Sound4 IMPACT Remote Code Execution Vulnerability via Malicious Firmware Update

Vulnerability

A remote code execution vulnerability has been identified in the Sound4 IMPACT web-based management interface, specifically in firmware version 2.33. The issue arises because the firmware update mechanism does not properly validate the integrity of the 'manual.sh' script: the only check is the md5sum file carried inside the package itself, which anyone who repackages the firmware can simply regenerate. This flaw allows an attacker to inject arbitrary commands by modifying the script, repackaging the firmware, and uploading it through the management interface.

Impact

Exploitation of this vulnerability provides full remote shell access as root, allowing unauthorized users to execute commands, gain persistent access, modify system behavior or firmware, and potentially pivot to internal networks if the device is not properly segmented.

Reproduction

To reproduce this vulnerability, access the Sound4 IMPACT web-based management interface. Download the original firmware version 2.33 from the Sound4 support page. Extract the firmware package and modify the 'manual.sh' file by injecting a reverse shell payload. Update the md5sum file to reflect the changes, ensuring the modified 'manual.sh' is included along with the correct checksum. Repackage the firmware, upload the modified package via the web interface, and trigger the update to execute the injected commands.

Remediation

Users are advised to implement strict integrity checks, such as cryptographic signature verification, during the firmware upload process; a checksum file shipped inside the package is not an integrity control, because it is under the uploader's control. Additionally, restrict upload functionality to trusted administrators, verify the package before 'manual.sh' is extracted or executed, and monitor firmware integrity by regularly verifying checksums and timestamps.
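The following is an added example, not code from Sound4 or from this advisory, showing why the md5sum-file check described above passes on a repackaged firmware while a keyed verification rejects it. It assumes a tar-based package layout with a 'manual.sh', a payload file and an 'md5sum' file (a constructed approximation of the format, not the vendor's real one), and uses an HMAC-SHA256 tag with a device-held key as a stand-in for a signature because the Python standard library has no asymmetric primitives; in a real device the preferred design is an asymmetric signature (for example Ed25519) with only the public key stored on the device.

```python
import hashlib
import hmac
import io
import tarfile

# CONSTRUCTED placeholder key held on the device and never shipped in a package.
# Stand-in for a vendor signing key; use an asymmetric signature in production.
DEVICE_VERIFY_KEY = b"constructed-demo-key-do-not-use"
TAG_LEN = 32  # SHA-256 digest length


def build_package(files: dict) -> bytes:
    """Pack {name: bytes} into an in-memory tar archive (constructed layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_package(blob: bytes) -> dict:
    """Unpack the archive back into {name: bytes} without touching disk."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def make_md5sum(files: dict) -> bytes:
    """Produce an md5sum-style listing ('<digest>  <name>' per line)."""
    return "\n".join(
        f"{hashlib.md5(d).hexdigest()}  {n}" for n, d in files.items()
    ).encode()


def md5sum_file_check(files: dict) -> bool:
    """The weak check: compare each file against the md5sum file inside the package."""
    expected = {}
    for line in files["md5sum"].decode().splitlines():
        digest, name = line.split()
        expected[name] = digest
    return all(hashlib.md5(files[n]).hexdigest() == d for n, d in expected.items())


def sign_package(archive: bytes, key: bytes) -> bytes:
    """Vendor side: append a keyed tag computed over the whole archive."""
    return archive + hmac.new(key, archive, hashlib.sha256).digest()


def verify_package(signed: bytes, key: bytes):
    """Device side: return the archive only if the tag verifies, else None."""
    archive, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return archive


def run_scenario() -> dict:
    """Compare both checks on an original and a repackaged firmware."""
    original = {
        "manual.sh": b"#!/bin/sh\necho 'applying update'\n",
        "image.bin": b"\x00" * 64,
    }
    original["md5sum"] = make_md5sum(original)
    signed = sign_package(build_package(original), DEVICE_VERIFY_KEY)

    # Repackaging without the key: alter manual.sh, regenerate the md5sum
    # file so the in-package checksums still match, reuse the old tag.
    archive = signed[:-TAG_LEN]
    altered = read_package(archive)
    altered["manual.sh"] += b"echo 'line added after repackaging'\n"
    del altered["md5sum"]
    altered["md5sum"] = make_md5sum(altered)
    repackaged = build_package(altered) + signed[-TAG_LEN:]

    return {
        "md5_check_original": md5sum_file_check(read_package(archive)),
        "md5_check_repackaged": md5sum_file_check(read_package(repackaged[:-TAG_LEN])),
        "sig_check_original": verify_package(signed, DEVICE_VERIFY_KEY) is not None,
        "sig_check_repackaged": verify_package(repackaged, DEVICE_VERIFY_KEY) is not None,
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'pass' if ok else 'REJECT'}")
```

The md5sum check accepts both packages because the expected digests travel with the files they describe; only the keyed check, whose secret never leaves the device, rejects the repackaged one. On the device, verify_package must run before any file, 'manual.sh' included, is extracted or executed.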

Added: Nov 18, 2025, 10:19 PM
Updated: Nov 18, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.