SOUND4 Impact/Pulse/First/Eco Command Injection Vulnerability in dns.php

Vulnerability

A command injection vulnerability has been identified in SOUND4 IMPACT, FIRST, PULSE, and ECO versions through 2.x. This vulnerability allows local authenticated users to create files in the /tmp directory with a .dns.pid extension, containing malicious commands. Unauthenticated attackers can then execute these commands by sending an HTTP POST request to the dns.php script, which triggers the command execution and subsequently deletes the file.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the server.

Reproduction

To reproduce this vulnerability, a local authenticated user can create a file in the /tmp directory with the .dns.pid extension, containing malicious commands. After the file is created, an external unauthenticated attacker can send an HTTP POST request to the dns.php script, including the network ID that corresponds to the .dns.pid file. This request will execute the commands contained in the file on the server.
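A defensive check for the two artifacts described above, as an added example that is not part of the original advisory or of SOUND4's code: it audits a directory for `.dns.pid` files that look planted and lists POST requests to `dns.php` in web server log lines. It assumes that a legitimate `.dns.pid` file holds only a numeric process ID, that such files are owned by root (uid 0), and that the access log uses Common Log Format; adjust these for the device being examined.

```python
import re
import stat
from pathlib import Path

# Assumption: a legitimate .dns.pid file contains only a numeric process ID.
PID_ONLY = re.compile(r"\A\s*\d{1,10}\s*\Z")
# Assumption: access log in Common/Combined Log Format; dns.php may sit in any directory.
DNS_POST = re.compile(r'^(\S+) .*?"POST (\S*/dns\.php)(?:\?\S*)? HTTP/[\d.]+" (\d{3})')


def audit_pid_files(directory="/tmp", trusted_uids=(0,)):
    """Return (path, reasons) for every *.dns.pid file that looks tampered with."""
    findings = []
    for path in sorted(Path(directory).glob("*.dns.pid")):
        reasons = []
        st = path.lstat()  # lstat: do not follow symlinks placed in a shared directory
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        else:
            if st.st_uid not in trusted_uids:
                reasons.append(f"owned by untrusted uid {st.st_uid}")
            with open(path, "rb") as fh:
                head = fh.read(4096).decode("latin-1")
            if not PID_ONLY.match(head):
                reasons.append("content is not a bare numeric PID")
        if reasons:
            findings.append((str(path), reasons))
    return findings


def dns_php_posts(log_lines):
    """Return (client, path, status) for each POST to dns.php in the given log lines."""
    matches = (DNS_POST.match(line) for line in log_lines)
    return [m.groups() for m in matches if m]


# Constructed sample log lines (documentation addresses, not from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2025:23:40:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Dec/2025:23:41:12 +0000] "POST /dns.php HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for finding in audit_pid_files():
        print("suspicious pid file:", finding)
    print("POSTs to dns.php:", dns_php_posts(SAMPLE_LOG))
```

Run the file audit with read access to the files in `/tmp`. Because the advisory states that the file is deleted after execution, a POST to `dns.php` in the logs with no matching file on disk does not rule out prior use.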

Added: Dec 30, 2025, 11:47 PM
Updated: Dec 30, 2025, 11:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.