bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/51907.txt
Exploit-DB bbffa273d4 DB: 2024-03-19 
13 changes to exploits/shellcodes/ghdb

TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure
TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection

Atlassian Confluence < 8.5.3 - Remote Code Execution

Backdrop CMS 1.23.0 - Stored XSS

Gibbon LMS < v26.0.00 - Authenticated RCE

Quick.CMS 6.7 - SQL Injection Login Bypass

TYPO3 11.5.24 - Path Traversal (Authenticated)

WEBIGniter v28.7.23 - Stored XSS

WordPress File Upload Plugin < 4.23.3 - Stored XSS

xbtitFM 4.1.18 - Multiple Vulnerabilities

ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE
2024-03-19 00:16:26 +00:00

57 lines
No EOL
1.9 KiB
Text
Raw Permalink Blame History

TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
Markoni-DH (Exciter+Amplifiers) FM Transmitters
Markoni-A (Analogue Modulator) FM Transmitters
Firmware: 1.9.5
1.9.3
1.5.9
1.4.6
1.3.9
Summary: Professional FM transmitters.
Desc: The transmitter has a hidden super administrative account 'factory'
that has the hardcoded password 'inokram25' that allows full access to
the web management interface configuration. The factory account is not
visible in the users page of the application and the password cannot be
changed through any normal operation of the device. The backdoor lies in
the /js_files/LogIn_local.js script file. Attackers could exploit this
vulnerability by logging in using the backdoor credentials for the web
panel gaining also additional functionalities including: unit configuration,
parameter modification, EEPROM overwrite, clearing DB, and factory log
modification.
Tested on: GNU/Linux 3.10.53 (armv7l)
icorem6solox
lighttpd/1.4.33
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2024-5809
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
CWE ID: 912
CWE URL: https://cwe.mitre.org/data/definitions/912.html
10.11.2023
--
The credentials can be seen in the auto_login() JS function in the
unprotected /js_files/LogIn_local.js file:
$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"
function auto_login() { // @mod1
var username = "factory";
var password = "inokram25";
$
Reference in a new issue View git blame Copy permalink