Zero Science Lab

An authenticated command injection vulnerability exists in the www-data-handler.php script at line 20, where the 'services' HTTP POST parameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv". This allows an attacker to inject arbitrary system commands into the 'services' parameter, which are then executed by the script with the privileges of the 'www-data' user.

The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .ping.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

The application suffers from an unauthenticated live stream disclosure when webplay or ffmpeg scripts are called.

This vulnerability allows a local authenticated user to create a file in the /tmp directory that contains malicious commands. The file must have the filename ending with .dns.pid, and the commands in the file can only be executed once by an external unauthenticated attacker. By calling the vulnerable script and making a single HTTP POST request, the attacker can gain command execution on the system. After the request is made, the file containing the malicious commands will be deleted.

The application is vulnerable to sensitive directory indexing / information disclosure vulnerability. An unauthenticated attacker can visit the log directory and disclose the server's log files containing sensitive and system information.

The application suffers from an unauthenticated stored XSS vulnerability that results in stored JS code and authentication bypass. The issue is triggered when input passed to the 'username' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The application suffers from an unauthenticated directory traversal file write vulnerability. Input passed through the 'filename' POST parameter called by the 'upgrade.php' script is not properly verified before being used to upload .upgbox Firmware files. This can be exploited to write to arbitrary locations on the system via directory traversal attacks.

The server binary has hard-coded credentials within its Linux and Windows distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device. To add/modify other credentials you need to use the SOUND4 Remote Control thick client.

The application allows an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilisation of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.