Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass
Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
500W, 1kW, 2kW Medium DAB Transmitter
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
100W, 500W, 1kW, 2kW Compact FM Transmitter
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
15W - 40kW Digital FM Transmitter
BI, BIII VHF TV Transmitter
10W - 5kW UHF TV Transmitter
Web version: 01.09, 01.08, 01.07
Display version: 1.4, 1.2
Control unit version: 01.06, 01.04, 01.03
Firmware version: 2.1
Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters' needs
from small community television or radio to big government networks.
Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the-art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.
100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.
FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.
Available for VHF BI and VHF BIII operation with robust design
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.
Desc: The transmitter is vulnerable to an authentication bypass
vulnerability affecting the Login Cookie. An attacker can set
an arbitrary value except 'NO' to the Login Cookie and have
full system access.
Tested on: Mbedthis-Appweb/12.5.0
Mbedthis-Appweb/12.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5791
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php
30.06.2023
--
C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"

Electrolink FM/DAB/TV Transmitter Authentication Bypass: A Critical Security Flaw Exploited via Login Cookie Manipulation
Electrolink s.r.l., a longstanding provider of advanced broadcast technology since 1990, manufactures high-performance FM, DAB, and TV transmitters used across community radio networks, government broadcasting systems, and commercial media infrastructure. Despite their robust design and professional-grade reliability, recent security research has uncovered a critical vulnerability in multiple Electrolink transmitter models: an authentication bypass via manipulated Login Cookie. This flaw enables attackers to gain full system access without proper credentials, posing a severe threat to broadcast integrity and operational security.
Overview of the Vulnerability
The vulnerability affects a broad range of Electrolink transmitters, including:
- Compact DAB Transmitters (10W, 100W, 250W)
- Medium and High Power DAB Transmitters (500W to 5kW)
- Compact and Modular FM Transmitters (100W to 30kW)
- BI, BIII VHF TV Transmitters
- UHF TV Transmitters (10W to 5kW)
These devices run firmware version 2.1 and web control software based on Mbedthis-Appweb versions 12.5.0 and 12.0.0. The core issue lies in the authentication mechanism tied to a Login Cookie, which is supposed to verify user session legitimacy.
How the Authentication Bypass Works
Under normal operation, the Login Cookie is expected to contain a valid session token or user identifier, and is typically set to “NO” when the user is not logged in. However, due to flawed validation logic, the system does not properly check the cookie's content or origin. Instead, it only evaluates whether the cookie is not equal to "NO".
This means that any arbitrary value—such as admin, 12345, guest, or even malicious_payload—will be accepted as a valid login, effectively bypassing authentication entirely.
```
// Example of flawed authentication logic (hypothetical pseudocode)
if (cookie_value != "NO") {
    grant_full_access();
} else {
    deny_access();
}
```
Explanation: This logic is fundamentally insecure. It fails to validate the cookie's authenticity, cryptographic integrity, or session context. As long as the cookie value is not "NO", the system assumes the user is authenticated. This creates a trivial exploit path for any attacker with access to the HTTP session or able to inject a custom cookie.
Exploitation Scenario: Real-World Use Case
Imagine a malicious actor targeting a public radio station using a 100W Compact DAB Transmitter running firmware 2.1. The attacker:
- Scans the device’s web interface (typically accessible via HTTP on port 80 or 443).
- Observes the Login Cookie in the browser's developer tools or network traffic.
- Modifies the cookie value from "NO" to "admin" using browser tools or a simple HTTP request.
- Reloads the page or sends a request with the altered cookie.
- Immediately gains access to all system controls, including modulation settings, power levels, channel configurations, and remote monitoring.
Such access allows the attacker to:
- Disable the transmitter during a live broadcast.
- Change the broadcast frequency or modulation parameters.
- Inject unauthorized content or interference signals.
- Modify or exfiltrate sensitive configuration data.
Technical Details and Impact
| Component | Affected Version | Authentication Mechanism | Exploitability |
|---|---|---|---|
| Web Interface | 01.09, 01.08, 01.07 | Login Cookie (no validation) | High (remote, no credentials required) |
| Control Unit | 01.06, 01.04, 01.03 | Cookie-based session | High |
| Firmware | 2.1 | Appweb 12.5.0/12.0.0 | High |
| Display | 1.4, 1.2 | Touch-screen UI | Medium (requires access to web interface) |
Due to the lack of session token validation, cryptographic signing, or time-based expiration, the system is vulnerable to session hijacking and cookie manipulation. The absence of CSRF protection or token regeneration further exacerbates the risk.
Expert Insights: Why This Is a Critical Flaw
Broadcast infrastructure is critical infrastructure. Unlike typical web applications, broadcast transmitters are responsible for delivering public content, often in real time and subject to regulatory compliance. A compromised transmitter can:
- Disrupt public safety communications (e.g., emergency broadcasts).
- Enable media manipulation or propaganda dissemination.
- Expose sensitive network configurations to adversaries.
Moreover, this vulnerability is not limited to local access. If the device is exposed to the internet (via port forwarding, public IP, or misconfigured firewall), attackers can exploit it remotely from anywhere in the world.
Recommended Mitigations
Electrolink must address this flaw immediately. The following remediation strategies are essential:
- Implement secure session management: Use cryptographically signed tokens with expiration, and validate against a server-side session database.
- Enforce cookie integrity: Reject cookies with arbitrary values unless they are properly authenticated.
- Enable CSRF tokens: Require unique tokens for each session to prevent cookie injection.
- Update firmware: Release a patched firmware version (e.g., 2.2) with hardened authentication logic.
- Disable remote access: Restrict web interfaces to internal networks or require VPN/HTTPS with mutual authentication.
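The flawed comparison described earlier, set beside a server-side session check of the kind the first two mitigations call for. This is an added example, not Electrolink firmware or Appweb code; it uses random opaque tokens held in a server-side table instead of signed tokens, and the function names, table size and 900-second lifetime are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_SESSIONS 4        /* assumed table size */
#define TOKEN_LEN 32          /* hex chars = 128 random bits */
#define SESSION_TTL 900       /* assumed lifetime in seconds */
static struct { char token[TOKEN_LEN + 1]; time_t expires; } table[MAX_SESSIONS];

/* The check the page describes: any cookie value other than "NO" is accepted. */
int flawed_is_authenticated(const char *cookie) {
    return cookie != NULL && strcmp(cookie, "NO") != 0;
}

/* Call only after a real credential check; returns the value for the cookie. */
const char *session_create(time_t now) {
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (n != sizeof raw) return NULL;                /* no entropy: fail closed */
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].expires > now) continue;        /* slot holds a live session */
        for (size_t j = 0; j < sizeof raw; j++)
            snprintf(table[i].token + 2 * j, 3, "%02x", (unsigned)raw[j]);
        table[i].expires = now + SESSION_TTL;
        return table[i].token;
    }
    return NULL;                                     /* table full */
}

/* Accept only a token this server issued and that has not expired. */
int hardened_is_authenticated(const char *cookie, time_t now) {
    int ok = 0;
    if (cookie == NULL || strlen(cookie) != TOKEN_LEN) return 0;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        unsigned char diff = 0;                      /* constant-time compare */
        for (int j = 0; j < TOKEN_LEN; j++)
            diff |= (unsigned char)(cookie[j] ^ table[i].token[j]);
        ok |= (diff == 0) & (table[i].expires > now);
    }
    return ok;
}

int main(void) {
    time_t now = time(NULL);
    const char *tok = session_create(now);
    printf("flawed(ADMIN)=%d hardened(ADMIN)=%d hardened(issued)=%d\n",
           flawed_is_authenticated("ADMIN"), hardened_is_authenticated("ADMIN", now),
           tok != NULL && hardened_is_authenticated(tok, now));
    return 0;
}
```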
Conclusion
The Electrolink FM/DAB/TV Transmitter authentication bypass via Login Cookie manipulation is a stark reminder that even specialized industrial equipment is not immune to common web vulnerabilities. While the device’s technical capabilities are impressive, its security architecture falls short. This flaw, discovered by Gjoko 'LiquidWorm' Krstic from Zero Science Lab, underscores the need for rigorous security testing in all embedded systems, especially those handling public broadcast services.
Until a patch is issued, operators should:
- Disable remote web access.
- Use firewalls to restrict access to trusted IP ranges.
- Monitor for unauthorized login attempts via logs or network traffic.
Security is not a luxury—it’s a necessity. In broadcasting, a single unpatched vulnerability can compromise the entire public information stream.