Share
## https://sploitus.com/exploit?id=PACKETSTORM:174503
The internet radio device auna IR-160 SE has multiple vulnerabilities.   
It uses the firmware UIProto, different versions of which can also be   
found in many other radios.  
  
1. The firmware offers a rudimentary web API that can be reached on the   
local network on port 80. This API is completely unauthenticated,   
allowing anyone to control the radio over the local network. (already   
known as CVE-2019-13474, but relevant for the other two findings) [1]   
[2] [3]  
  
2. The web UI does not encode user input, resulting in a XSS   
vulnerability, e.g. when changing the device name as follows:  
http://192.168.178.93/set_dname?name=><script>alert(1)</script>  
  
3. The firmware crashes when sending a device name longer than 84   
characters. Some parts of the firmware will recover afterwards and music   
will play again after a few seconds, but the service on port 80 remains   
borked until the radio is reset using the switch on the back. This may   
or may not be a memory corruption vulnerability. I don't feel like   
analyzing this any further, but it certainly looks kinda fucked.  
.../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  
  
For other vulnerabilities in UIProto see CVE-2019-13473 and   
CVE-2019-13474 discovered by Benjamin K.M. These reports also mention   
other devices that are possibly affected by this as well.  
  
Also, if anyone knows how to re-enable telnetd on the patched version of   
UIProto, please let me know!  
  
Love,  
naphthalin  
  
[1] https://github.com/kayrus/iradio  
[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio  
[3]   
https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution