TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
TELSAT marKoni FM Transmitter version 1.9.5 has a hidden super administrative account, 'factory', with the hardcoded password 'inokram25', which allows full access to the web management interface configuration.
Vendor: TELSAT Srl
Product web page: https://www.markoni.it
Affected version: Markoni-D (Compact) FM Transmitters
                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
                  Markoni-A (Analogue Modulator) FM Transmitters
                  Firmware: 1.9.5
                            1.9.3
                            1.5.9
                            1.4.6
                            1.3.9

Summary: Professional FM transmitters.

Desc: The transmitter has a hidden super administrative account 'factory'
that has the hardcoded password 'inokram25' that allows full access to
the web management interface configuration. The factory account is not
visible in the users page of the application and the password cannot be
changed through any normal operation of the device. The backdoor lies in
the /js_files/LogIn_local.js script file. Attackers could exploit this
vulnerability by logging in using the backdoor credentials for the web
panel gaining also additional functionalities including: unit configuration,
parameter modification, EEPROM overwrite, clearing DB, and factory log
modification.

Tested on: GNU/Linux 3.10.53 (armv7l)
           icorem6solox
           lighttpd/1.4.33

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            Macedonian Information Security Research and Development Laboratory
                            Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2024-5809
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php

CWE ID: 912
CWE URL: https://cwe.mitre.org/data/definitions/912.html

10.11.2023

--

The credentials can be seen in the auto_login() JS function in the
unprotected /js_files/LogIn_local.js file:

$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"
function auto_login() { // @mod1
    var username = "factory";
    var password = "inokram25";
$
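Added example (not part of the original advisory and not vendor code): an offline audit check for the pattern described above, a client-side script that initialises credential-like variables with non-empty string literals, meant to be run over saved copies of a device's JS files during firmware review. The function name, the regex heuristic and the sample script are assumptions of this example; only the three auto_login() lines in the sample come from the advisory.

```python
import re

# Heuristic (an assumption of this example): a credential-like variable name
# initialised with a NON-empty string literal. Empty placeholders such as
# `var password = "";` are deliberately not matched.
CRED_ASSIGN = re.compile(
    r"""\b(?:var|let|const)\s+(?P<name>\w*(?:user|login|pass|pwd|secret)\w*)
        \s*=\s*(?P<q>["'])(?:\\.|(?!(?P=q)).)+(?P=q)""",
    re.IGNORECASE | re.VERBOSE,
)
FUNC_DECL = re.compile(r"\bfunction\s+(?P<fn>\w+)\s*\(")

def find_hardcoded_credentials(js_source):
    """Return (line_no, enclosing_function, variable) per finding.

    The enclosing function is the most recent `function name(` declaration
    seen above the line, which is a heuristic, not a real JS parse. The
    literal itself is not returned so reports do not re-leak the secret.
    """
    findings = []
    current_fn = None
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # commented-out code is not live
        decl = FUNC_DECL.search(line)
        if decl:
            current_fn = decl.group("fn")
        for m in CRED_ASSIGN.finditer(line):
            findings.append((line_no, current_fn, m.group("name")))
    return findings

# Constructed sample: check_login() and the comment line are invented for
# contrast; the auto_login() lines are the ones quoted in the advisory.
SAMPLE_JS = '''\
function check_login() {
    var username = document.getElementById("user").value;
    var password = "";
}
function auto_login() { // @mod1
    var username = "factory";
    var password = "inokram25";
    // var password = "old";
}
'''

if __name__ == "__main__":
    for line_no, fn, var in find_hardcoded_credentials(SAMPLE_JS):
        print(f"line {line_no}: hardcoded literal assigned to '{var}' in {fn}()")
```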