lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5653040D.9040708@sba-research.org>
Date: Mon, 23 Nov 2015 13:18:21 +0100
From: SBA Research Advisory <advisory@...-research.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] CVE-2015-8300: Polycom BToE Connector v2.3.0 Privilege
 Escalation Vulnerability

#### Title:
Polycom BToE Connector up to version 2.3.0 allows unprivileged windows
users to execute arbitrary code with SYSTEM privileges.

#### Type of vulnerability:
Privilege Escalation
##### Exploitation vector:
local
##### Attack outcome:
Code execution with SYSTEM privileges.
#### Impact:
CVSS Base Score 6,2
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)
#### Software/Product name:
Polycom BToE Connector
#### Affected versions:
All Versions including 2.3.0

#### Fixed in version:
Version 3.0.0 (Released March 2015)

#### Vendor:
Polycom Inc.
#### CVE number:
CVE-2015-8300
#### Timeline
* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@...re.

#### Credits:
Severin Winkler `swinkler@...-research.org` (SBA Research)
Ulrich Bayer `ubayer@...-research.org` (SBA Research)
#### References:
Download secure version 3.0.0
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html

#### Description:
The Polycom BToE Connector Version up to version 2.3.0 allows a local
user to gain
local administrator privileges.

The software creates a windows service running with SYSTEM privileges
using the following file (standard installation path):

C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe

The default installation allows everyone to replace the plcmbtoesrv.exe
file allowing unprivileged users to execute arbitrary commands on the
windows host.

#### Proof-of-concept:
*none*



Download attachment "0x58F775B2.asc" of type "application/pgp-keys" (3499 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ