Polycom: Web Management Interface; Multiple Vulnerabilities

Path Traversal on Polycom Web Management Interface:

System affected: Polycom Web Management Interface
Model: G3/HDX 8000 HD, among others
Software Version: Durango 2.6.0 Release – build #4740

Embedded Linux: Polycom Linux Development Platform v2.14.g3

Other versions or models may also be affected.

Successful exploitation of this vulnerability may allow an attacker to read the contents of arbitrary files on the Polycom operating system.

Detailed description:

The web management interface on the Polycom device allows users to download two log files (“system log” and “error log”). This feature is available through the following menus:

 Diagnostics –> System Log –> Download Logs

Access to these log files is provided by the script “a_getlog.cgi”, which receives the name of the log file to be downloaded (“messages” or “error”) through the URL parameter “name”, as shown in the URL below:

http://<affected_device>/a_getlog.cgi?name=messages

The Path Traversal vulnerability occurs because the value of “name” is used to build a file path without proper validation of the user-supplied data.

This allows the attacker to navigate the directory structure with “../” segments, thus gaining read access to arbitrary files on Polycom’s operating system.

As a proof of concept, it is possible to download the “/etc/passwd” file by requesting the following URL:

http://<affected_device>/a_getlog.cgi?name=../../../etc/passwd

To fix this vulnerability, the Polycom Web Management Interface should perform proper input validation of all user-supplied data before it is used elsewhere in the web application or in the underlying operating system; for this endpoint that means accepting only the two known log names and never using the parameter as a path component.

Also, the Polycom Web Management Interface should not be reachable until a strong administrative password has been configured.

You can read more about this vulnerability here: http://www.tempest.com.br/advisories/tsi-adv-1201/

Customers can download version 3.0 and newer at the link provided below:

http://support.polycom.com/PolycomService/support/us/support/video/hdx_series/

Polycom Web Management Interface O.S. Command Injection

System affected: Polycom Web Management Interface

Model: G3/HDX 8000 HD
Software Version: Durango 2.6.0 Release – build #4740
Embedded Linux: Polycom Linux Development Platform v2.14.g3

Other versions or models may also be affected.

Impact: Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the Polycom operating system.

The web management interface on the Polycom device allows users to run a network troubleshooting test that sends an ICMP echo request to a user-supplied host. This feature is available through the following menus:

 Diagnostics –> Network –> PING

This feature takes the user-supplied input and uses it as a parameter to the ‘ping’ command, returning the average round-trip time. For example, if the user enters the value ‘127.0.0.1’ in the form, the system executes the command “ping -c 1 127.0.0.1” followed by a stdout redirection to a randomly generated filename in the /tmp directory.

The Command Injection vulnerability occurs because the command line is built from the user-supplied data and handed to the shell without proper input validation.

UNIX-based shells accept multiple commands on one line separated by the semicolon (;) character, running them consecutively, so the attacker can submit a specially crafted parameter that runs arbitrary commands on the underlying operating system.

The stdout redirection appended by the application is easily bypassed by adding a comment character (#) after the injected command, as shown in the following example:

127.0.0.1 ; ps -ef > /tmp/command_injection.txt #

The above parameter results in the execution of two commands:

 (#1) ping -c 1 127.0.0.1
 (#2) ps -ef > /tmp/command_injection.txt # <…>

Anything the web management interface appends after the user-supplied input (here, the stdout redirection) is commented out by the # character, so the attacker controls exactly what is executed and where its output is stored.

To fix this vulnerability, the Polycom Web Management Interface should perform proper input validation of all user-supplied data before it is used elsewhere in the web application or in the underlying operating system; for this endpoint that means accepting only an IP address or hostname and never passing the value through a shell.

Also, the Polycom Web Management Interface should not be reachable until a strong administrative password has been configured.
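The following is an added example, not code from the advisory or from Polycom’s firmware, showing both weaknesses described above side by side with a hardened form: the log-name parameter from the first advisory being joined onto a directory versus an allowlist lookup, and the ping target from the second advisory being interpolated into a shell string versus being validated and passed as an argv list. The log directory (/var/log), the file names, and the use of “echo” in place of the real ping binary are assumptions so the demo runs offline; the injection payload is the shape given in the advisory.

```python
import ipaddress
import os
import re
import subprocess
import tempfile

# ---- Log download: path traversal ----------------------------------------
# Assumed layout (not stated in the advisory): the two log files live under
# LOG_DIR and the CGI maps the "name" parameter onto a file in that directory.
LOG_DIR = "/var/log"
ALLOWED_LOGS = {"messages": "messages", "error": "error"}


def resolve_log_path_unsafe(name):
    """Vulnerable pattern (reconstruction, not Polycom's code): the
    user-supplied name is joined onto LOG_DIR unchecked, so '../' segments
    walk out of the directory."""
    return os.path.normpath(os.path.join(LOG_DIR, name))


def resolve_log_path_safe(name):
    """Hardened: the parameter selects an allowlist entry and is never used
    as a path component. Anything not in the table is refused."""
    if name not in ALLOWED_LOGS:
        raise ValueError("unknown log name: %r" % name)
    return os.path.join(LOG_DIR, ALLOWED_LOGS[name])


# ---- Ping test: command injection ----------------------------------------
# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)%s(?:\.%s)*$" % (_LABEL, _LABEL))


def validate_ping_target(target):
    """Accept only an IP literal or a DNS hostname. Shell metacharacters,
    whitespace, quotes and a leading '-' (which ping would read as an
    option) all fall outside that grammar and are rejected."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % target)


def ping_unsafe(target, out_path):
    """Vulnerable pattern (reconstruction): one shell command line built by
    string interpolation, stdout redirected to a file. 'echo' stands in for
    the real ping binary so the demo runs offline."""
    cmd = "echo ping -c 1 %s > %s" % (target, out_path)
    subprocess.run(cmd, shell=True, stdout=subprocess.DEVNULL, check=False)


def demo_shell_injection():
    """Run the advisory's payload shape through ping_unsafe(). Returns
    (redirect_file_written, marker_file_contents): the ';' starts a second
    command and the trailing '#' comments out the application's redirect."""
    workdir = tempfile.mkdtemp()
    out = os.path.join(workdir, "ping.out")
    marker = os.path.join(workdir, "injected.txt")
    ping_unsafe("127.0.0.1 ; echo injected > %s #" % marker, out)
    marker_text = open(marker).read() if os.path.exists(marker) else None
    return os.path.exists(out), marker_text


def ping_safe(target):
    """Hardened: validate first, then pass argv as a list so no shell ever
    parses the target; output is captured by the caller rather than by a
    shell redirect. Returns the command's stdout ('echo' stands in for ping)."""
    host = validate_ping_target(target)
    result = subprocess.run(["echo", "ping", "-c", "1", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(resolve_log_path_unsafe("../../../etc/passwd"))   # /etc/passwd
    print(demo_shell_injection())                            # (False, 'injected\n')
    print(ping_safe("127.0.0.1"), end="")                    # ping -c 1 127.0.0.1
    try:
        ping_safe("127.0.0.1 ; ps -ef > /tmp/command_injection.txt #")
    except ValueError as exc:
        print("rejected:", exc)
```

Two design points worth noting. The allowlist is preferable to stripping “../” from the name, because encoded or nested traversal sequences tend to survive naive filtering while a two-entry table has nothing to filter. For the ping target, passing an argv list removes the shell from the picture, but validation is still required: without it a value such as “-f” would be parsed by ping itself as an option rather than as a host.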

Also according to Polycom, customers will be able to download version 3.0.4 by the end of March 2012 at the link provided below:

– http://support.polycom.com/PolycomService/support/us/support/video/hdx_series/
