lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <18941435343.20021219115420@securityoffice.net>
From: ts at securityoffice.net (Tamer Sahin)
Subject: [SecurityOffice] Polycom Video Conference System Management Server Authentication Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

- --[ Polycom Video Conference System Management Server Authentication Bypass Vulnerability ]--

- --[ Type

Design Error

- --[ Release Date

December 19, 2002

- --[ Product / Vendor

The Polycom ViewStation FX set top video system provides TV-quality video for
the most demanding video communications needs. Embedded streaming
capabilities let you capture and send meetings, presentations or broadcasts
to anyone equipped with a Web browser. Polycom's unmatched full duplex
sound and tracking technology make video meetings effortless, natural, and
push-button-easy. Audio flexibility and custom application support are extensive.

http://www.polycom.com

- --[ Summary

A problem with the Polycom ViewStation allows some users to change configuration
of the video conferencing system. A bug introduced in the Polycom ViewStation
FX Release v4.2 that could allow users full access on the video conferencing system.
Upon taking advantage of this vulnerability, the user could change the configuration
of the video conferencing system and could change admin password and software
update password.

Polycom ViewStation admin password and software update password is stored in
plain text and can be revealed by viewing the source (http://<host>/a_security.htm)
of the web page.

- --[ Analysis

An analysis for this vulnerability exists and is available below.

a_security.htm source code:

==================== SNIP ====================

<html>
<head>
<title>Admin Password Change</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style1.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000" background="background1.gif" class="largetext">
<script language="JavaScript">
  var model = "VSFX4";
  var mppSelect = "Meeting";
  var mpp = "";

  function setSelected(list, value)
  {
    //list = document.forms[0].SNAPCAM
    var j;
    for(j = 0; j < list.length; j++)
    {
      if(list.options[j].value == value)
      {
        list.options[j].selected = true;
      }
      else
      {
        list.options[j].selected = false;
      }
    }
  }
</script>
<div align="center">
  <p>Security </p>
  <form method="POST" enctype="application/x-www-form-urlencoded">
    <table border="0" cellspacing="2" class="text2">

      <tr>
        <td class="text2">Meeting Password:</td>
        <td>
*********************** HERE ********************************
          <input type="text" name="viewingpasswrd" value="123">
************************************************************
        </td>
      </tr>
      <tr>
        <td class="text2">Software Update Password:</td>
        <td>
*********************** HERE ********************************
          <input type="text" name="softupdatepasswrd" value="g3kk9g3z">
************************************************************
        </td>
      </tr>
    </table>
    <p><input type="submit" name="Submit" value="Submit">
  </p></form>
</div>
</body>
</html>

==================== SNIP ====================

- --[ Tested

Polycom ViewStation FX Release v4.2

- --[ Vulnerable

Polycom ViewStation FX Release v4.2

- --[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.

- --[ Author

Tamer Sahin
ts@...urityoffice.net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@...urityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this
Security Advisory is not modified in any way and is attributed to SecurityOffice
and provided that such reproduction and distribution is performed for
non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPgGXTvpL5ibJRTtBAQGYLAgAnkKqcgE7uebVsp1po0pxCDQNECzmci97
RUAeDHQcqjOfwgSUXJo46r6uu0t/mK90ecV/ZaQrAIsmC3Zl6aii3MDj6SZFBm7P
qsIZntHTvy4mSEgQ8cTbcYkT/sgf1AXPiroV5ngwiMVlS9ReiQ4oQRaAdDzQxO9A
ipy0dZ2U5IAtp4/bj7iPwpW0RveQlntxq0BOqJXItF5OmdADBGBZg2MBZwzhVpVN
btjx6ssLphe449uLJDQaIgzT59z0nPayzT7/MT3yVoXxGbqFuqvUdwItL6mVvFRP
9vK7+o07enNitGb3yT5WhaWGVSEVW7fEnJ4tPkTcbZtQTkaNS4cejg==
=zPgz
-----END PGP SIGNATURE-----




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ