lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5653040D.9040708@sba-research.org> Date: Mon, 23 Nov 2015 13:18:21 +0100 From: SBA Research Advisory <advisory@...-research.org> To: <fulldisclosure@...lists.org> Subject: [FD] CVE-2015-8300: Polycom BToE Connector v2.3.0 Privilege Escalation Vulnerability #### Title: Polycom BToE Connector up to version 2.3.0 allows unprivileged windows users to execute arbitrary code with SYSTEM privileges. #### Type of vulnerability: Privilege Escalation ##### Exploitation vector: local ##### Attack outcome: Code execution with SYSTEM privileges. #### Impact: CVSS Base Score 6,2 CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N) #### Software/Product name: Polycom BToE Connector #### Affected versions: All Versions including 2.3.0 #### Fixed in version: Version 3.0.0 (Released March 2015) #### Vendor: Polycom Inc. #### CVE number: CVE-2015-8300 #### Timeline * `2014-12-19` identification of vulnerability * `2015-01-01` vendor contacted via customer * `2015-03-01` vendor released fixed version 3.0.0 * `2015-07-14` contact cve-request@...re. #### Credits: Severin Winkler `swinkler@...-research.org` (SBA Research) Ulrich Bayer `ubayer@...-research.org` (SBA Research) #### References: Download secure version 3.0.0 http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html #### Description: The Polycom BToE Connector Version up to version 2.3.0 allows a local user to gain local administrator privileges. The software creates a windows service running with SYSTEM privileges using the following file (standard installation path): C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe The default installation allows everyone to replace the plcmbtoesrv.exe file allowing unprivileged users to execute arbitrary commands on the windows host. #### Proof-of-concept: *none* Download attachment "0x58F775B2.asc" of type "application/pgp-keys" (3499 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists