Zero Science Lab

SOUND4 products suffer from an unauthenticated remote code execution vulnerability. An attacker can exploit this vulnerability by abusing the firmware upgrade/upload functionality, which contains a path traversal flaw. This allows the attacker to arbitrarily write a malicious file to a location on the system with www-data permissions, which can be executed to gain unauthorized access.

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .traceroute.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

The application suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'username' HTTP POST parameter through index.php and login.php script.

The application suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'password' HTTP POST parameter through index.php and login.php script.

An authenticated command injection vulnerability exists in the www-data-handler.php script at line 20, where the 'services' HTTP POST parameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv". This allows an attacker to inject arbitrary system commands into the 'services' parameter, which are then executed by the script with the privileges of the 'www-data' user.

The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .ping.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

The application suffers from an unauthenticated live stream disclosure when webplay or ffmpeg scripts are called.

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .dns.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

The application is vulnerable to sensitive directory indexing / information disclosure vulnerability. An unauthenticated attacker can visit the log directory and disclose the server's log files containing sensitive and system information.