Security
Headlines
HeadlinesLatestCVEs

Headline

Internet Radio auna IR-160 SE UIProto DoS / XSS / Missing Authentication

Internet Radio auna IR-160 SE using the UIProto firmware suffers from missing authentication, cross site scripting, and denial of service vulnerabilities.

Packet Storm
#xss#vulnerability#web#ios#google#dos#git#auth#telnet
The internet radio device auna IR-160 SE has multiple vulnerabilities. It uses the firmware UIProto, different versions of which can also be found in many other radios.1. The firmware offers a rudimentary web API that can be reached on the local network on port 80. This API is completely unauthenticated, allowing anyone to control the radio over the local network. (already known as CVE-2019-13474, but relevant for the other two findings) [1] [2] [3]2. The web UI does not encode user input, resulting in a XSS vulnerability, e.g. when changing the device name as follows:http://192.168.178.93/set_dname?name=><script>alert(1)</script>3. The firmware crashes when sending a device name longer than 84 characters. Some parts of the firmware will recover afterwards and music will play again after a few seconds, but the service on port 80 remains borked until the radio is reset using the switch on the back. This may or may not be a memory corruption vulnerability. I don't feel like analyzing this any further, but it certainly looks kinda fucked..../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFor other vulnerabilities in UIProto see CVE-2019-13473 and CVE-2019-13474 discovered by Benjamin K.M. These reports also mention other devices that are possibly affected by this as well.Also, if anyone knows how to re-enable telnetd on the patched version of UIProto, please let me know!Love,naphthalin[1] https://github.com/kayrus/iradio[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio[3] https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

Related news

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Packet Storm: Latest News

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download