TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account

`  
TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account  
  
  
Vendor: TELSAT Srl  
Product web page: https://www.markoni.it  
Affected version: Markoni-D (Compact) FM Transmitters  
Markoni-DH (Exciter+Amplifiers) FM Transmitters  
Markoni-A (Analogue Modulator) FM Transmitters  
Firmware: 1.9.5  
1.9.3  
1.5.9  
1.4.6  
1.3.9  
  
Summary: Professional FM transmitters.  
  
Desc: The transmitter has a hidden super administrative account 'factory'  
that has the hardcoded password 'inokram25' that allows full access to  
the web management interface configuration. The factory account is not  
visible in the users page of the application and the password cannot be  
changed through any normal operation of the device. The backdoor lies in  
the /js_files/LogIn_local.js script file. Attackers could exploit this  
vulnerability by logging in using the backdoor credentials for the web  
panel gaining also additional functionalities including: unit configuration,  
parameter modification, EEPROM overwrite, clearing DB, and factory log  
modification.  
  
Tested on: GNU/Linux 3.10.53 (armv7l)  
icorem6solox  
lighttpd/1.4.33  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
  
  
Advisory ID: ZSL-2024-5809  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php  
CWE ID: 912  
CWE URL: https://cwe.mitre.org/data/definitions/912.html  
  
  
10.11.2023  
  
--  
  
  
The credentials can be seen in the auto_login() JS function in the  
unprotected /js_files/LogIn_local.js file:  
  
$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"  
  
function auto_login() { // @mod1  
var username = "factory";  
var password = "inokram25";  
$   
`