allows full access to the web management interface configuration. The factory account is not visible on the users page of the application, and the password cannot be changed through any normal operation of the device. The backdoor lies in the /js_files/LogIn_local.js script file. Attackers could exploit this vulnerability by logging in to the web panel with the backdoor credentials, which also grants additional functionality including unit configuration, parameter modification, EEPROM overwrite, clearing the DB, and factory log modification.
Vendor
TELSAT Srl - https://www.markoni.it
Affected Version
Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Tested On
GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vendor Status
[10.11.2023] Vulnerability discovered.
[21.11.2023] Contact with the vendor.
[22.11.2023] No response from the vendor.
[19.01.2024] Contact with the vendor.
[29.01.2024] No response from the vendor.
[31.01.2024] Public security advisory released.
PoC
markoni_backdoor.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/176934/
[2] https://www.exploit-db.com/exploits/51907
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/286365
[4] https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39374
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-39374
Changelog
[31.01.2024] - Initial release
[01.02.2024] - Added reference [1]
[19.03.2024] - Added reference [2]
[28.03.2024] - Added reference [3]
[01.07.2024] - Added reference [4], [5] and [6]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
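
A firmware-review check for the bug class reported in the Description, as an added example that is not part of the advisory or the vendor's firmware: it scans a client-side login script for account names compared against string literals and reports any that the users page does not list. The sample script, the `svc_hidden` account, the variable-name hints and the user list are constructed placeholders, not the contents of /js_files/LogIn_local.js.

```javascript
// Added example: flag account names that a login script compares against
// string literals and that the users page does not list.

// Constructed sample, NOT the device's LogIn_local.js; all values are placeholders.
const SAMPLE_LOGIN_JS = `
function checkLogin(user, pass) {
  for (var i = 0; i < users.length; i++) {
    if (user == users[i].name && md5(pass) == users[i].hash) return true;
  }
  if (user === "svc_hidden" && pass === "PLACEHOLDER_SECRET") return true;
  return false;
}`;

const USER_HINT = /user|login|account/i;   // assumed naming of username variables
const PASS_HINT = /pass|pwd|secret/i;      // assumed naming of password variables

// Every `<identifier> ==/===/!=/!== "<string literal>"` with its line number.
function literalComparisons(source) {
  const re = /([A-Za-z_$][\w$.]*)\s*[=!]==?\s*(["'])((?:(?!\2)[^\\]|\\.)*)\2/g;
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(re)) {
      hits.push({ line: i + 1, variable: m[1], literal: m[3] });
    }
  });
  return hits;
}

// visibleUsers: account names exported from the device's users page.
function auditLoginScript(source, visibleUsers) {
  const hits = literalComparisons(source);
  return hits
    .filter((h) => USER_HINT.test(h.variable) && !PASS_HINT.test(h.variable))
    .map((h) => ({
      line: h.line,
      account: h.literal,
      // Report only that a password literal sits on the same line, never its value.
      hardcodedPassword: hits.some((p) => p.line === h.line && PASS_HINT.test(p.variable)),
      listedInUsersPage: visibleUsers.includes(h.literal),
    }));
}

console.log(auditLoginScript(SAMPLE_LOGIN_JS, ["admin", "operator"]));
```

Any finding with `listedInUsersPage: false` is an account the device's own user management cannot show or rotate, which is the condition the advisory describes.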