[NT] Polycom Video Conference System Management Server Authentication Bypass Vulnerability

From: support@securiteam.com
Date: 12/25/02

  • Next message: support@securiteam.com: "[UNIX] Matlab Uses the /tmp Directory Insecurely" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 25 Dec 2002 11:19:24 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Polycom Video Conference System Management Server Authentication Bypass
    Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The Polycom ViewStation FX set top video system provides TV-quality video
    for the most demanding video communications needs. Embedded streaming
    capabilities let you capture and send meetings, presentations or
    broadcasts to anyone equipped with a Web browser. Polycom's unmatched full
    duplex sound and tracking technology make video meetings effortless,
    natural, and push-button-easy. Audio flexibility and custom application
    support are extensive.

    A problem with the Polycom ViewStation allows some users to change
    configuration of the video conferencing system. A bug introduced in the
    Polycom ViewStation FX Release v4.2 that could allow users full access on
    the video conferencing system. Upon taking advantage of this
    vulnerability, the user could change the configuration of the video
    conferencing system and could change admin password and software update
    password.

    Polycom ViewStation admin password and software update password is stored
    in plain text and can be revealed by viewing the source
    (http:///a_security.htm) of the web page.

    DETAILS

    Analysis:
    An analysis for this vulnerability exists and is available below.

    a_security.htm source code:

     ==================== SNIP ====================

    <html>
    <head>
    <title>Admin Password Change</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link rel="style***" href="style1.css" type="text/css">
    </head>

    <body bgcolor="#FFFFFF" text="#000000" background="background1.gif"
    class="largetext">
    <script language="JavaScript">
      var model = "VSFX4";
      var mppSelect = "Meeting";
      var mpp = "";

      function setSelected(list, value)
      {
        //list = document.forms[0].SNAPCAM
        var j;
        for(j = 0; j < list.length; j++)
        {
          if(list.options[j].value == value)
          {
            list.options[j].selected = true;
          }
          else
          {
            list.options[j].selected = false;
          }
        }
      }
    </script>
    <div align="center">
      <p>Security </p>
      <form method="POST" enctype="application/x-www-form-urlencoded">
        <table border="0" cellspacing="2" class="text2">

          <tr>
            <td class="text2">Meeting Password:</td>
            <td>
    *********************** HERE ********************************
              <input type="text" name="viewingpasswrd" value="123">
    ************************************************************
            </td>
          </tr>
          <tr>
            <td class="text2">Software Update Password:</td>
            <td>
    *********************** HERE ********************************
              <input type="text" name="softupdatepasswrd" value="g3kk9g3z">
    ************************************************************
            </td>
          </tr>
        </table>
        <p><input type="submit" name="Submit" value="Submit">
      </p></form>
    </div>
    </body>
    </html>

     ==================== SNIP ====================

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ts@securityoffice.net> Tamer
    Sahin.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    • Quantcast