← Advisories

TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account

Critical
Advisory ID
ZSL-2024-5809
Release Date
31 January 2024
Vendor
TELSAT Srl - https://www.markoni.it
Affected Version
Markoni-D (Compact) FM Transmitters, Markoni-DH (Exciter+Amplifiers) FM Transmitters, Markoni-A (Analogue Modulator) FM Transmitters, Firmware: 1.9.5, 1.9.3, 1.5.9, 1.4.6, 1.3.9
CVE
CVE-2024-39374
Tested On
GNU/Linux 3.10.53 (armv7l), icorem6solox, lighttpd/1.4.33
Summary

Professional FM transmitters.

Description

The transmitter has a hidden super administrative account 'factory' that has the hardcoded password 'inokram25' that allows full access to the web management interface configuration. The factory account is not visible in the users page of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /js_files/LogIn_local.js script file. Attackers could exploit this vulnerability by logging in using the backdoor credentials for the web panel gaining also additional functionalities including: unit configuration, parameter modification, EEPROM overwrite, clearing DB, and factory log modification.

Proof of Concept
markoni_backdoor.txtTXT
Disclosure Timeline
10.11.2023Vulnerability discovered.
21.11.2023Contact with the vendor.
22.11.2023No response from the vendor.
19.01.2024Contact with the vendor.
29.01.2024No response from the vendor.
31.01.2024Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/176934/
[2]https://www.exploit-db.com/exploits/51907
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/286365
[4]https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01
[5]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39374
[6]https://nvd.nist.gov/vuln/detail/CVE-2024-39374
Changelog
31.01.2024Initial release
01.02.2024Added reference [1]
19.03.2024Added reference [2]
28.03.2024Added reference [3]
01.07.2024Added reference [4], [5] and [6]