The application allows the usage of the SVDRP protocol/commands to be sent by a remote attacker to manipulate and/or control remotely the TV.

Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit  
Advisory ID: ZSL-2022-5714  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 16.10.2022

**Summary**

MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems.

**Description**

The application allows the usage of the SVDRP protocol/commands to be sent by a remote attacker to manipulate and/or control remotely the TV.

**Vendor**

MiniDVBLinux - https://www.minidvblinux.de

**Affected Version**

<=5.4

**Tested On**

MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux 4.19.127.203 (armv7l)  
VideoDiskRecorder 2.4.6

**Vendor Status**

\[24.09.2022\] Vulnerability discovered.  
\[27.09.2022\] Vendor contacted.  
\[15.10.2022\] No response from the vendor.  
\[16.10.2022\] Public security advisory released.

**PoC**

mldhd\_svdrp.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[16.10.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit

The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Title: MiniDVBLinux 5.4 Config Download Exploit  
Advisory ID: ZSL-2022-5713  
Type: Local/Remote  
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information, System Access, DoS, Privilege Escalation  
Risk: (5/5)  
Release Date: 16.10.2022

**Summary**

MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems.

**Description**

The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

**Vendor**

MiniDVBLinux - https://www.minidvblinux.de

**Affected Version**

<=5.4

**Tested On**

MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux 4.19.127.203 (armv7l)  
VideoDiskRecorder 2.4.6

**Vendor Status**

\[24.09.2022\] Vulnerability discovered.  
\[27.09.2022\] Vendor contacted.  
\[15.10.2022\] No response from the vendor.  
\[16.10.2022\] Public security advisory released.

**PoC**

mldhd\_config.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[16.10.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

MiniDVBLinux 5.4 Config Download Exploit

SoX suffers from a division by zero attack when handling WAV files, resulting in denial of service vulnerability and possibly loss of data.

Title: SoX 14.4.2 (wav.c) Division By Zero  
Advisory ID: ZSL-2022-5712  
Type: Local  
Impact: DoS  
Risk: (2/5)  
Release Date: 18.09.2022

**Summary**

SoX (Sound eXchange) is the Swiss Army knife of sound processing tools: it can convert sound files between many different file formats and audio devices, and can apply many sound effects and transformations, as well as doing basic analysis and providing input to more capable analysis and plotting tools.

**Description**

SoX suffers from a division by zero attack when handling WAV files, resulting in denial of service vulnerability and possibly loss of data.

**Vendor**

Chris Bagwell - http://sox.sourceforge.net

**Affected Version**

<=14.4.2

**Tested On**

Ubuntu 18.04.6 LTS  
Microsoft Windows 10 Home

**Vendor Status**

N/A

**PoC**

sox\_div0.txt  
sox\_div0.wav.zip

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[18.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

SoX 14.4.2 (wav.c) Division By Zero

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS  
Advisory ID: ZSL-2022-5711  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 11.09.2022

**Summary**

The ETAP Safety Manager (ESM) is a central managing and control system that helps you to monitor, adjust and maintain your emergency lighting system. Therefore each luminaire connected to your ESM network is given a unique code. The ESM can easily identify the luminaires individually and automatically report whether all luminaires work properly. You can either choose between a wired or wireless network, or a combination of both. With ESM you will not only manage your self contained or your centrally supplied ‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergency units and K9 LED modules, which you can build into your luminaires. Since your ESM system is connected to the Internet, you will always have access to it through the World Wide Web. ESMweb™ is an ‘embedded web server’ application for monitoring an emergency lighting system, which runs in the ‘ESM web controller’. The ESMweb™ application can be accessed from any PC in the corporate network or connected to the Internet - by a standard web browser.

**Description**

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ETAP Lighting International NV - https://www.etaplighting.com

**Affected Version**

1.0.0.32

**Tested On**

Apache/2.4.41 (Ubuntu)

**Vendor Status**

N/A

**PoC**

etap\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit  
Advisory ID: ZSL-2022-5710  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 20.07.2022

**Summary**

SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants.

Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide!

The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.

Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.

**Description**

The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam.

\--------------------------------------------------------------------------------

/www/delsnap.pl:  
----------------

01: #!/usr/bin/perl  
02: use IO::Handle;  
03:  
04:  
05: select(STDERR);  
06: $| = 1;  
07: select(STDOUT);  
08: $| = 1;  
09:  
10: #print "\r\n\r\n";  
11:  
12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';  
13: use CGI;  
14:  
15: my $PROGNAME = "delsnap.pl";  
16:  
17: my $cgi = new CGI();  
18:  
19: my $name = $cgi->param('name');  
20: if ($name eq "list") {  
21:     print "\r\n\r\n";  
22:     print "DATA=";  
23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;  
24:     exit(0);  
25: }  
26: if ($name eq "deleteall") {  
27:     print "\r\n\r\n";  
28:     print "DELETINGALL=TRUE&";  
29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;  
30:     print "COMPLETED=true\n";  
31:     exit(0);  
32: }  
33: #print "name $name\n";  
34: print "\r\n\r\n";  
35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";  
36:  
37: unlink $filename or die "COMPLETED=false\n";  
38:  
39: print "COMPLETED=true\n";

  
\--------------------------------------------------------------------------------

**Vendor**

Schneider Electric SE - https://www.se.com

**Affected Version**

SpaceLogic C-Bus Home Controller (5200WHC2)  
formerly known as C-Bus Wiser Home Controller MK2  
V1.31.460 and prior  
Firmware: 604

**Tested On**

Machine: OMAP3 Wiser2 Board  
CPU: ARMv7 revision 2  
GNU/Linux 2.6.37 (armv7l)  
BusyBox v1.22.1  
thttpd/2.25b  
Perl v5.20.0  
Clipsal 81  
Angstrom 2009.X-stable  
PICED 4.14.0.100  
lighttpd/1.7  
GCC 4.4.3  
NodeJS v10.15.3

**Vendor Status**

\[27.03.2022\] Vulnerability discovered.  
\[31.03.2022\] Reported the vulnerability to the vendor.  
\[31.03.2022\] Vendor receives PoC, starts analysis and creates SE-6334 (Remote Root Exploit).  
\[11.04.2022\] Asked vendor for confirmation and status update.  
\[11.04.2022\] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.  
\[20.04.2022\] Asked vendor for confirmation and scheduled patch release date.  
\[21.04.2022\] Vendor is still analyzing.  
\[30.04.2022\] Asked vendor for status update.  
\[02.05.2022\] Vendor states that the product team has finalized their action plan and has provided a tentative fix release date of end of June.  
\[02.05.2022\] Replied to the vendor.  
\[02.05.2022\] The product team is working diligently on the fix. If there are any changes to the release date, we will let you know immediately.  
\[03.06.2022\] Asked vendor for status update.  
\[03.06.2022\] Vendor responds, tentative fix release date remains end of June.  
\[27.06.2022\] Asked vendor for status update.  
\[28.06.2022\] Vendor is finalizing the security notification and expecting to disclose on July 12th 2022.  
\[30.06.2022\] Vendor sends encrypted draft advisory for review.  
\[02.07.2022\] Sent our encrypted draft advisory for alignment of content.  
\[08.07.2022\] Vendor reviews the advisory and agrees that it is aligned with the contents. Provided advisory URL and asked for release date.  
\[10.07.2022\] Replied to the vendor with scheduled advisory release date.  
\[12.07.2022\] Vendor released advisory SEVD-2022-193-02.  
\[20.07.2022\] Coordinated public security advisory released.

**PoC**

SpaceLogic.ps1

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp  
\[2\] https://download.schneider-electric.com/files?p\_enDocType=Security+and+Safety+Notice&p\_File\_Name=SEVD-2022-193-02\_SpaceLogic-C-Bus-Home-Controller-Wiser\_MK2\_Security\_Notification.pdf  
\[3\] https://www.se.com/ww/en/work/support/cybersecurity/wall-of-thanks.jsp  
\[4\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753  
\[5\] https://nvd.nist.gov/vuln/detail/CVE-2022-34753

**Changelog**

\[20.07.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit

The device suffers from multiple vulnerabilities including: Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal  
Advisory ID: ZSL-2022-5709  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 30.06.2022

**Summary**

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

**Description**

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

**Vendor**

CAREL INDUSTRIES S.p.A. - https://www.carel.com

**Affected Version**

Firmware: A2.1.0 - B2.1.0  
Application Software: 2.15.4A  
Software version: v16 13020200

**Tested On**

GNU/Linux 4.11.12 (armv7l)  
thttpd/2.29

**Vendor Status**

\[10.05.2022\] Vulnerability discovered.  
\[27.05.2022\] Vendor contacted.  
\[27.05.2022\] Vendor responds creating request ID 00027344. Will come back soon with an answer.  
\[29.06.2022\] No response from the vendor.  
\[30.06.2022\] Public security advisory released.

**PoC**

carelpco\_dir.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.06.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Title: JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities  
Advisory ID: ZSL-2022-5708  
Type: Local/Remote  
Impact: Cross-Site Scripting, Spoofing, System Access  
Risk: (4/5)  
Release Date: 14.06.2022

**Summary**

This ONU is the perfect GEPON home and business gateway. It is an all-rounder in perfection. It can BRIDGE/NAT/RIP ROUTEND and COMBINED.

**Description**

The device suffers from multiple vulnerabilities including: Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

**Vendor**

JM-DATA GmbH - https://www.jm-data.at

**Affected Version**

1.0.67  
1.0.62  
1.0.55

**Tested On**

Boa/0.93.15

**Vendor Status**

N/A

**PoC**

jm\_data-JF511-TV\_info.txt

**Credits**

Vulnerability discovered by Neurogenesia - <neurogenesia@segfault.mk\>

**References**

N/A

**Changelog**

\[14.06.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities

The automation controller suffers from an authenticated arbitrary command execution vulnerability. An attacker can abuse the Start-up (init) script editor and exploit the 'script' POST parameter to insert malicious Lua script code and execute commands with root privileges that will grant full control of the device.

Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit  
Advisory ID: ZSL-2022-5707  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 29.05.2022

**Summary**

The C-Bus Network Automation Controller (5500NAC) and the Wiser for C-Bus Automation Controller (5500SHAC)) is an advanced controller from Schneider Electric. It is specifically designed to unite the C-Bus home automation solution with common household communication protocols, from lighting and climate control, to security, entertainment and energy metering. The Wiser for C-Bus Automation Controller manages and controls C-Bus systems for residential homes or zones within a building and integrates functions such as heating/cooling, energy/load monitoring and remote control for C-Bus and Modbus.

**Description**

The automation controller suffers from an authenticated arbitrary command execution vulnerability. An attacker can abuse the Start-up (init) script editor and exploit the 'script' POST parameter to insert malicious Lua script code and execute commands with root privileges that will grant full control of the device.

**Vendor**

Schneider Electric SE - https://www.se.com

**Affected Version**

CLIPSAL 5500SHAC (i.MX28)  
CLIPSAL 5500NAC (i.MX28)  
SW: 1.10.0, 1.6.0  
HW: 1.0  
Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2  
SpaceLogic C-Bus

**Tested On**

CPU model: ARM926EJ-S rev 5 (v5l)  
GNU/Linux 4.4.115 (armv5tejl)  
LuaJIT 2.0.5  
FlashSYS v2  
nginx

**Vendor Status**

\[12.03.2022\] Vulnerability discovered.  
\[15.03.2022\] Sent details to vendor.  
\[17.03.2022\] Vendor creates case SE-6201, starts investigation.  
\[25.03.2022\] Asked vendor for status update.  
\[26.03.2022\] Vendor responds, assessment is still ongoing.  
\[30.03.2022\] Vendor cannot reproduce with provided info, requests proof of execution.  
\[31.03.2022\] Sent encrypted PoC script to the vendor.  
\[31.03.2022\] Vendor receives PoC, starts analysis.  
\[11.04.2022\] Asked vendor for confirmation and status update.  
\[11.04.2022\] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.  
\[20.04.2022\] Asked vendor for confirmation and scheduled patch release date.  
\[21.04.2022\] Vendor confirms SE-6201, working on action plan.  
\[22.04.2022\] Vendor responds: The product team has not accepted this report as a valid vulnerability due to the following analysis:  
The python script mentioned in the report uses the /scada-main/scripting/ editor to execute the lua script to gain remote access to the controller. However, to achieve this, the attacker needs to provide the administrator credentials to execute the script. So, this can be done only when the attacker has the administrator credentials with him. In order to prevent attackers from obtaining administrator credentials, the product implements the following measures to make passwords difficult to brute force.  
Force a user to change the default password the very first time they log in to the controller.  
Uses of a strong password (Combination of characters with uppercase letter, lowercase letter and digit)  
Block access to the controller after certain wrong login attempts.  
\[22.04.2022\] Replied to the vendor. Asked vendor to assign SeeVeeE.  
\[30.04.2022\] Asked vendor for status update.  
\[02.05.2022\] Vendor closes SE-6201 (not a vuln).  
\[29.05.2022\] Public security advisory released.

**PoC**

c-bus.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[29.05.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.05.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

The USR IOT industrial router is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device. The 'usr' account with password 'www.usr.cn' has the highest privileges on the device. The password is also the default WLAN password.

Source

Zero Science Lab