Polycom BTOE Connector 2.3.0 Local Privilege Escalation

2015.11.26
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#### Title:
Polycom BToE Connector up to version 2.3.0 allows unprivileged Windows users to execute arbitrary code with SYSTEM privileges.

#### Type of vulnerability:
Privilege Escalation

##### Exploitation vector:
local

##### Attack outcome:
Code execution with SYSTEM privileges.

#### Impact:
CVSS Base Score 6,2
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)

#### Software/Product name:
Polycom BToE Connector

#### Affected versions:
All Versions including 2.3.0

#### Fixed in version:
Version 3.0.0 (Released March 2015)

#### Vendor:
Polycom Inc.

#### CVE number:
CVE-2015-8300

#### Timeline
* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@mitre.

#### Credits:
Severin Winkler `swinkler@sba-research.org` (SBA Research)
Ulrich Bayer `ubayer@sba-research.org` (SBA Research)

#### References:
Download secure version 3.0.0
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html

#### Description:
The Polycom BToE Connector up to version 2.3.0 allows a local user to gain local administrator privileges. The software creates a Windows service running with SYSTEM privileges using the following file (standard installation path):

`C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe`

The default installation allows everyone to replace the plcmbtoesrv.exe file, allowing unprivileged users to execute arbitrary commands on the Windows host.

#### Proof-of-concept:
*none*
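To check a host for the condition described above (a service executable that low-privileged groups can modify), the following PowerShell audit is an added example and not part of the original advisory. The list of broad SIDs, the write-rights mask and the helper name `Get-ServiceExecutablePath` are assumptions chosen for illustration.

```powershell
# Added example: report services whose executable is writable by broad groups.
# Well-known SIDs of low-privileged principals (assumed list, extend as needed).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing or replacing a file. Modify and FullControl contain
# these bits; the two hex values are unmapped GENERIC_WRITE and GENERIC_ALL.
$FileRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask  = [int]$FileRights -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: extract the executable from a service command line.
function Get-ServiceExecutablePath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceExecutablePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }

    $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    # Request identities as SIDs so the check does not depend on the OS language.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')              { continue }
        if (-not $BroadSids.ContainsKey($sid))               { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            Path      = $exe
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
        }
    }
}
```

Any row with `RunsAs` equal to `LocalSystem` matches the situation in this advisory; an empty result means no service executable on the host grants write access to the listed groups.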

References:

http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html


Copyright 2024, cxsecurity.com