Sound4 PULSE-ECO AES67 Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in the Sound4 PULSE-ECO AES67 web-based management interface, specifically in firmware version 1.22. The vulnerability arises from the update mechanism's failure to properly validate the integrity of the 'manual.sh' script in firmware update packages. This flaw allows an attacker to inject arbitrary commands by modifying 'manual.sh' and repackaging the firmware. Exploitation involves uploading the malicious firmware through the web interface, which then executes the injected commands with root privileges.

Impact

Exploitation of this vulnerability provides full remote shell access as root, allowing unauthorized users to execute commands, gain persistent access to the device, modify system behavior or firmware, and potentially pivot to internal networks if the device is not properly segmented.

Reproduction

To reproduce this vulnerability, access the web-based management interface of a Sound4 PULSE-ECO AES67 device running firmware 1.22. Download the original firmware from the Sound4 support page and extract it. Modify the 'manual.sh' file to include a reverse shell payload, update the md5sum file to reflect the changes, and ensure all necessary files are included in the firmware package. Repackage the firmware, upload the modified package via the web interface, and the device will execute the 'manual.sh' script, triggering the reverse shell.

Remediation

It is recommended to implement strict integrity checks, such as cryptographic signature verification, during the firmware update process. Additionally, restrict the firmware upload functionality to trusted administrators only, and regularly monitor firmware integrity by verifying checksums and timestamps.