lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <03d32c06-15a1-4969-8045-d7cd09ccddfa@quietgarden.net>
Date: Mon, 4 Sep 2023 08:45:04 +0200
From: naphthalin via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Vulnerabilities in Internet Radio auna IR-160 SE (UIProto)

The internet radio device auna IR-160 SE has multiple vulnerabilities. 
It uses the firmware UIProto, different versions of which can also be 
found in many other radios.

1. The firmware offers a rudimentary web API that can be reached on the 
local network on port 80. This API is completely unauthenticated, 
allowing anyone to control the radio over the local network. (already 
known as CVE-2019-13474, but relevant for the other two findings) [1] 
[2] [3]

2. The web UI does not encode user input, resulting in a XSS 
vulnerability, e.g. when changing the device name as follows:
http://192.168.178.93/set_dname?name=><script>alert(1)</script>

3. The firmware crashes when sending a device name longer than 84 
characters. Some parts of the firmware will recover afterwards and music 
will play again after a few seconds, but the service on port 80 remains 
borked until the radio is reset using the switch on the back. This may 
or may not be a memory corruption vulnerability. I don't feel like 
analyzing this any further, but it certainly looks kinda fucked.
.../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

For other vulnerabilities in UIProto see CVE-2019-13473 and 
CVE-2019-13474 discovered by Benjamin K.M. These reports also mention 
other devices that are possibly affected by this as well.

Also, if anyone knows how to re-enable telnetd on the patched version of 
UIProto, please let me know!

Love,
naphthalin

[1] https://github.com/kayrus/iradio
[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio
[3] 
https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ