Polycom H.323 Format String

2013.03.16
Credit: Moritz Jodeit
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-134

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2013.004 15-Mar-2013 ___________________________________________________________________________ Vendor: Polycom, http://www.polycom.com Affected Products: Polycom HDX Series Affected Version: < 3.1.1.2 Vulnerability: Polycom H.323 Format String Vulnerability Risk: HIGH ___________________________________________________________________________ Overview: For every received H.323 SETUP packet the Polycom HDX system writes a call detail record (CDR) into its internal database. This even happens when the connection is not accepted. The CDR table is stored in a SQLite database which can be found in the /data/polycom/cdr/new/localcdr.db file on the HDX system. Description: One of the items stored in a CDR entry is the remote system name of the H.323 video call. The system name is taken directly from the string placed in the Display information element from the sent H.323 SETUP packet. However no input validation is performed on the string extracted from the packet. After the SQL query string is constructed it is passed to the internal puts() function which ends up calling the vsnprintf() function inside va_logmsg() for logging purposes. The complete SQL query string is passed as the format string argument to vsnprintf() which leads to a format string vulnerability. The following output shows the arguments passed to the va_logmsg() function. Part of the "fmt" format string argument is the embedded Display information element which is under the control of the attacker. (gdb) break *0x1032E3AC Breakpoint 1 at 0x1032e3ac: file ../../../src/Common/OS/logmsg.c, line 747. (gdb) c Breakpoint 5, 0x1032e3ac in va_logmsg (ap=0x5e97d298, level=<optimized out>, component=<optimized out>, fmt=0x5e97d344 "INSERT into CDR_Table values( '23','0','1347451282','1347451282','---','WE CONTROL THIS %n%n%n','','---', 'h323','0','','1','365','1','0','---','---','terminal','','---','---', '---','---','---','---','The call has ended.','16','0','---','---','---', '---','---','---','---','---','---','---','---','---','25');") at ../../../src/Common/OS/logmsg.c:747 Since the attacker controls the format string through the sent remote system name, he can easily crash the system by sending a single H.323 SETUP packet with a remote system name such as "%n%n%n". However this bug also allows remote code execution by sending several specially formed H.323 SETUP packets. This allows a complete system compromise of the HDX system over the network. Impact: This vulnerability can be exploited by an unauthenticated attacker over the network as long as the H.323 protocol is enabled. The auto-answer call feature must not be enabled for the exploit to succeed. Successful exploitation gives an attacker complete root access to the HDX system and thus full control over the device. n.runs successfully developed a proof-of-concept exploit which demonstrates remote code execution over the network. Solution: Polycom released version 3.1.1.2 of the HDX software which fixes this issue. It can be downloaded from the Polycom Support page at http://support.polycom.com. ___________________________________________________________________________ Credit: Bug found by Moritz Jodeit of n.runs AG. ___________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

References:

http://www.nruns.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top