Polycom ViewStation FX Discloses Administrator Password to Remote Users
|
|
SecurityTracker Alert ID: 1005841 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 20 2002
|
Impact: Disclosure of authentication information, Root access via network
|
Exploit Included: Yes
|
Advisory: SecurityOffice.net
|
Version(s): FX 4.2
|
Description: A vulnerability was reported in the Polycom ViewStation FX management console. A remote user can view the administrator password and gain administrator access to the system.
SecurityOffice.net reported that a remote user can view the HTML source of the following page to obtain the plaintext administrator password and the software update password:
http://<host>/a_security.htm
|
Impact: A remote user can view the administrator and software update passwords.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.polycom.com/products_services/products_voice_home/0,1418,35,00.html (Links to External Site)
|
Cause: Access control error
|
Reported By: Tamer Sahin <ts@securityoffice.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 19 Dec 2002 11:53:35 +0200
From: Tamer Sahin <ts@securityoffice.net>
Subject: [VulnWatch] [SecurityOffice] Polycom Video Conference System Management Server Authentication Bypass Vulnerability
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
- --[ Polycom Video Conference System Management Server Authentication Bypass Vulnerability ]--
- --[ Type
Design Error
- --[ Release Date
December 19, 2002
- --[ Product / Vendor
The Polycom ViewStation FX set top video system provides TV-quality video for
the most demanding video communications needs. Embedded streaming
capabilities let you capture and send meetings, presentations or broadcasts
to anyone equipped with a Web browser. Polycom's unmatched full duplex
sound and tracking technology make video meetings effortless, natural, and
push-button-easy. Audio flexibility and custom application support are extensive.
http://www.polycom.com
- --[ Summary
A problem with the Polycom ViewStation allows some users to change configuration
of the video conferencing system. A bug introduced in the Polycom ViewStation
FX Release v4.2 that could allow users full access on the video conferencing system.
Upon taking advantage of this vulnerability, the user could change the configuration
of the video conferencing system and could change admin password and software
update password.
Polycom ViewStation admin password and software update password is stored in
plain text and can be revealed by viewing the source (http://<host>/a_security.htm)
of the web page.
- --[ Analysis
An analysis for this vulnerability exists and is available below.
a_security.htm source code:
==================== SNIP ====================
<html>
<head>
<title>Admin Password Change</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style1.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000" background="background1.gif"
class="largetext">
<script language="JavaScript">
var model = "VSFX4";
var mppSelect = "Meeting";
var mpp = "";
function setSelected(list, value)
{
//list = document.forms[0].SNAPCAM
var j;
for(j = 0; j < list.length; j++)
{
if(list.options[j].value == value)
{
list.options[j].selected = true;
}
else
{
list.options[j].selected = false;
}
}
}
</script>
<div align="center">
<p>Security </p>
<form method="POST" enctype="application/x-www-form-urlencoded">
<table border="0" cellspacing="2" class="text2">
<tr>
<td class="text2">Meeting Password:</td>
<td>
*********************** HERE ********************************
<input type="text" name="viewingpasswrd" value="123">
************************************************************
</td>
</tr>
<tr>
<td class="text2">Software Update Password:</td>
<td>
*********************** HERE ********************************
<input type="text" name="softupdatepasswrd" value="g3kk9g3z">
************************************************************
</td>
</tr>
</table>
<p><input type="submit" name="Submit" value="Submit">
</p></form>
</div>
</body>
</html>
==================== SNIP ====================
- --[ Tested
Polycom ViewStation FX Release v4.2
- --[ Vulnerable
Polycom ViewStation FX Release v4.2
- --[ Disclaimer
http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.
- --[ Author
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
All our advisories can be viewed at http://www.securityoffice.net/articles/
Please send suggestions, updates, and comments to feedback@securityoffice.net
(c) 2002 SecurityOffice
This Security Advisory may be reproduced and distributed, provided that this
Security Advisory is not modified in any way and is attributed to SecurityOffice
and provided that such reproduction and distribution is performed for
non-commercial purposes.
Tamer Sahin
http://www.securityoffice.net
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQEVAwUAPgGXIfpL5ibJRTtBAQGTtAf/WyQ19QsKfi2/4Agp4k5QZtkRvsBIR/KN
eAxs8bpTj29WkLw1oTrgklZRZgrEYnunloMYZIU5wJNQ75xnM2inIT1wZ/lojhAj
dz2hyh66kA9l+Ojg5E381clGRtOtBM1MlA8QStb8o2q9dTVG7aUsRynqVh+XvWvW
C8Se+ipmPeCPnyypG3Mp9O55oKnXIJo1jSwAYcHMGzZQBAtcPy0PrQQmT02BvCHo
5WCI8GjLvxBpic4Jd/+m7JS40ujNegoD2OJdzRa0pCZzn64lZI5hLiVezzzoJcrj
Y5eWNBoBlkrnun8DCIEwhlx/F1igRMRP6ZDxNctcAKAqMZuisxSwrg==
=GJ1Y
-----END PGP SIGNATURE-----
|
|
